SQL

0th

Percentile

SQL quoting

This set of classes and generics make it possible to flexibly deal with SQL escaping needs. By default, any user supplied input to a query should be escaped using either dbQuoteIdentifier or dbQuoteString depending on whether it refers to a table or variable name, or is a literal string. These functions return an object of the SQL class, which tells DBI functions that a character string does not need to be escaped anymore, to prevent double escaping. The SQL class has associated the SQL() constructor function.

Usage
SQL(x)
dbQuoteIdentifier(conn, x, ...)
dbQuoteString(conn, x, ...)
Arguments
x
A character vector to label as being escaped SQL.
conn
A subclass of DBIConnection, representing an active connection to an DBMS.
...
Other arguments passed on to methods. Not otherwise used.
Value

An object of class SQL.

Implementation notes

DBI provides default generics for SQL-92 compatible quoting. If the database uses a different convention, you will need to provide your own methods. Note that because of the way that S4 dispatch finds methods and because SQL inherits from character, if you implement (e.g.) a method for dbQuoteString(MyConnection, character), you will also need to implement dbQuoteString(MyConnection, SQL) - this should simply return x unchanged. If you implement your own method, make sure to convert NA to NULL (unquoted).

See Also

Other DBIResult generics: DBIResult-class, dbBind, dbClearResult, dbColumnInfo, dbFetch, dbGetInfo, dbGetRowCount, dbGetRowsAffected, dbGetStatement, dbHasCompleted, dbIsValid

Other DBIResult generics: DBIResult-class, dbBind, dbClearResult, dbColumnInfo, dbFetch, dbGetInfo, dbGetRowCount, dbGetRowsAffected, dbGetStatement, dbHasCompleted, dbIsValid

Aliases
  • SQL
  • SQL-class
  • dbQuoteIdentifier
  • dbQuoteString
Examples
library(DBI) # Quoting ensures that arbitrary input is safe for use in a query name <- "Robert'); DROP TABLE Students;--" dbQuoteString(ANSI(), name) dbQuoteIdentifier(ANSI(), name) # NAs become NULL dbQuoteString(ANSI(), c("x", NA)) # SQL vectors are always passed through as is var_name <- SQL("select") var_name dbQuoteIdentifier(ANSI(), var_name) dbQuoteString(ANSI(), var_name) # This mechanism is used to prevent double escaping dbQuoteString(ANSI(), dbQuoteString(ANSI(), name))
Documentation reproduced from package DBI, version 0.5-1, License: LGPL (>= 2)

Community examples

Looks like there are no examples yet.