
I have a variable in R that I would like to pass to a database. I could use paste, as many Google results suggest, but that is unsafe because of SQL injection vulnerabilities. I'd prefer something like this:

x <- 42
sqlQuery(db, 'SELECT Id, Name FROM People WHERE Age > ?;', bind=c(x))

Is it possible to use parameterized queries with RODBC? If not, is there an alternative library that supports them?

I'm using SQL Server, RODBC 1.3-6 and R 3.0.0.


Mateusz Zoltak wrote the RODBCext package in 2014 (based on work by Brian Ripley and Michael Lapsley):

library(RODBC)      # provides odbcConnect() and sqlFetchMore()
library(RODBCext)   # provides sqlPrepare() and sqlExecute()

conn = odbcConnect('MyDataSource')

# Prepare the statement once; the '?' placeholder is bound by the driver,
# so the value is never spliced into the SQL text
sqlPrepare(conn, "SELECT * FROM myTable WHERE column = ?")
# Bind the parameter value and execute the prepared statement
sqlExecute(conn, data = 'myValue')
# Fetch the result set of the last execution
sqlFetchMore(conn)

Source: http://cran.r-project.org/web/packages/RODBCext/vignettes/Parameterized_SQL_queries.html
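The asker's `Age > ?` query written with RODBCext, shown beside the unsafe paste version it replaces. This is an added example, not code from the question, the answer or the RODBCext vignette; the DSN name, the People table and its columns, and the sample names are assumptions.

```r
library(RODBC)
library(RODBCext)

# DSN name is an assumption; replace with your own data source
conn <- odbcConnect("MyDataSource")

# Unsafe pattern (for contrast only): the value becomes part of the SQL
# text, so a string input can change what the statement does.
unsafe_people_older_than <- function(conn, min_age) {
  sqlQuery(conn, paste0("SELECT Id, Name FROM People WHERE Age > ", min_age, ";"))
}

# Safe pattern: prepare, bind, execute and fetch in one call. The driver
# binds the value to '?', so quotes or semicolons in it stay plain data.
people_older_than <- function(conn, min_age) {
  sqlExecute(conn,
             "SELECT Id, Name FROM People WHERE Age > ?",
             data  = data.frame(min_age),  # one column per '?', one row per execution
             fetch = TRUE)
}

x <- 42
result <- people_older_than(conn, x)

# The same prepared statement reused for several parameter sets: every row
# of the data frame is one execution, and the server keeps one cached plan.
lookup_by_name <- function(conn, names) {
  sqlPrepare(conn, "SELECT Id, Name, Age FROM People WHERE Name = ?")
  sqlExecute(conn,
             data  = data.frame(Name = names, stringsAsFactors = FALSE),
             fetch = TRUE)
}

# "O'Brien" is constructed sample input: the apostrophe is bound as data
hits <- lookup_by_name(conn, c("Alice", "O'Brien"))

odbcClose(conn)
```

With `fetch = TRUE` and a multi-row data frame, RODBCext returns the combined results of all executions in one data frame.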

Deer Hunter
Yes - this is a better solution. Proper parameterization reduces security issues (SQL Injection) and can improve performance due to cached query plans (only important if the query is executed a lot). As a better software Craftsman pattern - I recommend this kind of solution. – ripvlan Jul 27 '15 at 18:13