On 09/01/2014 11:24 PM, swaroop wrote: > Basically i am looking for the same robustness of preparedstmt@setString > > Can i use functions like quote_literal ? Any help is very much appreciated. You don't need to. Feed the data in as-is. So long as it's valid CSV (for CSV-format COPY) or meets the PostgreSQL spec for the input format (for non-CSV) it's fine. So for CSV format you must escape embedded quotes, otherwise you'll produce invalid CSV and get an error on input. That's the worst that'll happen though. SQL injection is not possible in the data consumed by COPY. (A truly tricky user could sneak malicious code into a table then trick you into running a vulnerable PL/PgSQL procedure that used unsafe dynamic SQL later, but that's also true with calling the function using prepared statements.) -- Craig Ringer http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Training & Services -- Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general
