sqlInterpolate {DBI}    R Documentation

Safely interpolate values into an SQL string

Description

Safely interpolate values into an SQL string.
Usage

sqlInterpolate(`_con`, `_sql`, ...)

## S4 method for signature 'DBIConnection'
sqlInterpolate(`_con`, `_sql`, ...)
Arguments

_con
    A database connection.

...
    Named values to interpolate into the string. All strings will be first escaped with

_sql
    A SQL string containing variables to interpolate. Variables must start with a question mark and can be any valid R identifier, i.e. it must start with a letter or
Details

If you are implementing a SQL backend with non-ANSI quoting rules, you'll need to implement a method for sqlParseVariables. Failure to do so does not expose you to SQL injection attacks, but will (rarely) result in errors matching supplied and interpolated variables.
Examples

sql <- "SELECT * FROM X WHERE name = ?name"
sqlInterpolate(ANSI(), sql, name = "Hadley")

# This is safe because the single quote has been double escaped
sqlInterpolate(ANSI(), sql, name = "H'); DROP TABLE--;")
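The example above quotes against the ANSI() pseudo-connection and never runs the result. The following added example (not part of the DBI documentation) does the same interpolation against a real in-memory SQLite database, assuming the RSQLite backend is installed, so you can see that the quoted value is executed as plain data and the table is still there afterwards. The table contents, the extra ?min_age variable and the helper names are constructed for this example.

```r
library(DBI)
library(RSQLite)   # assumption: RSQLite is installed; any DBI backend works the same way

# Constructed sample data: one ordinary name and one that looks like injection.
con <- dbConnect(RSQLite::SQLite(), ":memory:")
dbWriteTable(con, "X", data.frame(
  name = c("Hadley", "H'); DROP TABLE--;"),
  age  = c(40, 1),
  stringsAsFactors = FALSE
))

# Every ?variable is replaced by a value quoted for this connection:
# character values go through dbQuoteString(), numbers are inserted as literals.
sql <- "SELECT name, age FROM X WHERE name = ?name AND age >= ?min_age"

safe_query <- function(con, who, min_age) {
  q <- sqlInterpolate(con, sql, name = who, min_age = min_age)
  print(q)                       # show the interpolated SQL before running it
  dbGetQuery(con, q)
}

safe_query(con, "Hadley", 18)    # one row: Hadley, 40

# The hostile-looking value is still just data: its single quote is doubled,
# so the whole thing is compared as a string literal.
hostile <- "H'); DROP TABLE--;"
safe_query(con, hostile, 0)      # one row: the literal name, age 1
dbExistsTable(con, "X")          # TRUE: nothing was dropped

# Contrast with string concatenation, which puts the raw quote into the SQL
# text. Printed only, never executed: this is the pattern sqlInterpolate replaces.
cat(paste0("SELECT * FROM X WHERE name = '", hostile, "'"), "\n")

dbDisconnect(con)
```

Two caveats worth keeping in mind: every ?variable must be supplied by name (a missing or extra name is an error rather than a silent blank), and interpolated values are quoted as literals, so they cannot be used to supply a table or column name; use dbQuoteIdentifier() for those.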