EVOLUTION-MANAGER

Edit File: dbQuoteLiteral.html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>R: Quote literal values</title> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <link rel="stylesheet" type="text/css" href="R.css" /> </head><body> <table width="100%" summary="page for dbQuoteLiteral {DBI}"><tr><td>dbQuoteLiteral {DBI}</td><td style="text-align: right;">R Documentation</td></tr></table> <h2>Quote literal values</h2> <h3>Description</h3> <p>Call these methods to generate a string that is suitable for use in a query as a literal value of the correct type, to make sure that you generate valid SQL and protect against SQL injection attacks. </p> <h3>Usage</h3> <pre> dbQuoteLiteral(conn, x, ...) </pre> <h3>Arguments</h3> <table summary="R argblock"> <tr valign="top"><td><code>conn</code></td> <td> <p>A <a href="DBIConnection-class.html">DBIConnection</a> object, as returned by <code><a href="dbConnect.html">dbConnect()</a></code>.</p> </td></tr> <tr valign="top"><td><code>x</code></td> <td> <p>A vector to quote as string.</p> </td></tr> <tr valign="top"><td><code>...</code></td> <td> <p>Other arguments passed on to methods.</p> </td></tr> </table> <h3>Value</h3> <p><code>dbQuoteLiteral()</code> returns an object that can be coerced to <a href="../../base/html/character.html">character</a>, of the same length as the input. For an empty character vector this function returns a length-0 object. </p> <p>When passing the returned object again to <code>dbQuoteLiteral()</code> as <code>x</code> argument, it is returned unchanged. Passing objects of class <a href="SQL.html">SQL</a> should also return them unchanged. (For backends it may be most convenient to return <a href="SQL.html">SQL</a> objects to achieve this behavior, but this is not required.) </p> <h3>Specification</h3> <p>The returned expression can be used in a <code style="white-space: pre;">SELECT ...</code> query, and the value of <code>dbGetQuery(paste0("SELECT ", dbQuoteLiteral(x)))[[1]]</code> must be equal to <code>x</code> for any scalar integer, numeric, string, and logical. If <code>x</code> is <code>NA</code>, the result must merely satisfy <code><a href="../../base/html/NA.html">is.na()</a></code>. The literals <code>"NA"</code> or <code>"NULL"</code> are not treated specially. </p> <p><code>NA</code> should be translated to an unquoted SQL <code>NULL</code>, so that the query <code style="white-space: pre;">SELECT * FROM (SELECT 1) a WHERE ... IS NULL</code> returns one row. </p> <p>Passing a list for the <code>x</code> argument raises an error. </p> <h3>See Also</h3> <p>Other DBIResult generics: <code><a href="DBIResult-class.html">DBIResult-class</a></code>, <code><a href="dbBind.html">dbBind</a>()</code>, <code><a href="dbClearResult.html">dbClearResult</a>()</code>, <code><a href="dbColumnInfo.html">dbColumnInfo</a>()</code>, <code><a href="dbFetch.html">dbFetch</a>()</code>, <code><a href="dbGetInfo.html">dbGetInfo</a>()</code>, <code><a href="dbGetRowCount.html">dbGetRowCount</a>()</code>, <code><a href="dbGetRowsAffected.html">dbGetRowsAffected</a>()</code>, <code><a href="dbGetStatement.html">dbGetStatement</a>()</code>, <code><a href="dbHasCompleted.html">dbHasCompleted</a>()</code>, <code><a href="dbIsReadOnly.html">dbIsReadOnly</a>()</code>, <code><a href="dbIsValid.html">dbIsValid</a>()</code>, <code><a href="dbQuoteIdentifier.html">dbQuoteIdentifier</a>()</code>, <code><a href="dbQuoteString.html">dbQuoteString</a>()</code>, <code><a href="dbUnquoteIdentifier.html">dbUnquoteIdentifier</a>()</code> </p> <h3>Examples</h3> <pre> # Quoting ensures that arbitrary input is safe for use in a query name &lt;- "Robert'); DROP TABLE Students;--" dbQuoteLiteral(ANSI(), name) # NAs become NULL dbQuoteLiteral(ANSI(), c(1:3, NA)) # Logicals become integers by default dbQuoteLiteral(ANSI(), c(TRUE, FALSE, NA)) # Raw vectors become hex strings by default dbQuoteLiteral(ANSI(), list(as.raw(1:3), NULL)) # SQL vectors are always passed through as is var_name &lt;- SQL("select") var_name dbQuoteLiteral(ANSI(), var_name) # This mechanism is used to prevent double escaping dbQuoteLiteral(ANSI(), dbQuoteLiteral(ANSI(), name)) </pre> <hr /><div style="text-align: center;">[Package <em>DBI</em> version 1.1.0 <a href="00Index.html">Index</a>]</div> </body></html>