2008/10/14 Jeffrey Horner <[EMAIL PROTECTED]>:
> I've found the best way to parameterize is using R's sprintf function. For
> instance, the following query not only parameterizes the variable position,
> but also the table name:
>
> fields <- dbGetQuery(con, sprintf("select field,elem_label from %s_meta where field='%s'", inp$pnid, inp$field))
>
And thus a million web SQL injection exploits were born... Even if you do have
control over the parameters to the query, you still have to worry about quotes
or other nasty escape characters in your string ending up in the SQL. I hope
little Bobby Tables isn't a subject in your analysis: http://xkcd.com/327/

Barry

______________________________________________
R-help@r-project.org mailing list
https://stat.ethz.ch/mailman/listinfo/r-help
PLEASE do read the posting guide http://www.R-project.org/posting-guide.html
and provide commented, minimal, self-contained, reproducible code.
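The injection Barry is warning about, worked through as an added example that is not part of either message above: the sprintf query from the thread is run against a constructed in-memory SQLite table (the table `abc_meta`, its rows, the `inp` list and the `lookup_meta()` helper are all assumptions for this demo) with a hostile value in `inp$field`, next to a version that binds the value through DBI's `params` argument and checks the table name against the connection's catalogue before quoting it as an identifier. Requires the DBI and RSQLite packages.

```r
## Added example, not code from the thread. Shows the sprintf query from the
## quoted message being defeated by a crafted value, then two safer forms.
library(DBI)
library(RSQLite)

con <- dbConnect(RSQLite::SQLite(), ":memory:")

## Constructed sample data standing in for the poster's <pnid>_meta tables
dbExecute(con, "CREATE TABLE abc_meta (field TEXT, elem_label TEXT)")
dbExecute(con, "INSERT INTO abc_meta VALUES ('age', 'Age in years'), ('sex', 'Sex')")

## Simulated web input: pnid is benign, field carries an injection payload
inp <- list(pnid = "abc", field = "x' OR '1'='1")

## 1. The sprintf approach from the thread: the payload is spliced straight
##    into the SQL text, so the quote in it closes the literal and the
##    OR clause makes the WHERE condition always true.
unsafe_sql <- sprintf("select field,elem_label from %s_meta where field='%s'",
                      inp$pnid, inp$field)
cat(unsafe_sql, "\n")
nrow(dbGetQuery(con, unsafe_sql))   # 2 rows: the filter was defeated

## 2. Bind the value with a placeholder; the driver passes it to SQLite as
##    data, never as SQL. Identifiers (the table name) cannot be bound, so the
##    name is checked against the tables that actually exist and then quoted
##    as an identifier. lookup_meta() is a hypothetical helper for this demo.
lookup_meta <- function(con, pnid, field) {
  table <- paste0(pnid, "_meta")
  if (!table %in% dbListTables(con)) stop("unknown table: ", table)
  sql <- paste0("select field, elem_label from ",
                dbQuoteIdentifier(con, table), " where field = ?")
  dbGetQuery(con, sql, params = list(field))
}
nrow(lookup_meta(con, inp$pnid, inp$field))   # 0 rows: payload treated as a literal
lookup_meta(con, "abc", "age")                # the legitimate lookup still works

## 3. For a driver without parameter binding, sqlInterpolate() escapes values
##    with dbQuoteString(); objects of class SQL (such as a quoted identifier)
##    are inserted verbatim, so the table name still goes through dbQuoteIdentifier().
sql <- sqlInterpolate(con,
  "select field, elem_label from ?tbl where field = ?fld",
  tbl = dbQuoteIdentifier(con, "abc_meta"), fld = inp$field)
nrow(dbGetQuery(con, sql))                     # 0 rows

dbDisconnect(con)
```

The `dbListTables()` check is the part people usually skip: quoting the identifier stops the table name from breaking out of the statement, but on its own it still lets a caller pick any table the connection can read, so the name is validated against a known set first and only then quoted.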