Hack the Proton. A data-crunching game from the Beta and Bit series

I’ve prepared a short console-based data-driven R game named ,,The Proton Game’’. The goal of a player is to infiltrate Slawomir Pietraszko’s account on a Proton server. To do this, you have to solve four data-based puzzles.

The game can be played by beginners as well as heavy users of R. Survey completed by people who completed the beta version of this game shows that the game gives around 15 minutes of fun to people experienced in R and up to around 60 minutes to people that just start programming and using R. More details about the results from beta-version are presented on the plot on the bottom.


Czytaj dalej Hack the Proton. A data-crunching game from the Beta and Bit series

R in Insurance – the November meetup of the Warsaw R User Group

Inspired by the conference held in Amsterdam „R in Insurance”, we would like to dedicate the November meetup of Warsaw R Users Group to Insurance. The presentations will cover the practical aspects of insurance and more specifically the applications of R in insurance.
Join us on Thursday, November 26, 2015, 6:00 PM, Koszykowa 75, Warsaw, Room 329 MINI PW. Meetup will be in English.

18.00-18.05 Welcome
18.05-18.40 „Experience vs. Data” Markus Gesmann (Lloyd’s, London)
18.40-19.00 Pizza break
19.00-19.35 „Non life insurance in R” Emilia Kalarus (Triple A – Risk Finance)
19.35-20.10 „Stochastic mortality modelling” Adam Wróbel (NN)
20.15 – Afterparty

This time our agenda is quite tight, since we have 3 very interesting presentations. We invite R programmers, data analysts as well as actuaries and risk professionals.

Czytaj dalej R in Insurance – the November meetup of the Warsaw R User Group

Warsaw R-Users Group Meeting #12


After summer holidays we are back with two talks:
6pm-6:30 – Adolfo Álvarez PhD
,,5 lessons I have learned at Analyx”.
7pm-7:30 – Piotr Migdał, PhD
,,Jupyter – the environment for learning and doing data analysis’’.

See you tomorrow (22/10/2015) at 6 pm, Department of Mathematics, Warsaw University of Technology, Koszykowa 75 room 329.
You will find more details here (meetup).
You will find more materials here (github).

Warsaw Meetings of R Users / Warszawskie Spotkania Entuzjastów R


With the summer holiday season coming to an end, we are back with Warsaw Meetings of R Users (Warszawskie Spotkania Entuzjastów R).

Three meetings ahead:

  • September 26 th (this Saturday) – let’s start with data-hack-day (DHD). Having data from Polish Seym (votes and transcripts), we are going to prepare some nice summaries of last cadency. Elections ahead, it is a good time for such statistics. MaszPrawoWiedzieć will support us in this effort. Be prepared for a lot of data cleaning and nice data exploration.
  • October 22 nd (Thursday), we will be talking about R and education. Two excellent speakers in the roster: Adolfo Álvarez (Advanced Customer Analyst at Analyx) and dr hab. Michał Ramsza (SGH).
  • November 26 th (Thursday). Topic for this meeting is ,,R in insurance’’. One of our special guest: Markus Gesmann (Lloyd’s, London). More to come.

You will find more information on our meetup page: http://www.meetup.com/Spotkania-Entuzjastow-R-Warsaw-R-Users-Group-Meetup/.

Thanks go to our partners and sponsors: Revolution Analytix/Microsoft, MINI PW, WLOG Solutions and SmarterPoland.

Incredible Adventures of Beta and Bit

I am working on a project that introduces data-driven reasoning (and of course R) to secondary schools conveyed by the fictional adventures of two teenagers, Beta and Bit.

Beta is a level-headed girl who has a passion for maths, logic and the art of deduction.
Bit is a hot-headed hacker and self-educated robotic engineer.

The first story from the series, called Pietraszko’ Cave, is available at this website (in English, Polish and Russian).

In the series, in each story strange adventures introduce Beta and Bit to concepts like: randomness, probability distributions, correlation, linear regression, hypothesis testing or some tools used by data analysts (so called data scientists nowadays).

Czytaj dalej Incredible Adventures of Beta and Bit

Interview with SERATRON – Lego EV3 robot driven by R


Next meeting of Warsaw R Enthusiasts (SER = Spotkania Entuzjastów R) will take place on December 8. We are going to start with Roger Bivand talk about spatial statistics (R Foundation / NHH, author of many R packages). The second talk, by Bartosz Meglicki (IPI PAN), will introduce the SERATRON – fusion of R and Lego Mindstorms.

