sqlInterpolate {DBI}R Documentation

Safely interpolate values into an SQL string.

Description

Safely interpolate values into an SQL string.

Usage

sqlInterpolate(`_con`, `_sql`, ...)

## S4 method for signature 'DBIConnection'
sqlInterpolate(`_con`, `_sql`, ...)

Arguments

_con

A database connection.

...

Named values to interpolate into string. All strings will be first escaped with dbQuoteString prior to interpolation to protect against SQL interpolation attacks.

'_sql'

A SQL string containing containing variables to interpolate. Variables must start with a question mark and can be any valid R identifier, i.e. it must start with a letter or ., and be followed by a letter, digit, . or _.

Backend authors

If you are implementing a SQL backend with non-ANSI quoting rules, you'll need to implement a method for sqlParseVariables. Failure to do so does not expose you to SQL injection attacks, but will (rarely) result in errors matching supplied and interpolated variables.

Examples

sql <- "SELECT * FROM X WHERE name = ?name"
sqlInterpolate(ANSI(), sql, name = "Hadley")
# This is safe because the single quote has been double escaped
sqlInterpolate(ANSI(), sql, name = "H'); DROP TABLE--;")

[Package DBI version 0.4-1 Index]