Barry Rowlingson wrote on 10/14/2008 04:40 PM:
2008/10/14 Jeffrey Horner <[EMAIL PROTECTED]>:

I've found the best way to parameterize is using R's sprintf function. For
instance, the following query not only parameterizes the variable position,
but also the table name:

library(DBI)  # dbGetQuery() is the DBI interface; con is an already-open connection
# Both the table name and the value are pasted into the SQL text unescaped:
fields <- dbGetQuery(con, sprintf("select field,elem_label from %s_meta where field='%s'",
                                  inp$pnid, inp$field))


 And thus a million web SQL injection exploits were born...

 Even if you do have control over the parameters to the query, you
still have to worry about quotes or other nasty escape characters in
your string ending up in the SQL. I hope little Bobby Tables isn't a
subject in your analysis:

Thank goodness I don't do analysis, as I haven't the schooling. Barry, I'm ashamed of you! I was hoping you'd at least offer an alternative.

http://xkcd.com/327/

Okay, you are pardoned: I LOVE xkcd! Especially this one:

http://xkcd.com/349/

Best,

Jeff
--
http://biostat.mc.vanderbilt.edu/JeffreyHorner

______________________________________________
R-help@r-project.org mailing list
https://stat.ethz.ch/mailman/listinfo/r-help
PLEASE do read the posting guide http://www.R-project.org/posting-guide.html
and provide commented, minimal, self-contained, reproducible code.
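The alternative Jeff asks for, as an added example that is not part of the thread: the sprintf() query from above run beside a hardened form that quotes the table name with the driver's identifier rules and passes the field value as a bound parameter. It assumes current DBI and RSQLite packages; the table, rows, inputs and the safe_query()/unsafe_query() helpers are all constructed here for the demonstration.

```r
# Added example (not from the thread). Assumes the DBI and RSQLite packages
# are installed; everything below is constructed for the demonstration.
library(DBI)
library(RSQLite)

con <- dbConnect(RSQLite::SQLite(), ":memory:")
dbExecute(con, "CREATE TABLE survey_meta (field TEXT, elem_label TEXT)")
dbExecute(con, "INSERT INTO survey_meta VALUES
  ('age', 'Age in years'), ('sex', 'Sex'), ('ssn', 'Social security number')")

# Constructed input: pnid selects the table, field should name exactly one row.
inp <- list(pnid = "survey", field = "age")

# 1. The approach from the thread: both values are spliced into the SQL text.
unsafe_query <- function(con, inp) {
  dbGetQuery(con, sprintf("select field,elem_label from %s_meta where field='%s'",
                          inp$pnid, inp$field))
}
nrow(unsafe_query(con, inp))   # 1 row, as intended

# A field value that contains a quote is no longer a value: it becomes part of
# the WHERE clause and changes what the query means (Barry's point above).
bad <- list(pnid = "survey", field = "age' or 'a'='a")
nrow(unsafe_query(con, bad))   # 3 rows: every row of the table comes back

# 2. Hardened form. A table name cannot be bound as a parameter, so it is
#    checked against a known list and then quoted with dbQuoteIdentifier();
#    the field value travels separately from the SQL text via params.
safe_query <- function(con, inp, allowed_pnids = c("survey")) {
  if (!inp$pnid %in% allowed_pnids) stop("unknown pnid: ", inp$pnid)
  tbl <- dbQuoteIdentifier(con, paste0(inp$pnid, "_meta"))
  sql <- paste0("select field,elem_label from ", tbl, " where field = ?")
  # Quotes inside inp$field are now data the driver escapes, not SQL syntax.
  dbGetQuery(con, sql, params = list(inp$field))
}
nrow(safe_query(con, inp))     # 1 row
nrow(safe_query(con, bad))     # 0 rows: no field is literally named that

dbDisconnect(con)
```

The identifier check matters as much as the bound parameter: dbQuoteIdentifier() stops a quote in inp$pnid from breaking out of the table name, but only the allow-list keeps a caller from pointing the query at a table they were never meant to read.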
