On 09/01/2014 11:24 PM, swaroop wrote:
> Basically i am looking for the same robustness of preparedstmt@setString
>
> Can i use functions like quote_literal ? Any help is very much appreciated.
You don't need to. Feed the data in as-is. So long as it's valid CSV
(for CSV-format COPY) or meets the PostgreSQL spec for the input format
(for non-CSV) it's fine.
So for CSV format you must escape embedded quotes, otherwise you'll
produce invalid CSV and get an error on input. That's the worst that'll
happen though.
SQL injection is not possible in the data consumed by COPY.
(A truly tricky user could sneak malicious code into a table then trick
you into running a vulnerable PL/PgSQL procedure that used unsafe
dynamic SQL later, but that's also true with calling the function using
prepared statements.)
--
Craig Ringer http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services
