README.md
In smbache/squr: Structured Query Utility for R
squr [/'skju:əɹ/]: Structured Query Utility for R
The squr (pronounced "skewer") package provides a set of tools
for managing structured query language (SQL) files in R projects.
It promotes the separation of logic and query scripts and eases the process
of reading, parameterizing, and composing SQL queries.
Example
In the following example the sql/query.sql file is read and
parameterized, and sent. There is no database connectivivty in squr,
this is left fully flexible and out of scope. There is a sq_send
function, but this is only meant as a wrapper for invoking some
actual query function.
# Simple example of a query function wrapper. This part varies depending
# on database, drivers, etc, but needs only setup once.
rodbc <- function(query)
{
ch <- RODBC::odbcDriverConnect("<connectionstring>")
on.exit(RODBC::odbcClose(ch))
RODBC::sqlQuery(ch, query)
}
# Example of reading file, setting a parameter value, and sending the query,
# using the `sq_*` ("skew") functions.
result <-
sq_file("sql/query") %>%
sq_set(Param = value) %>%
sq_send(.with = rodbc)
The corresponding query.sql file could look something like:
SELECT *
FROM TheTable
WHERE Param = @Param
Note that many arguments in squr are prefixed with a dot; this is to
avoid name clash with values in ... arguments.
Separation of logic and SQL Files
It can be argued that it is good practice to keep query scripts separate
from R code, and squr aims at
- cleaner R source code,
- queries that (mostly) work as-is both in R and in your SQL IDE,
- easy composability and reusability of SQL blocks
To use a separate query from R:
sql <- sq_file("path/query")
Note:
- the
.sql extension can be omitted,
- when packaged, the path is relative to the
installation folder.
For the rare occasion, there is also sq_text, which is the
way to add inline SQL. Both sq_file and sq_text produces
S3 objects which are character types with an additional class
sq to enable a few methods (print and +).
Insertion Blocks
INSERT statements can be constructed easily with sq_insert:
# Use all column names as-is:
sq_insert(.into = "TableName", .data = the_data)
# Manually specify values:
sq_insert(.into = "TableName", ~Foo, Bar = ~Baz , .data = the_data)
Unnamed values will use its R name as column name.
It is also possible to use an "insert parameter" in a query, which is then
set with sq_set_insert. These parameters are of the form @Label:insert:
-- Suppose the SQL query in query.sql is:
BEGIN TRANSACTION;
DECLARE @Deleted INT
DELETE
FROM TheTable
WHERE Foo = @Foo
SELECT @Deleted = @@ROWCOUNT
@NewObs:insert
SELECT @Deleted AS Deleted
, @@ROWCOUNT AS Inserted
COMMIT TRANSACTION;
Then the R code is, e.g.:
result <-
sq_file("sql/query") %>%
sq_set(Foo = Bar) %>%
sq_set_insert("NewObs", .into = "TableName", .data = the_data) %>%
sq_send(.with = rodbc)
The default behaviour is to treat the ... as names of values to insert.
To insert values directly/as-is use I() function:
sq_insert("Table", colnames(the_data), Ten = I(10), .data = head(the_data))
Includes
Sometimes it is useful to be able to use the same SQL snippets in several queries,
e.g. some Common Table Expressions (CTE) that are used several places.
For this purpose one can use "include parameters" of the form @Label:include and
the sq_set_include. Example:
-- shared.sql
;WITH SomeData AS
(
SELECT *
FROM SomeTable
WHERE This = @This
AND That = @That
)
-- specific.sql
@CTE:include
SELECT *
FROM OtherTable o
INNER JOIN SomeData s
ON o.This = s.That
sql <-
sq_file("specific") %>%
sq_set_include("CTE", "shared") %>%
sq_set(This = this, That = that)
Transactions
When combining files and chunks then it can be useful to wrap them
in a TRANSACTION. There's a small utility function for this:
update <- sq_file("update")
insert <- sq_file("insert")
result <-
sq_transaction(update, insert) %>%
sq_set(Param = value) %>%
sq_send(.with = rodbc)
Dynamic Table and Column Names
Since values are appropriately quoted, the default replacements
will not work for dynamically specifying e.g. column and table names.
