SQL {DBI} | R Documentation |
This set of classes and generics make it possible to flexibly deal with SQL
escaping needs. By default, any user supplied input to a query should be
escaped using either dbQuoteIdentifier
or dbQuoteString
depending on whether it refers to a table or variable name, or is a literal
string.
SQL(x) dbQuoteIdentifier(conn, x, ...) dbQuoteString(conn, x, ...)
x |
A character vector to label as being escaped SQL. |
conn |
A subclass of |
... |
Other arguments passed on to methods. Not otherwise used. |
The SQL class has associated SQL()
constructor function. This class
is used to prevent double escaping of SQL strings, and to make it possible
to tell DBI functions that you've done the escaping yourself.
DBI provides default methods for SQL-92 compatible quoting. If the database
uses a different convention, you will need to provide your own methods.
Note that because of the way that S4 dispatch finds methods and because
SQL inherits from character, if you implement (e.g.) a method for
dbQuoteString(MyConnection, character)
, you will also need to
implement dbQuoteString(MyConnection, SQL)
- this should simply
return x
unchanged.
If you implement your own method, make sure to convert NA to NULL (unquoted).
# Quoting ensures that arbitrary input is safe for use in a query name <- "Robert'); DROP TABLE Students;--" dbQuoteString(ANSI(), name) dbQuoteIdentifier(ANSI(), name) # NAs become NULL dbQuoteString(ANSI(), c("x", NA)) # SQL vectors are always passed through as is var_name <- SQL("select") var_name dbQuoteIdentifier(ANSI(), var_name) dbQuoteString(ANSI(), var_name) # This mechanism is used to prevent double escaping dbQuoteString(ANSI(), dbQuoteString(ANSI(), name))