dbQuoteIdentifier() or dbQuoteString(), depending on whether it refers to a table or variable name, or is a literal string. These functions return an object of the SQL class, which tells DBI functions that a character string does not need to be escaped anymore, to prevent double escaping. The SQL class has an associated constructor function, SQL().

Usage

SQL(x)
dbQuoteIdentifier(conn, x, ...)
dbQuoteString(conn, x, ...)

Arguments

conn: A DBIConnection object, representing an active connection to a DBMS.

Value

An object of class SQL.
Details

If you implement dbQuoteString(MyConnection, character), you will also need to implement dbQuoteString(MyConnection, SQL); this should simply return x unchanged. If you implement your own method, make sure to convert NA to NULL (unquoted).

See also

Other DBIResult generics: DBIResult-class, dbBind, dbClearResult, dbColumnInfo, dbFetch, dbGetInfo, dbGetRowCount, dbGetRowsAffected, dbGetStatement, dbHasCompleted, dbIsValid

Examples
# Quoting ensures that arbitrary input is safe for use in a query
name <- "Robert'); DROP TABLE Students;--"
dbQuoteString(ANSI(), name)
dbQuoteIdentifier(ANSI(), name)
# NAs become NULL
dbQuoteString(ANSI(), c("x", NA))
# SQL vectors are always passed through as is
var_name <- SQL("select")
var_name
dbQuoteIdentifier(ANSI(), var_name)
dbQuoteString(ANSI(), var_name)
# This mechanism is used to prevent double escaping
dbQuoteString(ANSI(), dbQuoteString(ANSI(), name))
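The implementer contract from the Details section, as an added example that is not part of the DBI documentation: a hypothetical backend class MyConnection (with a made-up `label` slot) gets both dbQuoteString methods, so that plain character input is escaped once, NA becomes an unquoted NULL, and input already of class SQL passes through unchanged.

```r
library(methods)
library(DBI)

# Hypothetical backend connection class, constructed for this example only.
setClass("MyConnection", contains = "DBIConnection",
         slots = c(label = "character"))

# Method for plain character input: double every embedded single quote,
# wrap the result in single quotes, and emit NA as an unquoted NULL.
setMethod("dbQuoteString", c("MyConnection", "character"),
  function(conn, x, ...) {
    out <- paste0("'", gsub("'", "''", x, fixed = TRUE), "'")
    out[is.na(x)] <- "NULL"
    SQL(out)
  }
)

# Method for input that is already of class SQL: return it unchanged, so a
# value that was quoted once is not escaped a second time.
setMethod("dbQuoteString", c("MyConnection", "SQL"),
  function(conn, x, ...) x
)

conn <- new("MyConnection", label = "demo")
name <- "Robert'); DROP TABLE Students;--"

# Naive interpolation lets the input close the literal and start a new statement.
unsafe <- paste0("SELECT * FROM Students WHERE name = '", name, "'")

# Quoted interpolation keeps the whole input inside one string literal.
quoted <- dbQuoteString(conn, name)
safe <- paste0("SELECT * FROM Students WHERE name = ", as.character(quoted))

unsafe
safe
identical(dbQuoteString(conn, quoted), quoted)  # TRUE: SQL input is not re-escaped
dbQuoteString(conn, c("x", NA))                 # 'x' and an unquoted NULL
```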