Parameterised queries
On Wed, Feb 11, 2015 at 2:41 PM, Hadley Wickham <h.wickham at gmail.com> wrote:
>>> It gives a new attack vector - to introduce additional data into the database, you just need to figure out how to turn a length 1 vector into a length 2 vector. It's dangerous in the same way that allowing dbGetQuery() to execute multiple queries is dangerous.
>>
>> I'd rather hope that if it were a case that mattered, the user would not rely on the API as a substitute for appropriate checks.
>
> I think the API should be as safe as possible by default, and sacrificing safety for speed should only be done explicitly when the user asks for it.

My use cases are not so sensitive, but I agree with the general idea. Also, you really do not gain much over regular looping as inserts are really slow, at least in PostgreSQL.

THK

> Hadley
> --
> http://had.co.nz/

http://www.keittlab.org/
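The length-1 versus length-2 hazard from the thread, as an added example in R that is not part of the original discussion. It assumes current DBI and RSQLite (the `params` argument to `dbExecute()`), and `db_execute_scalar()` is a hypothetical safe-by-default wrapper, not a DBI function.

```r
library(DBI)
library(RSQLite)

# Constructed in-memory database for the demonstration.
con <- dbConnect(RSQLite::SQLite(), ":memory:")
dbExecute(con, "CREATE TABLE users (name TEXT NOT NULL)")

# The hazard: a bound value that was supposed to be a single string has become
# a length-2 vector, so one parameterised INSERT silently runs twice.
new_name <- c("alice", "mallory")   # constructed; should have been one value
dbExecute(con, "INSERT INTO users (name) VALUES (?)", params = list(new_name))
dbGetQuery(con, "SELECT count(*) AS n FROM users")   # n is 2, not 1

# Hypothetical safe-by-default wrapper: every parameter must be a scalar unless
# the caller explicitly opts in to vectorised (multi-row) execution.
db_execute_scalar <- function(con, sql, params, allow_vectorised = FALSE) {
  if (!allow_vectorised) {
    bad <- vapply(params, function(p) length(p) != 1L, logical(1))
    if (any(bad)) {
      stop("parameter(s) ", paste(which(bad), collapse = ", "),
           " must have length 1; set allow_vectorised = TRUE for bulk inserts")
    }
  }
  dbExecute(con, sql, params = params)
}

# Rejected: the length-2 vector never reaches the database.
tryCatch(
  db_execute_scalar(con, "INSERT INTO users (name) VALUES (?)", list(new_name)),
  error = function(e) message("refused: ", conditionMessage(e))
)

# Accepted: a genuine scalar, or an explicit opt-in for a multi-row insert.
db_execute_scalar(con, "INSERT INTO users (name) VALUES (?)", list("bob"))
db_execute_scalar(con, "INSERT INTO users (name) VALUES (?)",
                  list(c("carol", "dave")), allow_vectorised = TRUE)

dbDisconnect(con)
```

The check belongs in the layer that builds queries from untrusted input, since it only constrains how many times a statement runs, not what the values contain.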