dbQuoteString: Quote literal strings

Description Usage Arguments Value Specification See Also Examples

Description

Call this method to generate a string that is suitable for use in a query as a string literal, to make sure that you generate valid SQL and protect against SQL injection attacks.

\Sexpr[results=rd,stage=render]{DBI:::methods_as_rd("dbQuoteString")}

Usage

1
dbQuoteString(conn, x, ...)

Arguments

conn

A subclass of DBIConnection, representing an active connection to an DBMS.

x

A character vector to quote as string.

...

Other arguments passed on to methods.

Value

dbQuoteString() returns an object that can be coerced to character, of the same length as the input. For an empty character vector this function returns a length-0 object.

When passing the returned object again to dbQuoteString() as x argument, it is returned unchanged. Passing objects of class SQL should also return them unchanged. (For backends it may be most convenient to return SQL objects to achieve this behavior, but this is not required.)

Specification

The returned expression can be used in a SELECT ... query, and for any scalar character x the value of dbGetQuery(paste0("SELECT ", dbQuoteString(x)))[[1]] must be identical to x, even if x contains spaces, tabs, quotes (single or double), backticks, or newlines (in any combination) or is itself the result of a dbQuoteString() call coerced back to character (even repeatedly). If x is NA, the result must merely satisfy is.na(). The strings "NA" or "NULL" are not treated specially.

NA should be translated to an unquoted SQL NULL, so that the query SELECT * FROM (SELECT 1) a WHERE ... IS NULL returns one row.

Passing a numeric, integer, logical, or raw vector, or a list for the x argument raises an error.

See Also

Other DBIResult generics: DBIResult-class, dbBind, dbClearResult, dbColumnInfo, dbFetch, dbGetInfo, dbGetRowCount, dbGetRowsAffected, dbGetStatement, dbHasCompleted, dbIsReadOnly, dbIsValid, dbQuoteIdentifier, dbQuoteLiteral, dbUnquoteIdentifier

Examples

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
# Quoting ensures that arbitrary input is safe for use in a query
name <- "Robert'); DROP TABLE Students;--"
dbQuoteString(ANSI(), name)

# NAs become NULL
dbQuoteString(ANSI(), c("x", NA))

# SQL vectors are always passed through as is
var_name <- SQL("select")
var_name
dbQuoteString(ANSI(), var_name)

# This mechanism is used to prevent double escaping
dbQuoteString(ANSI(), dbQuoteString(ANSI(), name))

Example output

<SQL> 'Robert''); DROP TABLE Students;--'
<SQL> 'x'
<SQL> NULL
<SQL> select
<SQL> select
<SQL> 'Robert''); DROP TABLE Students;--'

DBI documentation built on May 2, 2018, 5:04 p.m.