[R] Getting frustrated with RMySQL

Jeffrey Horner jeff.horner at vanderbilt.edu
Tue Oct 14 23:45:21 CEST 2008

Barry Rowlingson wrote on 10/14/2008 04:40 PM:
> 2008/10/14 Jeffrey Horner <jeff.horner at vanderbilt.edu>:
>> I've found the best way to parameterize is using R's sprintf function. For
>> instance, the following query not only parameterizes the variable position,
>> but also the table name:
>> fields  <- dbGetQuery(con,sprintf("select field,elem_label from %s_meta
>> where field='%s'",inp$pnid,inp$field))
>  And thus a million web SQL injection exploits were born...
>  Even if you do have control over the parameters to the query, you
> still have to worry about quotes or other nasty escape characters in
> your string ending up in the SQL. I hope little Bobby Tables isn't a
> subject in your analysis:

Thank goodness I don't do analysis, as I haven't the schooling. Barry, 
I'm ashamed of you! I was hoping you'd at least offer an alternative.
> http://xkcd.com/327/

Okay, you are pardoned: I LOVE xkcd! Especially this one:
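
An alternative Barry did not spell out, as an added worked example that is not part of this thread and not RMySQL code: Python's bundled sqlite3 module stands in for MySQL here, and the project id, table layout and rows are made up for the demonstration. It runs the exact sprintf-style query from the quoted message against a two-row table and shows both holes Barry points at, a quote in the value and a crafted table name, then the hardened form: the value goes through a driver placeholder and the identifier half, which no driver can bind, is checked against an allow-list.

```python
import sqlite3

# Constructed stand-in schema: one per-project metadata table, following the
# "<pnid>_meta" naming of the quoted query. The project id and rows are assumptions.
KNOWN_PROJECTS = frozenset({"p1"})


def fresh_db():
    """In-memory database with one project table and two metadata rows (constructed data)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        create table p1_meta (field text, elem_label text);
        insert into p1_meta values ('age', 'Age in years');
        insert into p1_meta values ('sex', 'Sex');
    """)
    return con


def lookup_sprintf(con, pnid, field):
    """The pattern from the post: table name and value are both pasted into the SQL text."""
    sql = "select field, elem_label from %s_meta where field='%s'" % (pnid, field)
    return con.execute(sql).fetchall()


def lookup_safe(con, pnid, field):
    """Identifier allow-listed, value bound through a placeholder so quotes stay literal."""
    if pnid not in KNOWN_PROJECTS:
        raise ValueError("unknown project id: %r" % (pnid,))
    sql = "select field, elem_label from %s_meta where field=?" % (pnid,)
    return con.execute(sql, (field,)).fetchall()


if __name__ == "__main__":
    con = fresh_db()
    print(lookup_sprintf(con, "p1", "age"))
    # A quote in the value turns the WHERE clause into a tautology: every row comes back.
    print(lookup_sprintf(con, "p1", "nope' or '1'='1"))
    # A crafted table-name half reads the schema out of sqlite_master and comments out the rest.
    print(lookup_sprintf(con, "p1_meta where 1=1 union select name, sql from sqlite_master --", "age"))
    # Bound value: the same string is compared literally and matches nothing.
    print(lookup_safe(con, "p1", "nope' or '1'='1"))
    try:
        lookup_safe(con, "p1_meta where 1=1 --", "age")
    except ValueError as exc:
        print("rejected:", exc)
```

The split is the whole lesson: values are bound by the driver, identifiers are never user input but a lookup into names you control. DBI later grew dbQuoteString(), dbQuoteIdentifier() and sqlInterpolate() for exactly this division of labour, so the same two-step shape carries over to R.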
