Question

I am bridging R and psql and wish to remove the vulnerability to SQL injection. Looking at the documentation, I had hoped that:

postgresqlExecStatement(con, statement, params, ...)

Would allow use of something like:

postgresqlExecStatement(con, "DELETE FROM foos WHERE id = ? AND baz = ?", c(1, "bar"))

But unfortunately this does not seem to work. Maybe I'm using the wrong symbol for the parameter (something other than ?).

Best compromise I've found is escaping strings via:

postgresqlEscapeStrings(con, string)

(note: the connection is necessary so the function knows how to escape properly).

This means I have to escape every string I use in a paste when putting together my queries. Not so elegant, but it seems the best option. Anyone have other ideas?


Solution

Use

postgresqlExecStatement(con, "DELETE FROM foos WHERE id = $1 AND baz = $2", list(1, "bar"))

I always pass the parameters to be bound as a list, since c() will force them into one mode. You also have to clear the result belonging to con, if this statement succeeds, before you can use the connection again.

Also, please note hadley's comments to use the new package RPostgres.
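A complete sketch of the bound-parameter approach from this answer, added here as an example rather than code from the original post: it wraps postgresqlExecStatement so the result is always cleared, binds an untrusted string that contains a quote, and shows why list() is preferred over c(). The database name and credentials, the foos(id, baz) table, the helper name exec_bound, and the assumption that RPostgreSQL's dbGetQuery forwards params to postgresqlExecStatement are mine, not the answer's.

```r
library(DBI)
library(RPostgreSQL)

# Assumed connection details (placeholders, not from the original post).
con <- dbConnect(PostgreSQL(), dbname = "example_db",
                 user = "app_user", password = "CHANGE_ME")

# Hypothetical helper: run one statement with $1, $2, ... placeholders and
# always release the result, because the connection cannot be reused while
# a result is still pending. Returns the number of rows affected.
exec_bound <- function(con, statement, params) {
  stopifnot(is.list(params))          # a list keeps each value's own type
  res <- postgresqlExecStatement(con, statement, params)
  on.exit(dbClearResult(res), add = TRUE)
  dbGetRowsAffected(res)
}

# Values arriving from outside the program (constructed sample input).
# The apostrophe needs no escaping: it travels as a bound parameter and is
# never spliced into the SQL text, so the server treats it as data only.
untrusted_id  <- 1
untrusted_baz <- "O'Brien"

deleted <- exec_bound(con,
  "DELETE FROM foos WHERE id = $1 AND baz = $2",
  list(untrusted_id, untrusted_baz))
cat("rows deleted:", deleted, "\n")

# Reads work the same way; dbGetQuery forwards params to
# postgresqlExecStatement and clears the result for you.
rows <- dbGetQuery(con,
  "SELECT id, baz FROM foos WHERE baz = $1",
  params = list(untrusted_baz))
print(rows)

# Why list() rather than c(): c() coerces everything to a single mode,
# so c(1, "bar") silently turns the numeric 1 into the string "1".
str(c(1, "bar"))
str(list(1, "bar"))

dbDisconnect(con)
```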

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow