[R] Accessing R applications from Web
Elio Mineo
mineoeli at unipa.it
Fri Apr 20 13:08:01 CEST 2007
On Thu, 19/04/2007 at 11.43 -0500, hadley wickham wrote:
> > I learned to do this by studying Alfredo Pontillo and Angelo Mineo's
> > R-php (http://dssm.unipa.it/R-php). Specifically, look at the file
> > pages/result/index.php. They have done lots of other good stuff in
> > their project, like filtering dangerous commands - you would not want
> > to let a user just type in any R code, because they could seriously
> > damage your server.
>
> This is incredibly hard to do with any programming language, and with
> R in particular, as there are so many different ways of accessing a
> function.
>
Yes, it is really hard.
> For example, try running the following on their demo site:
>
> a <- get(paste("sys", "tem", sep=""))
> a("ls /")
>
> vs
>
> system <- 5
> print(system)
>
> Not to mention the fact that the security check is only performed in
> javascript, so could be trivially removed by turning off javascript or
> performing the post directly.
>
If you turn off javascript, R-php doesn't work.
> Hadley
>
Elio
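
Added example (not part of the original messages and not R-php's code): a sketch of why matching forbidden names in the submitted text fails in both directions on the two snippets quoted above, next to a check that fails closed by accepting only calls to listed names. The lists `DENY` and `ALLOW` and both function names are assumptions, and the call scanner is a simplification of R syntax, not a sandbox.

```javascript
// Hypothetical lists for illustration; not R-php's actual filter.
const DENY = ["system", "file", "unlink", "shell"];
const ALLOW = new Set(["print", "paste", "c", "mean", "sum", "summary"]);

// The two snippets from the thread, embedded as sample input.
const INDIRECT = 'a <- get(paste("sys", "tem", sep=""))\na("ls /")';
const BENIGN = "system <- 5\nprint(system)";

// Denylist: reject if a forbidden name appears as a word in the text.
function denylistRejects(code) {
  return DENY.some((name) => new RegExp(`\\b${name}\\b`).test(code));
}

// Allowlist: every "(" must follow an allowlisted name or be plain
// grouping after an operator. Anything else (an unknown name, a call on
// a computed value, a quoted or backticked name) is reported.
// Returns the reasons for rejection; an empty array means accepted.
function allowlistViolations(code) {
  const problems = [];
  for (let i = 0; i < code.length; i++) {
    if (code[i] !== "(") continue;
    const before = code.slice(0, i).trimEnd();
    const ident = before.match(/[A-Za-z._][A-Za-z0-9._]*$/);
    if (ident) {
      if (!ALLOW.has(ident[0])) problems.push(`call to '${ident[0]}'`);
    } else if (before !== "" && !/[-+*\/^=<>,({;!&|~:]$/.test(before)) {
      problems.push(`computed call at offset ${i}`);
    }
  }
  return problems;
}

// This check only means something when it runs on the server, on the
// request body actually received, not in the browser that sends it.
for (const [label, code] of [["indirect", INDIRECT], ["benign", BENIGN]]) {
  console.log(label, {
    denylistRejects: denylistRejects(code),
    allowlistViolations: allowlistViolations(code),
  });
}
```

The denylist accepts the indirect call and rejects the harmless assignment; the allowlist does the opposite, at the cost of also rejecting control flow and any function not listed.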