From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | Pavel Stehule <pavel(dot)stehule(at)gmail(dot)com> |
Cc: | Dennis Gearon <gearond(at)sbcglobal(dot)net>, pgsql-general(at)postgresql(dot)org |
Subject: | Re: vulnerability of COPY command |
Date: | 2010-05-30 14:14:26 |
Message-ID: | 5321.1275228866@sss.pgh.pa.us |
Lists: | pgsql-general |
Pavel Stehule <pavel(dot)stehule(at)gmail(dot)com> writes:

> 2010/5/30 Dennis Gearon <gearond(at)sbcglobal(dot)net>:
>> If I build a text-based COPY file for bulk purposes, to be input via the command line, is Postgres vulnerable to SQL injection from that?

> SQL database cannot be injected via NON SQL statements like COPY.

Well, that depends. If you construct a script file like

```
COPY mytable FROM STDIN;
... data rows here ...
\.
```

then obviously somebody could inject SQL if they could get a line beginning with \. into the data rows. However, if you put the data rows in a *separate file* this is not possible.

ISTM though that this discussion is largely missing the point. If you want to build COPY input from raw data, you have to be prepared to do suitable quoting/escaping --- the rules are a bit different from plain SQL quoting, but the concept is the same. And if you do do that, you're immune from SQL injection in any case, as is also true of plain old INSERTs. SQL injection is only a problem for applications that fail to do quoting/escaping at all, or do it incorrectly, and COPY is really not any safer if you blow that than regular SQL is.

regards, tom lane
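The escaping Tom describes, as an added example that is not part of the thread: a small Python builder that emits a `COPY ... FROM STDIN` script whose data rows follow COPY's text-format escape rules (backslash, newline, carriage return and tab escaped; NULL as `\N`), plus a check that no data line is left reading as the `\.` end-of-data marker. The table name and the row values are constructed sample input; the table name is assumed to be trusted, since COPY's escaping rules cover data, not identifiers.

```python
"""Build a psql COPY ... FROM STDIN script with data rows escaped per
PostgreSQL's COPY text format (not CSV), so that no attacker-controlled
value can yield a line consisting of the end-of-data marker."""

# Characters that must be escaped in COPY text format. The translation
# is done one character at a time, so a backslash is never double-escaped.
_COPY_TEXT_ESCAPES = {
    "\\": "\\\\",
    "\n": "\\n",
    "\r": "\\r",
    "\t": "\\t",
}

END_OF_DATA = "\\."  # the two literal characters backslash, dot


def escape_copy_text(value):
    """Escape one field for COPY's text format; None becomes the \\N null marker."""
    if value is None:
        return "\\N"
    return "".join(_COPY_TEXT_ESCAPES.get(ch, ch) for ch in str(value))


def copy_data_lines(rows):
    """Return one tab-separated, escaped data line per row (no terminator)."""
    return ["\t".join(escape_copy_text(v) for v in row) for row in rows]


def build_copy_script(table, rows):
    """Return a psql script: COPY statement, escaped rows, then the terminator.

    `table` is assumed to be a developer-supplied, trusted identifier.
    """
    lines = ["COPY %s FROM STDIN;" % table]
    lines.extend(copy_data_lines(rows))
    lines.append(END_OF_DATA)
    return "\n".join(lines) + "\n"


def premature_terminators(data_lines):
    """Defensive check: indexes of data lines psql would read as end-of-data."""
    return [i for i, line in enumerate(data_lines) if line == END_OF_DATA]


if __name__ == "__main__":
    # Constructed sample: the second value contains an embedded "\." line.
    sample_rows = [("id1", "line1\n\\.\nline2"), ("id2", None)]
    print(build_copy_script("mytable", sample_rows))
```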