Web Application Development with R Using Shiny


Paperback, 3rd edition, published September 2018, 238 pages, ISBN-13 9781788993128
Authors: Chris Beeley, Shitalkumar R. Sukhdeve
Table of Contents (11 chapters)

Preface
1. Beginning R and Shiny
2. Shiny First Steps
3. Integrating Shiny with HTML
4. Mastering Shiny's UI Functions
5. Easy JavaScript and Custom JavaScript Functions
6. Dashboards
7. Power Shiny
8. Code Patterns in Shiny Applications
9. Persistent Storage and Sharing Shiny Applications
10. Other Books You May Enjoy

SQL Injection

SQL injection is an attack in which SQL fragments are smuggled in through the URL or other inputs of the application. Such queries execute on the DBMS without the attacker having legitimate access to it. The attack is possible wherever user-controlled values find a path into the query text. Let's see some code to understand it better:

dbGetQuery(conn, paste0("SELECT * FROM City LIMIT ", input$nrows, ";"))

As we can see in the preceding code, input$nrows has been pasted directly into the query. If an attacker controls input$nrows, they can inject any SQL statement through it. In this case, the solution is to prevent an attacker from passing vectors or non-numeric text. So, the code can be modified as follows:

dbGetQuery(conn, paste0("SELECT * FROM City LIMIT ", as.integer(input$nrows)[1], ";"))

The input is converted into an integer first. So, if an attacker puts some SQL into it, it...
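The following is an added example, not code from the book: it runs the chapter's vulnerable pattern, the as.integer() fix, and a parameterised query side by side against a constructed in-memory SQLite table (RSQLite and DBI are assumed to be installed). The City table, the column names, and the three sample inputs standing in for input$nrows are all constructed for the demonstration. The parameterised variant goes one step beyond the chapter: the driver binds the value separately, so the input never becomes part of the SQL text at all.

```r
# Added example (not from the book): the chapter's vulnerable pattern, its
# as.integer() fix, and a parameterised query, run against a constructed
# in-memory SQLite table so everything works offline.
library(DBI)
library(RSQLite)

# Constructed stand-in for the chapter's City table
conn <- dbConnect(RSQLite::SQLite(), ":memory:")
dbWriteTable(conn, "City", data.frame(
  Name = c("Paris", "Lima", "Oslo"),
  Population = c(2148000L, 9752000L, 697000L),
  stringsAsFactors = FALSE
))

# Vulnerable: the input is pasted straight into the statement, so whatever
# the client sends becomes part of the SQL text. paste0() is vectorised,
# so a vector input silently yields several statements. This function only
# builds the text; it never executes it.
unsafe_statement <- function(nrows) {
  paste0("SELECT * FROM City LIMIT ", nrows, ";")
}

# The chapter's fix with the NA case handled: as.integer() turns anything
# that is not a number into NA, and [1] collapses a vector to one value.
coerced_query <- function(conn, nrows) {
  n <- suppressWarnings(as.integer(nrows)[1])
  if (is.na(n) || n < 0) stop("nrows must be a non-negative whole number")
  dbGetQuery(conn, paste0("SELECT * FROM City LIMIT ", n, ";"))
}

# Parameterised alternative: the value is bound by the driver and never
# becomes part of the SQL text, so no input can be interpreted as SQL.
param_query <- function(conn, nrows) {
  n <- suppressWarnings(as.integer(nrows)[1])
  if (is.na(n) || n < 0) stop("nrows must be a non-negative whole number")
  dbGetQuery(conn, "SELECT * FROM City LIMIT ?;", params = list(n))
}

# Constructed inputs standing in for input$nrows from a Shiny session
honest   <- "2"
vector   <- c("1", "2")     # a vector where a single value was expected
tampered <- "1; SELECT 1"   # text that is not a whole number

# The statements the vulnerable version would hand to the database
print(unsafe_statement(honest))    # one statement
print(unsafe_statement(vector))    # two statements, one per element
print(unsafe_statement(tampered))  # extra SQL appended to the statement

# The hardened versions return two rows for honest input and refuse the rest
print(coerced_query(conn, honest))
print(param_query(conn, honest))
print(nrow(coerced_query(conn, vector)))   # 1: only the first element is used
print(tryCatch(coerced_query(conn, tampered),
               error = function(e) conditionMessage(e)))
print(tryCatch(param_query(conn, tampered),
               error = function(e) conditionMessage(e)))

dbDisconnect(conn)
```

The explicit NA check matters because as.integer() alone would turn non-numeric input into "LIMIT NA", which is still a malformed query rather than a rejected request; the parameterised form is the one to prefer whenever the value is anything other than a bare integer.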
