sqlInterpolate: Safely interpolate values into an SQL string.


Description

Safely interpolate values into an SQL string.

Usage

sqlInterpolate(`_con`, `_sql`, ...)

## S4 method for signature 'DBIConnection'
sqlInterpolate(`_con`, `_sql`, ...)

Arguments

_con

A database connection.

...

Named values to interpolate into the string. All strings are first escaped with dbQuoteString prior to interpolation to protect against SQL injection attacks.

_sql

A SQL string containing variables to interpolate. Variables must start with a question mark and can be any valid R identifier, i.e. it must start with a letter or ., and be followed by a letter, digit, . or _.

Backend authors

If you are implementing a SQL backend with non-ANSI quoting rules, you'll need to implement a method for sqlParseVariables. Failure to do so does not expose you to SQL injection attacks, but will (rarely) result in errors matching supplied and interpolated variables.

Examples

sql <- "SELECT * FROM X WHERE name = ?name"
sqlInterpolate(ANSI(), sql, name = "Hadley")
# This is safe because the single quote has been double escaped
sqlInterpolate(ANSI(), sql, name = "H'); DROP TABLE--;")
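The following is an added example, not part of the package documentation, showing the same quoting applied against a live connection: it assumes the DBI and RSQLite packages are installed, builds a constructed in-memory table, and uses a hypothetical find_user() helper to contrast sqlInterpolate with paste0().

```r
library(DBI)

# Constructed in-memory SQLite database with a small table (requires RSQLite).
con <- dbConnect(RSQLite::SQLite(), ":memory:")
dbWriteTable(con, "X", data.frame(name = c("Hadley", "Kirill"),
                                  stringsAsFactors = FALSE))

# Hypothetical helper: the query text is fixed, the value travels through
# sqlInterpolate, which quotes it with the connection's own dbQuoteString rules.
find_user <- function(con, user_input) {
  sql <- sqlInterpolate(con, "SELECT * FROM X WHERE name = ?name",
                        name = user_input)
  dbGetQuery(con, sql)
}

find_user(con, "Hadley")                 # matches the one row named Hadley

# The injection attempt from the Examples above becomes a plain string literal:
# the embedded quote is doubled, so the WHERE clause compares against the whole
# text and simply finds no matching row.
find_user(con, "H'); DROP TABLE X--;")
dbListTables(con)                        # "X" is still there

# Contrast: paste0() keeps the user-controlled text inside the SQL syntax, so
# the quote closes the literal and the rest is parsed as SQL. Only printed here.
unsafe <- paste0("SELECT * FROM X WHERE name = '", "H'); DROP TABLE X--;", "'")
cat(unsafe, "\n")

# Several variables in one statement; names may contain _ as the Arguments say.
sqlInterpolate(con,
               "SELECT * FROM X WHERE name = ?first_name OR name = ?other_name",
               first_name = "Hadley", other_name = "O'Brien")

dbDisconnect(con)
```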

rstats-db/SQL documentation built on May 28, 2019, 3:35 a.m.