1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
|
% Generated by roxygen2: do not edit by hand
% Please edit documentation in R/dbQuoteString.R
\name{dbQuoteString}
\alias{dbQuoteString}
\title{Quote literal strings}
\usage{
dbQuoteString(conn, x, ...)
}
\arguments{
\item{conn}{A \linkS4class{DBIConnection} object, as returned by
\code{\link[=dbConnect]{dbConnect()}}.}
\item{x}{A character vector to quote as string.}
\item{...}{Other arguments passed on to methods.}
}
\value{
\code{dbQuoteString()} returns an object that can be coerced to \link{character},
of the same length as the input.
For an empty character vector this function returns a length-0 object.
When passing the returned object again to \code{dbQuoteString()}
as \code{x}
argument, it is returned unchanged.
Passing objects of class \link{SQL} should also return them unchanged.
(For backends it may be most convenient to return \link{SQL} objects
to achieve this behavior, but this is not required.)
}
\description{
Call this method to generate a string that is suitable for
use in a query as a string literal, to make sure that you
generate valid SQL and protect against SQL injection attacks.
\Sexpr[results=rd,stage=render]{DBI:::methods_as_rd("dbQuoteString")}
}
\section{Failure modes}{
Passing a numeric,
integer,
logical,
or raw vector,
or a list
for the \code{x} argument raises an error.
}
\section{Specification}{
The returned expression can be used in a \verb{SELECT ...} query,
and for any scalar character \code{x} the value of
\code{dbGetQuery(paste0("SELECT ", dbQuoteString(x)))[[1]]}
must be identical to \code{x},
even if \code{x} contains
spaces,
tabs,
quotes (single
or double),
backticks,
or newlines
(in any combination)
or is itself the result of a \code{dbQuoteString()} call coerced back to
character (even repeatedly).
If \code{x} is \code{NA}, the result must merely satisfy \code{\link[=is.na]{is.na()}}.
The strings \code{"NA"} or \code{"NULL"} are not treated specially.
\code{NA} should be translated to an unquoted SQL \code{NULL},
so that the query \verb{SELECT * FROM (SELECT 1) a WHERE ... IS NULL}
returns one row.
}
\examples{
# Quoting ensures that arbitrary input is safe for use in a query
name <- "Robert'); DROP TABLE Students;--"
dbQuoteString(ANSI(), name)
# NAs become NULL
dbQuoteString(ANSI(), c("x", NA))
# SQL vectors are always passed through as is
var_name <- SQL("select")
var_name
dbQuoteString(ANSI(), var_name)
# This mechanism is used to prevent double escaping
dbQuoteString(ANSI(), dbQuoteString(ANSI(), name))
}
\seealso{
Other DBIResult generics:
\code{\link{DBIResult-class}},
\code{\link{dbBind}()},
\code{\link{dbClearResult}()},
\code{\link{dbColumnInfo}()},
\code{\link{dbFetch}()},
\code{\link{dbGetInfo}()},
\code{\link{dbGetRowCount}()},
\code{\link{dbGetRowsAffected}()},
\code{\link{dbGetStatement}()},
\code{\link{dbHasCompleted}()},
\code{\link{dbIsReadOnly}()},
\code{\link{dbIsValid}()},
\code{\link{dbQuoteLiteral}()}
}
\concept{DBIResult generics}
|