However, you can use sq_value explicitely (this is the function used
internally to prepare a value for SQL):
-- The SQL file
SELECT [Date]
, [CustomerId]
, [CustomerName]
, @Feature
FROM Customers
WHERE Date BETWEEN @DateFrom AND @DateTo
# R
result <-
sq_file("customers") %>%
sq_set(DateFrom = Sys.Date() - 10,
DateTo = Sys.Date(),
Feature = sq_value("Turnover", quote = "[")) %>%
sq_send(.with = rodbc)
Alternative Parameter Specifications
It happens that the @Param notation is inadequate, e.g. when executing stored procedures:
--bad:
EXEC MyStoredProcedure @Param1 = @Param1, @Param2 = @Param2
Here, @Param* on both sides of the equality signs will be replaced! Therefore squr has
the convention: if @_Param exists (with the underscore) this will be replaced and @Param will
not. The R call is the same, i.e. one would use sq_set(Param = value).
--Good:
EXEC MyStoredProcedure @Param1 = @_Param1, @Param2 = @_Param2
SQL to be Ignored
To ignore certain parts of an SQL script in R, enclose it in
--rignore and --end:
--rignore
DECLARE @DateFrom DATE = '2016-01-01'
DECLARE @DateTo DATE = '2016-06-30'
--end
SELECT *
FROM Customers
WHERE Date BETWEEN @DateFrom AND @DateTo
The above then is a complete working example in an SQL IDE, and the
variable declarations are ignored in R.
A note on SQL injection
The squr::sq_value function uses DBI::sqlInterpolate to parse values.
However, whenever the values
originate from user input (e.g. in a Shiny/web application, or web services, etc),
approprite precautions should still be taken (type checking, whitelisting, etc.)
OWASP has some good guidelines
on how to prevent SQL injection in your applications.
See also
A similar (but different) project for Clojure (with ports for some other languages) by @krisajenkins is Yesql.
smbache/squr documentation built on May 15, 2021, 3:45 a.m.
R Package Documentation
Browse R Packages
We want your feedback!
Note that we can't provide technical support on individual packages. You should contact the package authors for that.
squr [/'skju:əɹ/]: Structured Query Utility for R
The squr (pronounced "skewer") package provides a set of tools
for managing structured query language (SQL) files in R projects.
It promotes the separation of logic and query scripts and eases the process
of reading, parameterizing, and composing SQL queries.
Example
In the following example the sql/query.sql file is read and
parameterized, and sent. There is no database connectivivty in squr,
this is left fully flexible and out of scope. There is a sq_send
function, but this is only meant as a wrapper for invoking some
actual query function.
# Simple example of a query function wrapper. This part varies depending
# on database, drivers, etc, but needs only setup once.
rodbc <- function(query)
{
ch <- RODBC::odbcDriverConnect("<connectionstring>")
on.exit(RODBC::odbcClose(ch))
RODBC::sqlQuery(ch, query)
}
# Example of reading file, setting a parameter value, and sending the query,
# using the `sq_*` ("skew") functions.
result <-
sq_file("sql/query") %>%
sq_set(Param = value) %>%
sq_send(.with = rodbc)
The corresponding query.sql file could look something like:
SELECT *
FROM TheTable
WHERE Param = @Param
Note that many arguments in squr are prefixed with a dot; this is to
avoid name clash with values in ... arguments.
Separation of logic and SQL Files
It can be argued that it is good practice to keep query scripts separate
from R code, and squr aims at
- cleaner R source code,
- queries that (mostly) work as-is both in R and in your SQL IDE,
- easy composability and reusability of SQL blocks
To use a separate query from R:
sql <- sq_file("path/query")
Note:
- the
.sqlextension can be omitted, - when packaged, the path is relative to the
installation folder.
For the rare occasion, there is also sq_text, which is the
way to add inline SQL. Both sq_file and sq_text produces
S3 objects which are character types with an additional class
sq to enable a few methods (print and +).
Insertion Blocks
INSERT statements can be constructed easily with sq_insert:
# Use all column names as-is:
sq_insert(.into = "TableName", .data = the_data)
# Manually specify values:
sq_insert(.into = "TableName", ~Foo, Bar = ~Baz , .data = the_data)
Unnamed values will use its R name as column name.
