Thanks Jeffrey and Barry,

I like the humour.  I didn't know about xkcd.com, but the humour on it is
familiar.  I saw little Bobby Tables what seems like eons ago, when I first
started cgi programming.

Anyway, I recognized the risk of an injection attack with this use of
sprintf, but in this case, there is no risk because all the data used is
coming from previously sanitized data in our DB, and the parameters in this
case will invariably be integers.

Thanks again

Ted



Jeffrey Horner wrote:
> 
> Barry Rowlingson wrote on 10/14/2008 04:40 PM:
>> 2008/10/14 Jeffrey Horner <[EMAIL PROTECTED]>:
>> 
>>> I've found the best way to parameterize is using R's sprintf function.
>>> For
>>> instance, the following query not only parameterizes the variable
>>> position,
>>> but also the table name:
>>>
>>> fields <- dbGetQuery(con, sprintf("select field,elem_label from %s_meta where field='%s'", inp$pnid, inp$field))
>>>
>> 
>>  And thus a million web SQL injection exploits were born...
>> 
>>  Even if you do have control over the parameters to the query, you
>> still have to worry about quotes or other nasty escape characters in
>> your string ending up in the SQL. I hope little Bobby Tables isn't a
>> subject in your analysis:
> 
> Thank goodness I don't do analysis, as I haven't the schooling. Barry, 
> I'm ashamed of you! I was hoping you'd at least offer an alternative.
>> 
>> http://xkcd.com/327/
> 
> Okay, you are pardoned: I LOVE xkcd! Especially this one:
> 
> http://xkcd.com/349/
> 
> Best,
> 
> Jeff
> -- 
> http://biostat.mc.vanderbilt.edu/JeffreyHorner
> 
> ______________________________________________
> R-help@r-project.org mailing list
> https://stat.ethz.ch/mailman/listinfo/r-help
> PLEASE do read the posting guide
> http://www.R-project.org/posting-guide.html
> and provide commented, minimal, self-contained, reproducible code.
> 
> 

-- 
View this message in context: 
http://www.nabble.com/Getting-frustrated-with-RMySQL-tp19980592p19983073.html
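The sprintf pattern quoted above, side by side with a parameterised form, as an added example that is not code from this thread or from the RMySQL package. It assumes an in-memory RSQLite database standing in for the MySQL connection (so the results can be reproduced offline), DBI's dbQuoteIdentifier() and the params argument of dbGetQuery() (both from DBI/RSQLite releases later than the ones current when this thread was written), and the table names p42_meta and secrets, whose contents are constructed for the example. It also shows the "parameters are always integers" case from the reply above, with the integer check made explicit in code rather than assumed.

```r
library(DBI)
library(RSQLite)  # assumption: in-memory SQLite standing in for the RMySQL connection

## Constructed sample data: a per-pnid *_meta table like the one in the thread,
## plus an unrelated table whose contents should never be reachable from it.
con <- dbConnect(RSQLite::SQLite(), ":memory:")
dbWriteTable(con, "p42_meta",
             data.frame(field = c("age", "sex"), elem_label = c("Age", "Sex"),
                        stringsAsFactors = FALSE))
dbWriteTable(con, "secrets",
             data.frame(id = 1L, token = "do-not-leak", stringsAsFactors = FALSE))

## The pattern from the thread: both the table name and the value are spliced
## into the SQL text with sprintf, so whatever 'field' contains becomes SQL.
unsafe_query <- function(con, pnid, field) {
  sql <- sprintf("select field, elem_label from %s_meta where field = '%s'",
                 pnid, field)
  dbGetQuery(con, sql)
}

## Hardened form: the identifier is checked against a whitelist pattern and then
## quoted by the driver; the value is bound as a parameter, never concatenated.
safe_query <- function(con, pnid, field) {
  stopifnot(length(pnid) == 1, grepl("^[A-Za-z][A-Za-z0-9_]*$", pnid))
  tbl <- dbQuoteIdentifier(con, paste0(pnid, "_meta"))
  sql <- paste0("select field, elem_label from ", tbl, " where field = ?")
  dbGetQuery(con, sql, params = list(field))
}

## The "it is always an integer" case: make that true in code rather than by
## assumption. as.integer() turns anything that is not a number into NA
## (with a warning), and sprintf("%d") refuses non-integer values outright.
query_by_id <- function(con, id) {
  id <- suppressWarnings(as.integer(id))
  stopifnot(length(id) == 1, !is.na(id))
  dbGetQuery(con, sprintf("select id, token from secrets where id = %d", id))
}

## Legitimate input behaves the same either way.
unsafe_query(con, "p42", "age")
safe_query(con, "p42", "age")

## A crafted 'field' turns the sprintf query into a UNION that reads the other
## table; the parameterised version just looks for a row with that literal name.
payload <- "' union select id, token from secrets --"
unsafe_query(con, "p42", payload)   # returns the row from 'secrets'
safe_query(con, "p42", payload)     # returns zero rows

## A non-integer "id" never reaches the database.
tryCatch(query_by_id(con, "1 or 1=1"), error = function(e) conditionMessage(e))
query_by_id(con, 1)                 # the genuine lookup

dbDisconnect(con)
```

The same split applies to MySQL: dbQuoteIdentifier() produces backtick-quoted names on an RMySQL connection, and binding the value keeps any quote characters in it out of the SQL text entirely, so the query does not depend on the data in the table already being clean.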