[R-sig-DB] Parameterised queries
Hadley Wickham
h@w|ckh@m @end|ng |rom gm@||@com
Wed Feb 11 21:41:01 CET 2015
>> It gives a new attack vector - to introduce additional data into the
>> database, you just need to figure out how to turn a length 1 vector in
>> to a length 2 vector.
>>
>> It's dangerous in the same way that allowing dbGetQuery() to execute
>> multiple queries is dangerous.
>
> I'd rather hope that if it were a case that mattered, the user would not
> rely on the api as a substitute for appropriate checks.
I think the API should be as safe as possible by default, and
sacrificing safety for speed should only be done explicitly when the
user asks for it.
Hadley
--
http://had.co.nz/
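As an added illustration of the "safe by default, opt in for speed" position argued above (example code written for this archive page, not Hadley's or DBI's own), here is a hypothetical wrapper `db_execute_safe()` that refuses to bind any parameter of length other than 1 unless the caller explicitly passes `allow_multiple = TRUE`; it assumes DBI with an in-memory RSQLite database and named `:param` placeholders.

```r
library(DBI)
library(RSQLite)

# Hypothetical wrapper (not part of DBI). By default every parameter must be a
# length-1 vector, so a value that unexpectedly arrives as a length-2 vector
# cannot silently turn one INSERT into two. Binding whole vectors is still
# available, but only when the caller asks for it explicitly.
db_execute_safe <- function(con, sql, params, allow_multiple = FALSE) {
  lens <- vapply(params, length, integer(1))
  labels <- if (is.null(names(params))) seq_along(params) else names(params)
  if (!allow_multiple && any(lens != 1L)) {
    stop(sprintf("parameter(s) %s have length != 1; pass allow_multiple = TRUE to bind vectors",
                 paste(labels[lens != 1L], collapse = ", ")))
  }
  if (allow_multiple && length(unique(lens)) != 1L) {
    stop("all parameters must have the same length when allow_multiple = TRUE")
  }
  dbExecute(con, sql, params = params)   # returns the number of rows affected
}

con <- dbConnect(RSQLite::SQLite(), ":memory:")
dbExecute(con, "CREATE TABLE users (name TEXT, role TEXT)")

# Constructed input: a value that should have been a scalar but is a vector.
untrusted_name <- c("alice", "mallory")

# Default behaviour: the statement is rejected, no row is written.
res <- tryCatch(
  db_execute_safe(con, "INSERT INTO users VALUES (:name, :role)",
                  params = list(name = untrusted_name, role = "user")),
  error = function(e) conditionMessage(e)
)
print(res)
print(dbGetQuery(con, "SELECT count(*) AS n FROM users"))   # n = 0

# Explicit opt-in: each element is bound in turn, one row per element.
affected <- db_execute_safe(con, "INSERT INTO users VALUES (:name, :role)",
                            params = list(name = untrusted_name, role = c("user", "user")),
                            allow_multiple = TRUE)
print(affected)
print(dbGetQuery(con, "SELECT * FROM users"))
dbDisconnect(con)
```

The length check is what the thread is debating: with it, a multi-element vector is an error the caller sees, rather than extra rows the caller never intended.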