build_sql


Build a SQL string.

This is a convenience function intended to prevent SQL injection (which in the context of dplyr is far more likely to be accidental than deliberate). String literals written directly in the call are treated as SQL and passed through unchanged; every other argument (variables, expressions, function results) is escaped according to its type, so a character value becomes a quoted SQL string literal with any embedded quotes doubled. This is unlikely to stop a determined attacker, since sql() and ident() let you bypass the escaping and quoting rules vary between backends, but it should make it hard to produce invalid SQL by accident.

Usage
build_sql(..., .env = parent.frame(), con = sql_current_con())
Arguments
...
input to convert to SQL. String literals in the call are used as SQL verbatim; everything else is escaped. Use sql() to pass user input through as SQL unchanged (dangerous: it disables escaping), and ident() to mark user input as a SQL identifier, which is then quoted with the connection's identifier quote (safe).
.env
the environment in which to evaluate the arguments. Should not be needed in typical use.
con
database connection; used to select correct quoting characters.
Aliases
  • build_sql
Examples
# A string literal in the call is passed through as SQL unchanged.
build_sql("SELECT * FROM TABLE")

x <- "TABLE"
# A variable is escaped as a string literal: SELECT * FROM 'TABLE'
# (valid syntax, but not a table reference).
build_sql("SELECT * FROM ", x)
# ident() marks it as an identifier and quotes it for the backend,
# e.g. SELECT * FROM "TABLE" on an ANSI-quoting connection.
build_sql("SELECT * FROM ", ident(x))
# sql() passes it through verbatim: SELECT * FROM TABLE
build_sql("SELECT * FROM ", sql(x))

# http://xkcd.com/327/
name <- "Robert'); DROP TABLE Students;--"
# name is a variable, so it is escaped as a string literal and the
# embedded quote is doubled; the DROP stays inside the literal:
# INSERT INTO Students (Name) VALUES ('Robert''); DROP TABLE Students;--')
build_sql("INSERT INTO Students (Name) VALUES (", name, ")")
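To make the difference between the escaped and the sql()-style path concrete, the following added example (not dbplyr code, and not from the package authors) reproduces the same two quoting rules in Python and runs the xkcd payload above against an in-memory SQLite database. The helpers escape_string() and escape_ident() are assumptions standing in for build_sql()'s default escaping and for ident(); sqlite3's executescript() is used only to stand in for a driver that executes several statements in one call, which is what the payload needs to do damage.

```python
import sqlite3

# Constructed sample input: the xkcd 327 payload quoted on the page.
MALICIOUS_NAME = "Robert'); DROP TABLE Students;--"


def escape_string(value: str) -> str:
    """Escape a value as a SQL string literal: wrap it in single quotes and
    double any embedded single quote. This mirrors (assumption) the rule
    build_sql() applies to character variables and expressions."""
    return "'" + value.replace("'", "''") + "'"


def escape_ident(name: str) -> str:
    """Escape an identifier with ANSI double quotes, doubling any embedded
    double quote; the analogue (assumption) of ident() on an ANSI backend."""
    return '"' + name.replace('"', '""') + '"'


def fresh_db() -> sqlite3.Connection:
    """Constructed fixture: in-memory database with a Students table and one row."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Students (Name TEXT)")
    con.execute("INSERT INTO Students (Name) VALUES ('Alice')")
    con.commit()
    return con


def table_exists(con: sqlite3.Connection, table: str) -> bool:
    row = con.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = ?",
        (table,),
    ).fetchone()
    return row is not None


def student_names(con: sqlite3.Connection) -> list:
    # The table name is quoted as an identifier, not as a string literal.
    query = "SELECT Name FROM " + escape_ident("Students") + " ORDER BY rowid"
    return [row[0] for row in con.execute(query)]


def insert_raw(con: sqlite3.Connection, name: str) -> None:
    """The sql()-style path: the input is pasted into the statement as SQL text,
    so the quote in the payload closes the literal and the DROP executes."""
    con.executescript("INSERT INTO Students (Name) VALUES ('" + name + "')")


def insert_escaped(con: sqlite3.Connection, name: str) -> None:
    """The default build_sql() path: the value is escaped as a string literal,
    so the whole payload, DROP included, is stored as data."""
    con.executescript("INSERT INTO Students (Name) VALUES (" + escape_string(name) + ")")


def insert_param(con: sqlite3.Connection, name: str) -> None:
    """The driver's bound parameter: the value never becomes part of the SQL text."""
    con.execute("INSERT INTO Students (Name) VALUES (?)", (name,))
    con.commit()


def run_demo() -> dict:
    """Run the payload through all three paths and report what survived."""
    results = {}

    con = fresh_db()
    insert_raw(con, MALICIOUS_NAME)
    results["raw_table_survives"] = table_exists(con, "Students")  # False

    con = fresh_db()
    insert_escaped(con, MALICIOUS_NAME)
    results["escaped_table_survives"] = table_exists(con, "Students")  # True
    results["escaped_rows"] = student_names(con)  # ['Alice', MALICIOUS_NAME]

    con = fresh_db()
    insert_param(con, MALICIOUS_NAME)
    results["param_rows"] = student_names(con)  # ['Alice', MALICIOUS_NAME]
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "=", value)
```

The escaped and parameterised paths end with the same two rows, which is the point of build_sql()'s default behaviour: a value that looks like SQL is still just a value. Escaping by quote doubling is backend specific, so where the driver offers bound parameters they remain the safer choice for values; build_sql()'s job is composing query text, and ident() is what you want for table and column names that come from user input.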
Documentation reproduced from package dbplyr, version 0.0.0.9001, License: MIT + file LICENSE
