[R-sig-DB] Parameterised queries
Tim Keitt
Wed Feb 11 22:05:08 CET 2015
On Wed, Feb 11, 2015 at 2:41 PM, Hadley Wickham <h.wickham using gmail.com> wrote:
> >> It gives a new attack vector - to introduce additional data into the
> >> database, you just need to figure out how to turn a length 1 vector
> >> into a length 2 vector.
> >>
> >> It's dangerous in the same way that allowing dbGetQuery() to execute
> >> multiple queries is dangerous.
> >
> > I'd rather hope that if it were a case that mattered, the user would not
> > rely on the API as a substitute for appropriate checks.
>
> I think the API should be as safe as possible by default, and
> sacrificing safety for speed should only be done explicitly when the
> user asks for it.
>
My use cases are not so sensitive, but I agree with the general idea. Also,
you really do not gain much over regular looping as inserts are really
slow, at least in PostgreSQL.
THK
>
> Hadley
>
> --
> http://had.co.nz/
>
--
http://www.keittlab.org/
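The failure mode the thread describes, modelled in Python with sqlite3 (an added example, not code from the thread or from DBI): `insert_vectorised` stands in for a binding that silently broadcasts a length-2 parameter over two rows, while `insert_one` is the safe-by-default wrapper that rejects vectors unless the caller explicitly opts into `insert_many`. The table, the helper names and the untrusted payload are constructed for the illustration.

```python
import sqlite3
from typing import Any, Sequence, Tuple

# Constructed sample input: the handler expected one username, but the
# untrusted payload decoded to a length-2 vector (the case in the thread).
UNTRUSTED_NAME: Any = ["bob", "mallory"]


def setup_db() -> sqlite3.Connection:
    """Fresh in-memory table used by every scenario below."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT NOT NULL, role TEXT NOT NULL)")
    return con


def insert_vectorised(con: sqlite3.Connection, name: Any, role: str) -> int:
    """Unsafe by default: a list-valued parameter is broadcast over rows,
    mimicking a bind API that vectorises silently. Returns rows inserted."""
    names = list(name) if isinstance(name, (list, tuple)) else [name]
    con.executemany("INSERT INTO users VALUES (?, ?)", [(n, role) for n in names])
    return len(names)


def is_scalar(value: Any) -> bool:
    """Only atomic values may be bound through the single-row path."""
    return isinstance(value, (str, bytes, int, float, type(None)))


def insert_one(con: sqlite3.Connection, name: Any, role: Any) -> int:
    """Safe by default: exactly one row per call; vectors are rejected."""
    if not (is_scalar(name) and is_scalar(role)):
        raise TypeError("scalar parameter required; use insert_many() for batches")
    con.execute("INSERT INTO users VALUES (?, ?)", (name, role))
    return 1


def insert_many(con: sqlite3.Connection, rows: Sequence[Tuple[str, str]]) -> int:
    """Explicit batch path: multi-row inserts only when the caller asks for them."""
    con.executemany("INSERT INTO users VALUES (?, ?)", list(rows))
    return len(rows)


def count_users(con: sqlite3.Connection) -> int:
    return con.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def demo() -> Tuple[int, int, bool, int, int]:
    """Returns (rows slipped in via broadcast, table size after it,
    whether the safe path rejected the vector, table size after explicit batch,
    rows inserted by the explicit batch)."""
    unsafe = setup_db()
    slipped = insert_vectorised(unsafe, UNTRUSTED_NAME, "member")
    safe = setup_db()
    try:
        insert_one(safe, UNTRUSTED_NAME, "member")
        rejected = False
    except TypeError:
        rejected = True
    batched = insert_many(safe, [("carol", "member"), ("dave", "member")])
    return slipped, count_users(unsafe), rejected, count_users(safe), batched
```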