[R] Getting frustrated with RMySQL

Barry Rowlingson b.rowlingson at lancaster.ac.uk
Tue Oct 14 23:40:04 CEST 2008


2008/10/14 Jeffrey Horner <jeff.horner at vanderbilt.edu>:

> I've found the best way to parameterize is using R's sprintf function. For
> instance, the following query not only parameterizes the variable position,
> but also the table name:
>
> fields  <- dbGetQuery(con,sprintf("select field,elem_label from %s_meta
> where field='%s'",inp$pnid,inp$field))
>

 And thus a million web SQL injection exploits were born...

 Even if you do have control over the parameters to the query, you
still have to worry about quotes or other nasty escape characters in
your string ending up in the SQL. I hope little Bobby Tables isn't a
subject in your analysis:

http://xkcd.com/327/

 Barry
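The escaping problem Barry points at, worked through in R as an added example (this is not code from the thread, and not RMySQL's own): the quoted `sprintf` pattern beside two safer constructions using the DBI package's quoting helpers and parameter binding. `inp` is a constructed input with a hostile second value; `ANSI()` is DBI's driver-less pseudo-connection, used here only so the quoting runs offline. The `params=` form assumes a driver that supports binding (RMariaDB does; the original RMySQL driver of 2008 is assumed not to).

```r
# Added example (not from the thread): safe construction of the query quoted
# above. With a real connection, pass `con` instead of ANSI() so the driver's
# dialect-specific quoting rules apply.
library(DBI)

# Hypothetical input, constructed for this example. The second value is
# exactly the kind of string Barry warns about: an embedded quote.
inp <- list(pnid = "study1", field = "Robert'); DROP TABLE students;--")

# 1. The pattern from the quoted message: sprintf splices raw input into SQL,
#    so the quote in inp$field terminates the literal early.
unsafe_sql <- sprintf("select field,elem_label from %s_meta where field='%s'",
                      inp$pnid, inp$field)

# 2. Quote every piece that comes from outside: identifiers with
#    dbQuoteIdentifier(), string literals with dbQuoteString(). Embedded
#    quotes are doubled, so the whole value stays inside the literal.
build_meta_query <- function(con, pnid, field) {
  tbl <- dbQuoteIdentifier(con, paste0(pnid, "_meta"))
  val <- dbQuoteString(con, field)
  paste0("select field, elem_label from ", tbl, " where field = ", val)
}
safe_sql <- build_meta_query(ANSI(), inp$pnid, inp$field)

cat("unsafe:", unsafe_sql, "\n")
cat("quoted:", safe_sql, "\n")

# 3. Preferred with a live connection: bind the value as a parameter so the
#    driver never interpolates it into SQL text at all. The table name cannot
#    be bound, so it still goes through dbQuoteIdentifier().
fetch_meta <- function(con, pnid, field) {
  tbl <- dbQuoteIdentifier(con, paste0(pnid, "_meta"))
  dbGetQuery(con,
             paste0("select field, elem_label from ", tbl, " where field = ?"),
             params = list(field))
}
# Usage with a real connection (not run here; RMariaDB assumed):
# con <- dbConnect(RMariaDB::MariaDB(), dbname = "...", user = "...")
# fetch_meta(con, inp$pnid, inp$field)
```

Run as-is, the first `cat` shows the hostile value breaking out of its quotes, while the second shows it doubled into `'Robert''); DROP TABLE students;--'`, a harmless literal. Quoting the identifier also matters: `pnid` chooses the table, so an unquoted value there can redirect the query to any table the account can read.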


