Is postgres COPY tablename FROM STDIN with csv at risk of SQL injection?

Question

I am using python and pyscopg2.

If I run code below, the user provided csv file will be open and read. Then the content contains in csv file will be transferred to database.
I want to know if the code is at risk of SQL injection when some unexpected words or symbols contain in the csv file.

conn_config = dict(port="5432", dbname="test", password="test")
with psycopg2.connection(**conn_config) as conn:
    with conn.cursor() as cur:
        with open("test.csv") as f:
            cur.copy_expert(sql="COPY test FROM STDIN", file=f)

I read some documents of psycopg2 and postgres, but I did not found the result.
Please know that English is not my native language, and I may make some confusing mistakes

klin klin · Accepted Answer · 2021-02-21T19:27:23

The command simply copies the data into the table. No part of the copied data may be interpreted as an SQL command, so SQL injection is out of the question. Additional security is the rigid CSV format. If the data contains extra (redundant) writes, the command will simply fail. The only risk of the command operation may be strange contents in the table.

Is postgres COPY tablename FROM STDIN with csv at risk of SQL injection?

1 Answers