We’re building a web form which will allow (trusted) users to input their own

Question

Asked: June 18, 20262026-06-18T11:31:55+00:00 2026-06-18T11:31:55+00:00

We’re building a web form which will allow (trusted) users to input their own R queries. They will be doing stats analysis against a database.

Questions:

How dangerous is this, in its basic form? I’m new to R, so – what’s the worst they could do? (Assume the database connection is unprivileged).
Is there an easy way to sanitise the input, to remove the biggest risks?
Is it possible to sanitise inputs to the point that we could open this up to the public? We couldn’t risk DOS attacks, for instance.

You must login to add an answer.

Need An Account,

Editorial Team · Answer 1 · 2026-06-18T11:31:57+00:00

Combining comments above, plus messages from the mailing list thread pointed to by Josh O’Brien.

Very. An unprotected R query can do anything that its process can do, via the system() function.
From the list, grepping queries for ‘system’ and ‘eval’ is helpful (but can be readily circumvented by experienced R programmers). sandboxR takes this a step further, adding additional security. But experts on the list claim to be able to readily circumvent even this.
So far, it’s looking like no. Perhaps it could be done through whitelisting instead (ie, provide a list of functions that are ok, and block everything else).

The Archive Base Latest Questions