[R] Accessing R applications from Web

Elio Mineo mineoeli at unipa.it
Fri Apr 20 13:08:01 CEST 2007


On Thu, 19/04/2007 at 11.43 -0500, hadley wickham wrote:
> > I learned to do this by studying Alfredo Pontillo and Angelo Mineo's
> > R-php (http://dssm.unipa.it/R-php). Specifically, look at the file
> > pages/result/index.php. They have done lots of other good stuff in
> > their project, like filtering dangerous commands - you would not want
> > to let a user just type in any R code, because they could seriously
> > damage your server.
> 
> This is incredibly hard to do with any programming language, and with
> R in particular, as there are so many different ways of accessing a
> function.
> 

Yes, it is really hard.

> For example, try running the following on their demo site:
> 
> a <- get(paste("sys", "tem", sep=""))
> a("ls /")
> 
> vs
> 
> system <- 5
> print(system)
> 
> Not to mention the fact that the security check is only performed in
> javascript, so could be trivially removed by turning off javascript or
> performing the post directly.
> 
If you turn off javascript, R-php doesn't work.

> Hadley
> 
Elio
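
Added example, not part of the original thread and not R-php's code: a server-side check that parses a submission without running it and accepts it only if every function it calls is on an allow-list, shown beside a text deny-list on the two snippets quoted above. DENY, ALLOWED and all function names are hypothetical, and the deny-list is a constructed stand-in, since the thread does not show R-php's actual filter.

```r
# Added example; DENY, ALLOWED and the function names are hypothetical.
DENY    <- c("system", "unlink", "file.remove")  # constructed stand-in deny-list
ALLOWED <- c("<-", "=", "(", "{", "+", "-", "*", "/", "^",
             "c", "print", "paste", "mean", "sd", "summary")

# Naive filter: accept unless a denied name appears somewhere in the text.
naive_denylist_ok <- function(code) {
  !any(vapply(DENY, grepl, logical(1), x = code, fixed = TRUE))
}

# Collect the name of every function called anywhere in a parsed expression.
called_names <- function(e) {
  if (!is.call(e)) return(character(0))
  head <- e[[1]]
  # A head that is not a plain symbol (f()(x), pkg::f(x)) is reported as
  # "<computed>", which can never match an allow-list entry.
  here <- if (is.symbol(head)) as.character(head) else "<computed>"
  c(here, unlist(lapply(as.list(e), called_names)))
}

# Parse only, never evaluate. Any parse or walk error fails closed.
check_submission <- function(code) {
  calls <- tryCatch(
    unique(unlist(lapply(parse(text = code, keep.source = FALSE),
                         called_names))),
    error = function(err) "<parse-or-walk-error>")
  bad <- setdiff(calls, ALLOWED)
  list(ok = length(bad) == 0, rejected = bad)
}

# The two snippets quoted in the thread, held as text and only parsed here.
samples <- c(
  indirect = 'a <- get(paste("sys", "tem", sep=""))\na("ls /")',
  harmless = 'system <- 5\nprint(system)')

for (n in names(samples)) {
  res <- check_submission(samples[[n]])
  cat(sprintf("%-9s deny-list ok: %-5s  allow-list ok: %-5s  rejected: %s\n",
              n, naive_denylist_ok(samples[[n]]), res$ok,
              paste(res$rejected, collapse = ", ")))
}
```

The deny-list accepts the indirect form and rejects the harmless assignment, while the allow-list does the reverse because `get` and the user-defined `a` are not permitted calls. The check belongs in the code that receives the POST, since a check made only in the browser is skipped when the request is posted directly.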


