Bobby Tables: A guide to preventing SQL injection
> R

R =

R has separate interfaces for different databases, with different capabilities for each. RSQLite supports parameterized.

con <- dbConnect(SQLite(), ":memory:")
# Use dbSendPreparedQuery/dbGetPreparedQuery for "prepared" queries
dbGetPreparedQuery(con, "SELECT * FROM arrests WHERE Murder < ?",
    data.frame(x = 3))
dbDisconnect(con)

But other interfaces, such as RMySQL do not allow parameterizations.

The database drivers for R are in process of being brought together under DBI, so it is possible this will change in the future.

This site's content is available under the Creative Commons Attribution-ShareAlike 3.0 License.