Quote literal values
Call these methods to generate a string that is suitable for use in a query as a literal value of the correct type, to make sure that you generate valid SQL and protect against SQL injection attacks.
dbQuoteLiteral(conn, x, ...)
conn |
A DBIConnection object, as returned by
|
x |
A vector to quote as string. |
... |
Other arguments passed on to methods. |
dbQuoteLiteral() returns an object that can be coerced to character,
of the same length as the input.
For an empty character vector this function returns a length-0 object.
The returned expression can be used in a SELECT ... query,
and the value of
dbGetQuery(paste0("SELECT ", dbQuoteLiteral(x)))[[1]]
must be equal to x
for any scalar
integer,
numeric,
string,
and logical.
If x is NA, the result must merely satisfy is.na().
The literals "NA" or "NULL" are not treated specially.
NA should be translated to an unquoted SQL NULL,
so that the query SELECT * FROM (SELECT 1) a WHERE ... IS NULL
returns one row.
Passing a list
for the x argument raises an error.
Other DBIResult generics:
DBIResult-class,
dbBind(),
dbClearResult(),
dbColumnInfo(),
dbFetch(),
dbGetInfo(),
dbGetRowCount(),
dbGetRowsAffected(),
dbGetStatement(),
dbHasCompleted(),
dbIsReadOnly(),
dbIsValid(),
dbQuoteIdentifier(),
dbQuoteString(),
dbUnquoteIdentifier()
# Quoting ensures that arbitrary input is safe for use in a query
name <- "Robert'); DROP TABLE Students;--"
dbQuoteLiteral(ANSI(), name)
# NAs become NULL
dbQuoteLiteral(ANSI(), c(1:3, NA))
# Logicals become integers by default
dbQuoteLiteral(ANSI(), c(TRUE, FALSE, NA))
# Raw vectors become hex strings by default
dbQuoteLiteral(ANSI(), list(as.raw(1:3), NULL))
# SQL vectors are always passed through as is
var_name <- SQL("select")
var_name
dbQuoteLiteral(ANSI(), var_name)
# This mechanism is used to prevent double escaping
dbQuoteLiteral(ANSI(), dbQuoteLiteral(ANSI(), name))Please choose more modern alternatives, such as Google Chrome or Mozilla Firefox.