Meir Tseitlin

Reputation: 2038

PostgreSQL COPY SQL injection

I am using the PostgreSQL 11 COPY command to import large CSVs into the DB with Python, like the following:

COPY "ns"."table" ("col1", "col2") FROM STDIN WITH CSV HEADER DELIMITER AS ','

I didn't find any recent information on whether this operation is secure in terms of SQL injection attacks, or whether I should manually go over the CSV and escape every value in the file (which is a very heavy operation).

Thanks!

Upvotes: 3

Views: 1301

Answers (1)

Laurenz Albe

Reputation: 246453

There is no danger of SQL injection with this command.

If a user supplies bad data, then you end up with bad data in the table, or at worst you could get an error because the file is not correct CSV or because a constraint was violated.

But there is no way to subvert security to execute statements, because nothing entered by the user will become part of an SQL statement. With COPY, there is a clear distinction between SQL statement and data.

Upvotes: 7
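As an added illustration of the answer's point (example code, not from the question or the answer), this Python snippet keeps the two channels of a COPY ... FROM STDIN import apart: the schema, table and column names are the only user-influenced strings that ever enter the SQL text, so they are quoted as PostgreSQL identifiers, while the row values are serialised with the csv module and never touch the statement at all. The csv module does the only escaping COPY needs; running the result through psycopg2's copy_expert is assumed and shown only in a comment.

```python
import csv
import io


def quote_ident(name):
    """Quote a PostgreSQL identifier: wrap in double quotes and double any
    embedded double quote. A NUL byte can never be part of an identifier."""
    if "\x00" in name:
        raise ValueError("identifier contains a NUL byte")
    return '"' + name.replace('"', '""') + '"'


def build_copy_statement(schema, table, columns):
    """Build the statement from the question with safely quoted identifiers.
    No row value is ever interpolated into this string."""
    if not columns:
        raise ValueError("at least one column is required")
    cols = ", ".join(quote_ident(c) for c in columns)
    return (f"COPY {quote_ident(schema)}.{quote_ident(table)} ({cols}) "
            "FROM STDIN WITH CSV HEADER DELIMITER AS ','")


def encode_rows(columns, rows):
    """Serialise the data channel as CSV. Values containing a comma, a quote
    or a newline are quoted and embedded quotes are doubled, which matches
    PostgreSQL's CSV defaults; SQL syntax inside a value stays plain data.
    Caveat: in CSV mode an unquoted empty field is read as NULL."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(columns)  # header line, skipped by COPY because of HEADER
    for row in rows:
        if len(row) != len(columns):
            raise ValueError("row length does not match column list")
        writer.writerow(row)
    return buf.getvalue()


def decode_rows(payload):
    """Parse the CSV payload back (header first) to check the round trip."""
    return list(csv.reader(io.StringIO(payload)))


def prepare_copy(schema, table, columns, rows):
    """Return (sql_statement, csv_payload) ready for the driver, e.g. with
    psycopg2: cur.copy_expert(statement, io.StringIO(payload))."""
    return build_copy_statement(schema, table, columns), encode_rows(columns, rows)


if __name__ == "__main__":
    # Constructed sample rows: SQL-looking text is just a value here.
    stmt, data = prepare_copy("ns", "table", ["col1", "col2"],
                              [["x'); DROP TABLE t; --", 'say "hi", now']])
    print(stmt)
    print(data)
```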