It is also possible to use an "insert parameter" in a query, which is then
set with sq_set_insert. These parameters are of the form @Label:insert:
-- Suppose the SQL query in query.sql is:
BEGIN TRANSACTION;
DECLARE @Deleted INT
DELETE
FROM TheTable
WHERE Foo = @Foo
SELECT @Deleted = @@ROWCOUNT
@NewObs:insert
SELECT @Deleted AS Deleted
, @@ROWCOUNT AS Inserted
COMMIT TRANSACTION;
Then the R code is, e.g.:
result <-
sq_file("sql/query") %>%
sq_set(Foo = Bar) %>%
sq_set_insert("NewObs", .into = "TableName", .data = the_data) %>%
sq_send(.with = rodbc)
The default behaviour is to treat the ... as names of values to insert.
To insert values directly/as-is use I() function:
sq_insert("Table", colnames(the_data), Ten = I(10), .data = head(the_data))
Includes
Sometimes it is useful to be able to use the same SQL snippets in several queries,
e.g. some Common Table Expressions (CTE) that are used several places.
For this purpose one can use "include parameters" of the form @Label:include and
the sq_set_include. Example:
-- shared.sql
;WITH SomeData AS
(
SELECT *
FROM SomeTable
WHERE This = @This
AND That = @That
)
-- specific.sql
@CTE:include
SELECT *
FROM OtherTable o
INNER JOIN SomeData s
ON o.This = s.That
sql <-
sq_file("specific") %>%
sq_set_include("CTE", "shared") %>%
sq_set(This = this, That = that)
Transactions
When combining files and chunks then it can be useful to wrap them
in a TRANSACTION. There's a small utility function for this:
update <- sq_file("update")
insert <- sq_file("insert")
result <-
sq_transaction(update, insert) %>%
sq_set(Param = value) %>%
sq_send(.with = rodbc)
Dynamic Table and Column Names
Since values are appropriately quoted, the default replacements
will not work for dynamically specifying e.g. column and table names.
However, you can use sq_value explicitely (this is the function used
internally to prepare a value for SQL):
-- The SQL file
SELECT [Date]
, [CustomerId]
, [CustomerName]
, @Feature
FROM Customers
WHERE Date BETWEEN @DateFrom AND @DateTo
# R
result <-
sq_file("customers") %>%
sq_set(DateFrom = Sys.Date() - 10,
DateTo = Sys.Date(),
Feature = sq_value("Turnover", quote = "[")) %>%
sq_send(.with = rodbc)
Alternative Parameter Specifications
It happens that the @Param notation is inadequate, e.g. when executing stored procedures:
--bad:
EXEC MyStoredProcedure @Param1 = @Param1, @Param2 = @Param2
Here, @Param* on both sides of the equality signs will be replaced! Therefore squr has
the convention: if @_Param exists (with the underscore) this will be replaced and @Param will
not. The R call is the same, i.e. one would use sq_set(Param = value).
--Good:
EXEC MyStoredProcedure @Param1 = @_Param1, @Param2 = @_Param2
SQL to be Ignored
To ignore certain parts of an SQL script in R, enclose it in
--rignore and --end:
--rignore
DECLARE @DateFrom DATE = '2016-01-01'
DECLARE @DateTo DATE = '2016-06-30'
--end
SELECT *
FROM Customers
WHERE Date BETWEEN @DateFrom AND @DateTo
The above then is a complete working example in an SQL IDE, and the variable declarations are ignored in R.
A note on SQL injection
The squr::sq_value function uses DBI::sqlInterpolate to parse values.
However, whenever the values
originate from user input (e.g. in a Shiny/web application, or web services, etc),
approprite precautions should still be taken (type checking, whitelisting, etc.)
OWASP has some good guidelines on how to prevent SQL injection in your applications.
See also
A similar (but different) project for Clojure (with ports for some other languages) by @krisajenkins is Yesql.
R Package Documentation
Browse R Packages
We want your feedback!
Note that we can't provide technical support on individual packages. You should contact the package authors for that.
Embedding an R snippet on your website
Add the following code to your website.
For more information on customizing the embed code, read Embedding Snippets.