[R] Getting frustrated with RMySQL
Jeffrey Horner
jeff.horner at vanderbilt.edu
Tue Oct 14 23:45:21 CEST 2008
Barry Rowlingson wrote on 10/14/2008 04:40 PM:
> 2008/10/14 Jeffrey Horner <jeff.horner at vanderbilt.edu>:
>
>> I've found the best way to parameterize is using R's sprintf function. For
>> instance, the following query not only parameterizes the variable position,
>> but also the table name:
>>
>> fields <- dbGetQuery(con,sprintf("select field,elem_label from %s_meta
>> where field='%s'",inp$pnid,inp$field))
>>
>
> And thus a million web SQL injection exploits were born...
>
> Even if you do have control over the parameters to the query, you
> still have to worry about quotes or other nasty escape characters in
> your string ending up in the SQL. I hope little Bobby Tables isn't a
> subject in your analysis:
Thank goodness I don't do analysis, as I haven't the schooling. Barry,
I'm ashamed of you! I was hoping you'd at least offer an alternative.
>
> http://xkcd.com/327/
Okay, you are pardoned: I LOVE xkcd! Especially this one:
http://xkcd.com/349/
Best,
Jeff
--
http://biostat.mc.vanderbilt.edu/JeffreyHorner
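As an added example that is not part of this thread, the R code below shows why the sprintf construction quoted above breaks on any value containing a quote, and how the same query can be built with DBI's quoting helpers plus an identifier check. It assumes the DBI package; DBI::ANSI() is used as a stand-in quoter so it runs without a MySQL server (a real RMySQL/RMariaDB connection would be passed instead).

```r
library(DBI)

# Constructed inputs standing in for the thread's inp$pnid and inp$field.
pnid  <- "survey"
field <- "don't"   # an ordinary value that happens to contain a quote

# The sprintf approach from the thread: the apostrophe in `field` terminates
# the string literal, so the statement is no longer the one intended.
unsafe <- sprintf("select field,elem_label from %s_meta where field='%s'",
                  pnid, field)
cat(unsafe, "\n")

# A defensive builder: the table-name fragment is validated against a strict
# identifier pattern (identifiers cannot be bound as parameters) and the value
# is quoted by the driver instead of pasted in raw.
build_meta_query <- function(con, pnid, field) {
  if (!grepl("^[A-Za-z_][A-Za-z0-9_]*$", pnid)) {
    stop("pnid is not a plain identifier: ", pnid)
  }
  tbl <- dbQuoteIdentifier(con, paste0(pnid, "_meta"))
  val <- dbQuoteString(con, field)
  paste0("select field,elem_label from ", tbl, " where field=", val)
}

# DBI::ANSI() is a connection-free ANSI-SQL quoter; with a real RMySQL or
# RMariaDB connection the driver applies MySQL's own escaping and backticks.
con  <- DBI::ANSI()
safe <- build_meta_query(con, pnid, field)
cat(safe, "\n")

# A table-name fragment that is not an identifier is rejected, not interpolated.
try(build_meta_query(con, "bad name", "q1"))

# Preferred with a live connection: bind the value as a parameter and only
# quote the validated identifier (hypothetical `con` from dbConnect()).
#   stmt <- paste0("select field,elem_label from ",
#                  dbQuoteIdentifier(con, paste0(pnid, "_meta")),
#                  " where field = ?")
#   fields <- dbGetQuery(con, stmt, params = list(field))
```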