Call this method to generate a string that is suitable for
use in a query as a column or table name, to make sure that you
generate valid SQL and protect against SQL injection attacks. The inverse
This documentation page describes the generics. Refer to the documentation pages linked below for the documentation for the methods that are implemented in various backend packages.
dbQuoteIdentifier(conn, x, ...)
dbQuoteIdentifier() returns an object that can be coerced to character,
of the same length as the input.
For an empty character vector this function returns a length-0 object.
The names of the input argument are preserved in the output.
When passing the returned object again to
argument, it is returned unchanged. Passing objects of class SQL should also return them unchanged. (For backends it may be most convenient to return SQL objects to achieve this behavior, but this is not required.)
An error is raised if the input contains
but not for an empty string.
dbGetQuery() for a query of the format
SELECT 1 AS ...
returns a data frame with the identifier, unquoted, as column name.
Quoted identifiers can be used as table and column names in SQL queries,
in particular in queries like
SELECT 1 AS ...
SELECT * FROM (SELECT 1) ....
The method must use a quoting mechanism that is unambiguously different
from the quoting mechanism used for strings, so that a query like
SELECT ... FROM (SELECT 1 AS ...)
throws an error if the column names do not match.
The method can quote column names that
contain special characters such as a space,
or quotes used to mark strings
if the database supports this.
In any case, checking the validity of the identifier
should be performed only when executing a query,
and not by
# Quoting ensures that arbitrary input is safe for use in a query name <- "Robert'); DROP TABLE Students;--" dbQuoteIdentifier(ANSI(), name) #> <SQL> "Robert'); DROP TABLE Students;--" # Use Id() to specify other components such as the schema id_name <- Id(schema = "schema_name", table = "table_name") id_name #> <Id> "schema_name"."table_name" dbQuoteIdentifier(ANSI(), id_name) #> <SQL> "schema_name"."table_name" # SQL vectors are always passed through as is var_name <- SQL("select") var_name #> <SQL> select dbQuoteIdentifier(ANSI(), var_name) #> <SQL> select # This mechanism is used to prevent double escaping dbQuoteIdentifier(ANSI(), dbQuoteIdentifier(ANSI(), name)) #> <SQL> "Robert'); DROP TABLE Students;--"