Call this method to generate a string that is suitable for use in a query as a string literal, to make sure that you generate valid SQL and avoid SQL injection.
Usage:

dbQuoteString(conn, x, ...)

Arguments:

conn: A subclass of DBIConnection, representing an active connection to a DBMS.
x: A character vector to quote as string.
...: Other arguments passed on to methods.
Value:

dbQuoteString() returns an object that can be coerced to character, of the same length as the input. For an empty character vector this function returns a length-0 object.

When passing the returned object again to dbQuoteString() as the x argument, it is returned unchanged. Passing objects of class SQL should also return them unchanged. (For backends it may be most convenient to return SQL objects to achieve this behavior, but this is not required.)
Specification:

The returned expression can be used in a SELECT ... query, and for any scalar character x the value of dbGetQuery(conn, paste0("SELECT ", dbQuoteString(conn, x)))[[1]] must be identical to x, even if x contains spaces, tabs, quotes (single or double), backticks, or newlines (in any combination) or is itself the result of a dbQuoteString() call coerced back to character (even repeatedly). If x is NA, the result must merely satisfy is.na(). The strings "NA" and "NULL" are not treated specially.

NA should be translated to an unquoted SQL NULL, so that the query SELECT * FROM (SELECT 1) a WHERE ... IS NULL returns one row.
Examples:

# Quoting ensures that arbitrary input is safe for use in a query
name <- "Robert'); DROP TABLE Students;--"
dbQuoteString(ANSI(), name)
#> <SQL> 'Robert''); DROP TABLE Students;--'

# NAs become NULL
dbQuoteString(ANSI(), c("x", NA))
#> <SQL> 'x'
#> <SQL> NULL

# SQL vectors are always passed through as is
var_name <- SQL("select")
var_name
#> <SQL> select
dbQuoteString(ANSI(), var_name)
#> <SQL> select

# This mechanism is used to prevent double escaping
dbQuoteString(ANSI(), dbQuoteString(ANSI(), name))
#> <SQL> 'Robert''); DROP TABLE Students;--'
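The following is an added example, not part of the DBI documentation or the DBI package itself. It runs the examples above against a real backend and checks the contract stated in the specification: it contrasts string concatenation with dbQuoteString() on the same attacker-controlled inputs, verifies the SELECT round-trip for awkward characters and for NA, and confirms that quoting twice does not double-escape. It assumes the RSQLite package is installed; the in-memory database, the "students" table, and the helper functions unsafe_query(), safe_query() and check_roundtrip() are constructed here for illustration.

```r
library(DBI)

# Constructed for this example: an in-memory SQLite database with a small table.
# Assumes the RSQLite package is installed.
con <- dbConnect(RSQLite::SQLite(), ":memory:")
dbWriteTable(con, "students",
             data.frame(name = c("Alice", "Robert"), stringsAsFactors = FALSE))

# Attacker-controlled inputs (the first is the page's own example)
drop_payload <- "Robert'); DROP TABLE Students;--"
tautology    <- "' OR '1'='1"

# Unsafe: string concatenation lets the embedded quote terminate the literal,
# so the input changes the structure of the statement.
unsafe_query <- function(con, value) {
  dbGetQuery(con, paste0("SELECT name FROM students WHERE name = '", value, "'"))
}

# Safe: dbQuoteString() doubles embedded quotes and wraps the value in quotes,
# so the input can only ever be compared as a string literal.
safe_query <- function(con, value) {
  dbGetQuery(con, paste0("SELECT name FROM students WHERE name = ",
                         dbQuoteString(con, value)))
}

nrow(unsafe_query(con, tautology))   # 2: the WHERE clause became a tautology
nrow(safe_query(con, tautology))     # 0: no student has that literal name

# The DROP TABLE payload turns the concatenated statement into invalid SQL,
# which shows that the quote broke out of the literal; the quoted form is harmless.
tryCatch(unsafe_query(con, drop_payload),
         error = function(e) message("unsafe query is broken SQL: ",
                                     conditionMessage(e)))
nrow(safe_query(con, drop_payload))  # 0

# Round-trip contract from the specification: SELECT <quoted x> must give back x,
# and an NA input must come back as NA (an unquoted SQL NULL).
check_roundtrip <- function(x, con) {
  got <- dbGetQuery(con, paste0("SELECT ", dbQuoteString(con, x)))[[1]]
  if (is.na(x)) is.na(got) else identical(got, x)
}
inputs <- c("plain", "O'Reilly", "tab\there", "new\nline", "back`tick",
            '"double"', "NULL", NA)
stopifnot(all(vapply(inputs, check_roundtrip, logical(1), con = con)))

# Idempotence: quoting an already-quoted value must not escape it a second time.
once  <- dbQuoteString(con, drop_payload)
twice <- dbQuoteString(con, once)
stopifnot(identical(as.character(once), as.character(twice)))

dbDisconnect(con)
```

The idempotence check works because dbQuoteString() returns an SQL object and passes SQL objects through unchanged; if a backend instead returned a plain character vector, the second call would re-quote it and the stopifnot() would fail, which is exactly the double-escaping the examples above warn about.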