Proper way to pass parameters to query in R DBI

Asked 10/5, 2016 at 7:9 Answered 11/5, 2016 at 18:55

In perl/python DBI APIs have a mechanism to safely interpolate in parameters to an sql query. For example in python I would do:

cursor.execute("SELECT * FROM table WHERE value > ?", (5,))

Where the second parameter to the execute method is a tuple of parameters to add into the sql query

Is there a similar mechanism for R's DBI compliant APIs? The examples I've seen never show parameters passed to the query. If not, what is the safest way to interpolate in parameters to a query? I'm specifically looking at using RPostgresSQL.

Grot answered 10/5, 2016 at 7:9 Comment(1)

The latest version of DBI has sqlInterpolate which will safely interpolate variables into a string. – Testudo 10/5, 2016 at 12:37

Just for completeness, I'll add an answer based on Hadley's comment. The DBI package now has the function sqlInterpolate which can also perform this. It requires a list of function arguments to be named in the sql query that all must start with a ?. Excerpt from the DBI manual below

sql <- "SELECT * FROM X WHERE name = ?name"
sqlInterpolate(ANSI(), sql, name = "Hadley")
# This is safe because the single quote has been double escaped
sqlInterpolate(ANSI(), sql, name = "H'); DROP TABLE--;")

Grot answered 11/5, 2016 at 18:55 Comment(5)

What is ANSI() and is it possible to interpolate unsafely (for example, table name as a parameter)? – Podolsk 10/4, 2017 at 9:28

It's a function from the DBI package, where the documentation says that it is "a dummy DBI connector that simulates ANSI-SQL compliance". – Grot 10/4, 2017 at 22:39

I also started a question regarding unsafe interpolation #43385619 – Podolsk 13/4, 2017 at 11:15

how do you run the query generated in sqlInterpolate on the MySQL db? The standard R documentation on sqlInterpolate function is inadequate. – Ament 18/6, 2017 at 5:23

I just wanted to add that you don't need to put quotes around ?name e.g. don't do "?name"...that causes no interpolation to happen, just a debugging tip for anyone that is having trouble – Burdette 20/7, 2017 at 3:46

Indeed the use of bind variables is not really well documented. Anyway the ODBC commands in R work differently for different databases. One possibility for postgres would be like this:

res <- postgresqlExecStatement(con, "SELECT * FROM table WHERE value > $1", c(5))
postgresqlFetch(res)
postgresqlCloseResult(res)

Hope it helps.

Accroach answered 10/5, 2016 at 15:38 Comment(0)

Recommended topics

Hot tags