Skip to contents

Create a SQL query tool

Source: R/tool-query-sql.R
query_sql_tool.Rd

Returns a securer::securer_tool() that queries database tables via a structured interface with parameterized queries. No raw SQL is accepted – this makes SQL injection structurally impossible.

Usage

query_sql_tool(conn, allowed_tables, max_rows = 1000, max_calls = NULL)

Arguments

conn

A DBI connection object.

allowed_tables

Character vector of table names the tool can query.

max_rows

Maximum rows returned. Default 1000.

max_calls

Maximum invocations. NULL means unlimited.

Value

A securer_tool object.

Details

Security constraints:

  • Structured SELECT only: The tool constructs SELECT queries from structured arguments. No raw SQL is accepted, making SQL injection structurally impossible.

  • Parameterized filters: Filter values are passed as query parameters, never interpolated into SQL strings.

  • Identifier quoting: Table and column names are quoted with DBI::dbQuoteIdentifier() after passing allow-list validation, providing defense in depth.

  • Table allow-list: Only tables listed in allowed_tables can be queried.

See also

securer_tool

Other tool factories: calculator_tool(), data_profile_tool(), fetch_url_tool(), plot_tool(), r_help_tool(), read_file_tool(), write_file_tool()

Examples

# \donttest{
tool <- query_sql_tool(
  conn = DBI::dbConnect(RSQLite::SQLite(), ":memory:"),
  allowed_tables = c("customers", "orders"),
  max_rows = 500
)
# }