Parameterised queries
Hi Hadley and list,
On 11 Feb 2015, at 15:01, Hadley Wickham <h.wickham at gmail.com> wrote:

> As part of my work modernising R's database connectors, I've been working on improving the support for parameterised queries. I'd love to get your feedback on the API I'm proposing. The goal is to encourage people to use parameterised queries instead of pasting together SQL strings because it is much safer (no worries about SQL injection attacks) and somewhat more performant (because the database only needs to parse the query once).
Makes a lot of sense, yes. MonetDB.R has had support for this from day one. Our syntax uses the list of parameters approach, e.g.

dbSendUpdate(conn, "INSERT INTO sometable (a) VALUES (?)", "foobar")

Of course, the parameter can be a vector, in which case the query is executed multiple times. Generally, I would be in favour of the "list of params" approach.

Also, please note that "bind by name" is not supported by all databases. Sticking to position-only parameter binding using ? would be most compatible (also used in JDBC for example).

Best,
Hannes
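Added illustration, not part of the thread and not MonetDB.R or DBI code: the same contrast in Python's sqlite3 (used because it runs stand-alone; the R API under discussion is not shown on the page). It shows why a value spliced into the SQL text is parsed as SQL while a positional `?` parameter is stored as data, and how a vector of values runs the statement once per element. The table, the "O'Brien" value and the helper names are constructed for the example.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the "sometable" of the thread.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sometable (a TEXT)")
    return conn


def insert_pasted(conn, value):
    """The approach the thread discourages: the value is pasted into the SQL text."""
    sql = f"INSERT INTO sometable (a) VALUES ('{value}')"
    try:
        conn.execute(sql)
        conn.commit()
        return "ok"
    except sqlite3.OperationalError as err:
        # A quote inside the value is read as SQL syntax, not as data:
        # the statement no longer means what the caller intended.
        return f"error: {err}"


def insert_bound(conn, values):
    """Position-only '?' binding. A vector of values executes the statement once
    per element, mirroring dbSendUpdate(conn, "... VALUES (?)", x) in MonetDB.R."""
    conn.executemany("INSERT INTO sometable (a) VALUES (?)", [(v,) for v in values])
    conn.commit()
    return len(values)


def stored(conn):
    # Read back what actually landed in the table, in insertion order.
    return [row[0] for row in conn.execute("SELECT a FROM sometable ORDER BY rowid")]


if __name__ == "__main__":
    db = make_db()
    print(insert_pasted(db, "O'Brien"))        # error: ... (apostrophe breaks the SQL)
    print(insert_bound(db, ["O'Brien", "x"]))  # 2 (two executions, values kept verbatim)
    print(stored(db))                           # ["O'Brien", "x"]
```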