build_sql: Build a SQL string.
In dbplyr: A 'dplyr' Back End for Databases
build_sql R Documentation
Build a SQL string.
Description
This is a convenience function that should prevent sql injection attacks
(which in the context of dplyr are most likely to be accidental not
deliberate) by automatically escaping all expressions in the input, while
treating bare strings as sql. This is unlikely to prevent any serious
attack, but should make it unlikely that you produce invalid sql.
Usage
build_sql(..., .env = parent.frame(), con = sql_current_con())
Arguments
...
input to convert to SQL. Use sql() to preserve
user input as is (dangerous), and ident() to label user
input as sql identifiers (safe)
.env
the environment in which to evaluate the arguments. Should not
be needed in typical use.
con
database connection; used to select correct quoting characters.
Details
This function should be used only when generating SELECT clauses,
other high level queries, or for other syntax that has no R equivalent.
For individual function translations, prefer sql_expr().
Examples
con <- simulate_dbi()
build_sql("SELECT * FROM TABLE", con = con)
x <- "TABLE"
build_sql("SELECT * FROM ", x, con = con)
build_sql("SELECT * FROM ", ident(x), con = con)
build_sql("SELECT * FROM ", sql(x), con = con)
# http://xkcd.com/327/
name <- "Robert'); DROP TABLE Students;--"
build_sql("INSERT INTO Students (Name) VALUES (", name, ")", con = con)
dbplyr documentation built on May 29, 2024, 6:19 a.m.
R Package Documentation
Browse R Packages
We want your feedback!
Note that we can't provide technical support on individual packages. You should contact the package authors for that.
| build_sql | R Documentation |
Build a SQL string.
Description
This is a convenience function that should prevent sql injection attacks (which in the context of dplyr are most likely to be accidental not deliberate) by automatically escaping all expressions in the input, while treating bare strings as sql. This is unlikely to prevent any serious attack, but should make it unlikely that you produce invalid sql.
Usage
build_sql(..., .env = parent.frame(), con = sql_current_con())
Arguments
... |
input to convert to SQL. Use |
.env |
the environment in which to evaluate the arguments. Should not be needed in typical use. |
con |
database connection; used to select correct quoting characters. |
Details
This function should be used only when generating SELECT clauses,
other high level queries, or for other syntax that has no R equivalent.
For individual function translations, prefer sql_expr().
Examples
con <- simulate_dbi()
build_sql("SELECT * FROM TABLE", con = con)
x <- "TABLE"
build_sql("SELECT * FROM ", x, con = con)
build_sql("SELECT * FROM ", ident(x), con = con)
build_sql("SELECT * FROM ", sql(x), con = con)
# http://xkcd.com/327/
name <- "Robert'); DROP TABLE Students;--"
build_sql("INSERT INTO Students (Name) VALUES (", name, ")", con = con)
R Package Documentation
Browse R Packages
We want your feedback!
Note that we can't provide technical support on individual packages. You should contact the package authors for that.
Embedding an R snippet on your website
Add the following code to your website.
For more information on customizing the embed code, read Embedding Snippets.