Is COPY tablename FROM stdin with csv in Postgres at risk of SQL injection?

Asked 1 years ago, Updated 1 years ago, 87 views

I'm using python, psycopg2

When the following code is executed, it reads the contents of the file once and writes it from standard input to DB.
If there is a description in the file that allows SQL injection, is it possible for the OS to interpret it and cause SQL injection?

conn_config=dict(port="532", dbname="test", password="test")
with psycopg2.connection(**conn_config) as conn:
    with conn.cursor() as cur:
        with open("test.csv") asf:
            cur.copy_expert(sql="COPY test FROM STDIN", file=f)

I read the official document for psycopg2, postgres, but I couldn't find any related statements.
When I tried code execution, I didn't find any behavior like SQL injection, but is there actually a risk of SQL injection?

python sql postgresql security

2022-09-30 17:35

1 Answers

Depending on who prepares the target CSV file, the level of caution will vary, but I think it is risky to accept the input data without prior verification, regardless of whether it is malicious or not.

I don't know what format data it contains, but if it contains a string that is unintentionally interpreted as SQL, the data can be corrupted.

reference:
Yahoo input validation "Don't believe anything"

2022-09-30 17:35

If you have any answers or tips

Popular Tags
python x 4647
android x 1593
java x 1494
javascript x 1427
c x 927
c++ x 878
ruby-on-rails x 696
php x 692
python3 x 685
html x 656
Popular Questions

520 PHP ssh2_scp_send fails to send files as intended

936 In Java servlet, when SHA-256 sends WW-Authenticate header for digest authentication, the client does not return the result.

506 When building Fast API+Uvicorn environment with PyInstaller, console=False results in an error

510 Understanding How to Configure Google API Key

528 Scrap text information after the "View More" button when searching in the Yahoo! News search window

© 2024 OneMinuteCode. All rights reserved.