[R] Getting frustrated with RMySQL
Ted Byers
r.ted.byers at gmail.com
Wed Oct 15 00:02:15 CEST 2008
Thanks Jeffrey and Barry,
I like the humour. I didn't know about xkcd.com, but the humour on it is
familiar. I saw little Bobby Tables what seems like eons ago, when I first
started cgi programming.
Anyway, I recognized the risk of an injection attack with this use of
sprint, but in this case, there is no risk because all the data used is
coming from previously sanitized data in our DB, and the parameters in this
case will invariably be integers.
Thanks again
Ted
Jeffrey Horner wrote:
>
> Barry Rowlingson wrote on 10/14/2008 04:40 PM:
>> 2008/10/14 Jeffrey Horner <jeff.horner at vanderbilt.edu>:
>>
>>> I've found the best way to parameterize is using R's sprintf function.
>>> For
>>> instance, the following query not only parameterizes the variable
>>> position,
>>> but also the table name:
>>>
>>> fields <- dbGetQuery(con,sprintf("select field,elem_label from %s_meta
>>> where field='%s'",inp$pnid,inp$field))
>>>
>>
>> And thus a million web SQL injection exploits were born...
>>
>> Even if you do have control over the parameters to the query, you
>> still have to worry about quotes or other nasty escape characters in
>> your string ending up in the SQL. I hope little Bobby Tables isn't a
>> subject in your analysis:
>
> Thank goodness I don't do analysis, as I haven't the schooling. Barry,
> I'm ashamed of you! I was hoping you'd at least offer an alternative.
>>
>> http://xkcd.com/327/
>
> Okay, you are pardoned: I LOVE xkcd! Especially this one:
>
> http://xkcd.com/349/
>
> Best,
>
> Jeff
> --
> http://biostat.mc.vanderbilt.edu/JeffreyHorner
>
> ______________________________________________
> R-help at r-project.org mailing list
> https://stat.ethz.ch/mailman/listinfo/r-help
> PLEASE do read the posting guide
> http://www.R-project.org/posting-guide.html
> and provide commented, minimal, self-contained, reproducible code.
>
>
--
View this message in context: http://www.nabble.com/Getting-frustrated-with-RMySQL-tp19980592p19983073.html
Sent from the R help mailing list archive at Nabble.com.
More information about the R-help
mailing list