[R] Accessing R applications from Web

hadley wickham h.wickham at gmail.com
Thu Apr 19 18:43:52 CEST 2007


> I learned to do this by studying Alfredo Pontillo and Angelo Mineo's
> R-php (http://dssm.unipa.it/R-php). Specifically, look at the file
> pages/result/index.php. They have done lots of other good stuff in
> their project, like filtering dangerous commands - you would not want
> to let a user just type in any R code, because they could seriously
> damage your server.

This is incredibly hard to do with any programming language, and with
R in particular, as there are so many different ways of accessing a
function.

For example, try running the following on their demo site:

a <- get(paste("sys", "tem", sep=""))
a("ls /")

vs

system <- 5
print(system)

Not to mention the fact that the security check is only performed in
JavaScript, so could be trivially removed by turning off JavaScript or
performing the post directly.

Hadley
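
The filtering problem described in this message, as an added example that is not part of the original post or of R-php: two name-based checks, run server-side, over the post's two snippets plus a constructed direct call. The blacklist contents and all function names are assumptions made for illustration.

```python
import re

# Hypothetical blacklist for illustration; not R-php's actual list.
BLACKLIST = {"system", "unlink", "file.remove"}

# The two snippets from the post above.
INDIRECT = 'a <- get(paste("sys", "tem", sep=""))\na("ls /")'
HARMLESS = 'system <- 5\nprint(system)'
# Constructed baseline: the direct call a blacklist is written to catch.
DIRECT = 'system("ls /")'

# R string literals (double or single quoted) and # comments.
_STRING_OR_COMMENT = re.compile(
    r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'|#[^\n]*'
)
# R identifiers may contain dots and underscores.
_IDENTIFIER = re.compile(r'[A-Za-z.][A-Za-z0-9._]*')


def substring_filter(code):
    """Reject if a blacklisted name appears anywhere in the raw text."""
    return any(name in code for name in BLACKLIST)


def identifier_filter(code):
    """Reject if a blacklisted name is used as an identifier,
    ignoring the contents of string literals and comments."""
    stripped = _STRING_OR_COMMENT.sub(" ", code)
    return any(tok in BLACKLIST for tok in _IDENTIFIER.findall(stripped))


def evaluate(filters=(substring_filter, identifier_filter)):
    """Return {sample label: [rejected? for each filter]}."""
    samples = {"direct": DIRECT, "indirect": INDIRECT, "harmless": HARMLESS}
    return {label: [f(code) for f in filters]
            for label, code in samples.items()}


if __name__ == "__main__":
    for label, verdicts in evaluate().items():
        print(f"{label:9s} rejected={verdicts}")
```

Both checks reject the harmless assignment and accept the indirect lookup, because the function name is only assembled when the code runs; matching names in the submitted text therefore cannot decide what the code will call.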


