Create a SQL query tool

Returns a securer::securer_tool() that queries database tables via a structured interface with parameterized queries. No raw SQL is accepted – this makes SQL injection structurally impossible.

Usage

tool_query_sql(conn, allowed_tables, max_rows = 1000, max_calls = NULL)

query_sql_tool(...)

Arguments

conn

A DBI connection object.

allowed_tables

Character vector of table names the tool can query.

max_rows

Maximum rows returned. Default 1000.

max_calls

Maximum invocations. NULL means unlimited.

...

Arguments passed to tool_query_sql().

Value

A securer_tool object.

Details

Security constraints:

• Structured SELECT only: The tool constructs SELECT queries from structured arguments. No raw SQL is accepted, making SQL injection structurally impossible.

• Parameterized filters: Filter values are passed as query parameters, never interpolated into SQL strings.

• Identifier quoting: Table and column names are quoted with DBI::dbQuoteIdentifier() after passing allow-list validation, providing defense in depth.

• Table allow-list: Only tables listed in allowed_tables can be queried.

See also

securer_tool

Other tool factories: tool_calculator(), tool_data_profile(), tool_fetch_url(), tool_plot(), tool_r_help(), tool_read_file(), tool_write_file()

Examples

# \donttest{
tool <- tool_query_sql(
  conn = DBI::dbConnect(RSQLite::SQLite(), ":memory:"),
  allowed_tables = c("customers", "orders"),
  max_rows = 500
)
# }