CSV Injection Examples and Formula-Safe Export
CSV injection happens when spreadsheet software treats a text value from a CSV file as a formula. The risky value may come from a public form, marketplace buyer name, support note, product title, coupon code, or any field that another person can type into.
Why it matters
CSV files look like plain text, but Excel, Google Sheets, and other spreadsheet tools can evaluate cells that begin with characters such as equals, plus, minus, or at signs. That behavior is useful for normal spreadsheet formulas, but it is not ideal when you are opening data from an unknown source.
Examples
| CSV value | Safer exported value | Reason |
|---|---|---|
=SUM(A1:A2) | '=SUM(A1:A2) | Keeps the value as text. |
+cmd | '+cmd | Prevents formula interpretation. |
@lookup | '@lookup | Stops the spreadsheet from treating it as a formula-like value. |
-DANGER | '-DANGER | Protects text that begins with a minus sign. |
-42 | -42 | Real negative numbers stay numeric. |
How Universal CSV Cleaner handles it
Formula-safe export is on by default. During export, the cleaner adds a leading apostrophe to risky text values so spreadsheet tools display them as text. The change is visible in the preview so you can decide whether the safer output is right for the file.
When to use it
- Use it for CSV files from forms, customer lists, marketplace exports, CRMs, or support tools.
- Use it before sharing a CSV with someone who may open it in Excel or Google Sheets.
- Turn it off only when you need exact raw values and trust the source file.
This page is practical CSV safety guidance, not legal or security consulting. Keep original exports when data matters, and test a small cleaned file before sending it to another workflow.
Make a formula-safe CSV