In R’s DBI package, I’m not finding a facility for using bound variables. I did find a document (the original vignette from 2002) that says about bound variables, “Perhaps the DBI could at some point in the future implement this feature”, but it looks like so far that’s left undone.
What do people in R use for a substitute? Just concatenate strings right into the SQL? That’s got some obvious problems for safety & performance.
EDIT:
Here’s an example of how placeholders could work:
    query <- "SELECT numlegs FROM animals WHERE color=?"
    result <- dbGetQuery(caseinfo, query, bind="green")
That’s not a very well-thought-out interface, but the idea is that you can use a value for bind and the driver handles the details of escaping (if the underlying API doesn’t handle bound variables natively) without the caller having to reimplement it [badly].
For anyone coming to this question like I just did after googling for RSQLite and dbGetPreparedQuery, it seems that in the latest version of RSQLite you can run a SELECT query with bind variables. I just ran the following:
This was relatively fast (selecting 2,000 rows out of a 450,000 row table) and is incredibly useful.
FYI.
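The following is an added example written for this page, not code from the question, the answer, or the DBI/RSQLite projects. It shows the placeholder interface the question sketches and the bound-variable SELECT the answer refers to, using the `params` argument that current DBI and RSQLite accept on dbGetQuery() and dbBind() (the older dbGetPreparedQuery() is deprecated), with sqlInterpolate() as the fallback for a backend that cannot bind natively. The `animals` table, its rows, and the injection string are constructed here for illustration; the table name and column names are taken from the question.

```r
# Added example, not from the question or answer above. Assumes a current
# DBI + RSQLite where dbGetQuery()/dbBind() accept `params`.
library(DBI)
library(RSQLite)

con <- dbConnect(RSQLite::SQLite(), ":memory:")

# Constructed sample data matching the question's example query.
animals <- data.frame(
  name    = c("frog", "cat", "snake", "parrot"),
  color   = c("green", "black", "green", "green"),
  numlegs = c(4L, 4L, 0L, 2L),
  stringsAsFactors = FALSE
)
dbWriteTable(con, "animals", animals)

# Unsafe: the value is pasted into the SQL text, so a quote character in
# the input changes the structure of the statement.
unsafe_query <- function(con, color) {
  sql <- paste0("SELECT numlegs FROM animals WHERE color='", color, "'")
  dbGetQuery(con, sql)
}

# Safe: a `?` placeholder and a bound value. The driver sends the value
# separately from the SQL, so it is only ever compared as data.
safe_query <- function(con, color) {
  dbGetQuery(con, "SELECT numlegs FROM animals WHERE color = ?",
             params = list(color))
}

# Constructed hostile input: a quote that closes the literal early.
malicious <- "green' OR '1'='1"

print(unsafe_query(con, "green"))
print(unsafe_query(con, malicious))   # WHERE clause is rewritten by the input
print(safe_query(con, "green"))
print(safe_query(con, malicious))     # compared literally, as one string

# One prepared statement, bound repeatedly: cheaper than re-parsing the
# SQL for every value and still safe against quoting problems.
rs <- dbSendQuery(con, "SELECT name FROM animals WHERE color = ?")
for (col in c("green", "black")) {
  dbBind(rs, list(col))
  print(dbFetch(rs))
}
dbClearResult(rs)

# Fallback when a backend has no native binding: let DBI escape the value
# with the connection's own quoting rules instead of hand-rolling it.
print(sqlInterpolate(con, "SELECT numlegs FROM animals WHERE color = ?color",
                     color = malicious))

dbDisconnect(con)
```

Run it and compare the two calls with `malicious`: the concatenated version's WHERE clause is widened by the injected `OR`, while the bound version matches only a row whose color is literally `green' OR '1'='1`, i.e. nothing. The sqlInterpolate() output shows the escaped form that would be sent if binding were unavailable.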