@@ -128,9 +128,12 @@ public struct PostgresCopyFromFormat: Sendable {
128128///
129129/// An empty `columns` array signifies that no columns should be specified in the query and that all columns will be
130130/// copied by the caller.
131+ ///
132+ /// - Important: The table and column names are inserted into the `COPY FROM` query as passed and might thus be
133+ /// susceptible to SQL injection. Ensure no untrusted data is contained in these strings.
131134private func buildCopyFromQuery(
132- table: StaticString ,
133- columns: [ StaticString ] = [ ] ,
135+ table: String ,
136+ columns: [ String ] = [ ] ,
134137 format: PostgresCopyFromFormat
135138) -> PostgresQuery {
136139 var query = """
@@ -170,11 +173,11 @@ extension PostgresConnection {
170173 /// Throw an error from the closure to fail the data transfer. The error thrown by the closure will be rethrown
171174 /// by the `copyFrom` function.
172175 ///
173- /// - Note : The table and column names are inserted into the SQL query verbatim. They are forced to be compile-time
174- /// specified to avoid runtime SQL injection attacks .
176+ /// - Important : The table and column names are inserted into the `COPY FROM` query as passed and might thus be
177+ /// susceptible to SQL injection. Ensure no untrusted data is contained in these strings .
175178 public func copyFrom(
176- table: StaticString ,
177- columns: [ StaticString ] = [ ] ,
179+ table: String ,
180+ columns: [ String ] = [ ] ,
178181 format: PostgresCopyFromFormat = . text( . init( ) ) ,
179182 logger: Logger ,
180183 isolation: isolated ( any Actor ) ? = #isolation,
0 commit comments