Is COPY tablename FROM stdin with csv in Postgres at risk of SQL injection?

Asked 2 years ago, Updated 2 years ago, 113 views

I'm using python, psycopg2

When the following code is executed, it reads the contents of the file once and writes it to the DB via standard input.
If the file contains a string that allows SQL injection, is it possible for the OS to interpret it and cause SQL injection?

import psycopg2

conn_config = dict(port="532", dbname="test", password="test")
with psycopg2.connect(**conn_config) as conn:
    with conn.cursor() as cur:
        # Stream the file contents to the server as the COPY data
        with open("test.csv") as f:
            cur.copy_expert(sql="COPY test FROM STDIN", file=f)

I read the official documentation for psycopg2 and Postgres, but I couldn't find any related statements.
When I ran the code, I didn't see any behavior like SQL injection, but is there actually a risk of SQL injection?

python sql postgresql security

2022-09-30 17:35

1 Answer

Depending on who prepares the target CSV file, the level of caution will vary, but I think it is risky to accept the input data without prior verification, regardless of whether it is malicious or not.

I don't know what format data it contains, but if it contains a string that is unintentionally interpreted as SQL, the data can be corrupted.

Reference:
Yahoo input validation "Don't believe anything"


2022-09-30 17:35
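An added example, not from the question or answer above: the CSV rows fed to COPY FROM STDIN go through COPY's format parser, never the SQL parser, so a field that merely looks like SQL is stored as a plain string. The SQL injection surface is the statement text itself (for instance a table name spliced in from a request), so this stdlib-only script whitelists and quotes the table name, and pre-validates the CSV shape and types as the answer recommends. The sample CSV, table names and column rules are constructed for the example.

```python
import csv
import io
import re

# Constructed sample CSV (not from the post). Row 2 carries text that looks
# like SQL; COPY's CSV parser stores it as data, so it cannot alter the
# statement. Rows 3 and 4 are malformed and should be rejected before loading.
SAMPLE_CSV = (
    "1,alice,alice@example.com\n"
    "2,\"x'); DROP TABLE test; --\",bob@example.com\n"
    "3,carol\n"                      # wrong column count
    "four,dave,dave@example.com\n"   # non-integer id
)

# Only the statement string is SQL. A table name taken from user input is the
# place where injection could happen, so restrict it to a whitelist and quote
# it as an identifier. With psycopg2 you would use psycopg2.sql.Identifier
# instead of the hand quoting below (hypothetical table names).
ALLOWED_TABLES = {"test", "customers"}

def build_copy_sql(table):
    if table not in ALLOWED_TABLES:
        raise ValueError(f"table not allowed: {table!r}")
    quoted = '"' + table.replace('"', '""') + '"'   # SQL identifier quoting
    return f"COPY {quoted} FROM STDIN WITH (FORMAT csv)"

def validate_rows(text, expected_cols=3, max_len=64):
    """Pre-validate CSV before COPY; returns a list of (line_no, problem)."""
    problems = []
    for n, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if len(row) != expected_cols:
            problems.append((n, f"expected {expected_cols} columns, got {len(row)}"))
            continue
        if not row[0].isdigit():
            problems.append((n, "id is not an integer"))
        if not re.fullmatch(r"[^@\s]+@[^@\s]+", row[2]):
            problems.append((n, "malformed email"))
        if any(len(f) > max_len for f in row):
            problems.append((n, "field too long"))
    return problems

if __name__ == "__main__":
    print(build_copy_sql("test"))
    for line_no, problem in validate_rows(SAMPLE_CSV):
        print(f"line {line_no}: {problem}")
```

Row 2 passes validation unchanged: the SQL-looking text is just a string value within the length limit, while the structurally bad rows 3 and 4 are reported before anything reaches the database.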