Below we publish an exclusive SER interview with SERATRON (we are sorry but SERATRON is a naughty one):

SER: Hi, could you introduce yourself?
SERATRON: I am a robot coded in pure R with ev3dev.R bindings. The bindings run on ev3dev linux distribution. The operating system runs on Lego EV3 hardware. We are all under heavy development.

Czytaj dalej Interview with SERATRON – Lego EV3 robot driven by R

Variability of weather forecasts

Screen Shot 2014-11-02 at 20.30.19

Have you wondered how stable are weather forecasts?

curiosity + R = fun,

let’s do a little test.

I’ve used a function getWeatherForecast {SmarterPoland} (github release) to download weather forecasts from the Dark Sky API. Hourly forecasts are downloaded every 10 minutes and stored in this repository based on archivist package (it’s easier to manage larger collection of objects). Having a bundle of forecasts I’ve plot them with the use of ggplot2 package and create an animation with the use of animation package.

And here it is (if you do not see the move above, click here).
Short movie with evolution of temperature forecast for The All Saints’ day in Warsaw.
Red curve – current forecast, grey curves – old forecasts, blue curve – history.

It’s funny that colder forecasts for first evening go with warmer forecasts of next morning.
And changes in weather forecasts are not that smooth as I’ve expected.

Lazy load with archivist

Version 1.1 of the archivist package reached CRAN few days ago.
This package supports operations on disk based repository of R objects. It makes the storing, restoring and searching for an R objects easy (searching with the use of meta information). Want to share your object with article reviewers or collaborators? This package should help.
We’ve created some vignettes to present core use-cases. Here is one of them.

Lazy load with archivist

by Marcin Kosiński

Too big .Rdata file causing problems? Interested in few objects from a huge .Rdata file? Regular load() into Global Environment takes too long or crashes R session? Want to load or copy an object with unknown name? Maintaing environment with thousands of objects became perplexing and troublesome?

If stacked with any of the above applies, this use case is a must read for you.

The archivist package is a great solution that helps administer, archive and restore your artifacts created in R package.

Combining archivist and lazy load may be miraculous

If your .RData file is too big and you do not need or do not want to load the whole of it, you can simply convert the .RData file into a lazy-load database which serializes each entry separately and creates an index. The nice thing is that the loading will be on-demand.

Loading the database then only loads the index but not the contents. The contents are loaded as they are used.

Now you can create your own local archivist-like Repository which will make maintainig artifacts as easy as possible.

Then objects from the Huge.RData file may be archived into Repository created in DIRectory directory. The attribute tags (see Tags) specified as realName is added to every artifact before the saveToRepo() call, in order to remember its name in the Repository.

Now if you are interested in a specific artifact but the only thing you remember about it is its class was data.frame and its name started with letters ir then it is possible to search for that artifact using the searchInLocalRepo() function.

As a result we got md5hashes of artifacts which class was data.frame (hashes1) and md5hashes of artifacts which names (stored in tag named realName) starts with ir. Now we can proceed with an intersection on those two vectors of characters.

After we got one md5hash corresponding to the artfiact we are interested in, we can load it using the loadFromLocalRepo() function.

One can always check the realName tag of that artifact with the getTagsLocal() function.

If only specific artifacts from previously created Repository in DIRectory directory are needed in future, they may be copied to a new Repository in new directory. New, smaller Repository will use less memory and may be easier to send to contributors when working in groups. Here is an example of copying artifacts only from selected classes. Because DIRectory2 directory did not exist, the parameter force=TRUE was needed to force creating empty Repository. Vector hashesR contains md5hashes or artifacts that are related to other artifacts, which mean they are datasets used to compute other artifacts. The special parameter fixed = TRUE specifies to search in tags that start with letters relation.

You can even tar your Repository with tarLocalRepo() function and send it to anybody you want.

You can check the summary of Repository using the summaryLocalRepo() function. As you can see, some of the coxph artifacts have an addtional class. There are also 8 datasets. Those are artifacts needed to compute other artifacts and archived additionaly in the saveToRepo() call with default parameter archiveData = TRUE.

When Repository is no longer necessary we may simply delete it with deleteRepo() function.

Parameterized SQL queries

Mateusz Żółtak asked me to spread the word about his new R package for parameterized SQL queries. Below you can find the copy of package vignette. If you work with SQL in R you may find it useful.

The package RODBCext is an extension of the RODBC database connectivity package. It provides support for parameterized queries. This document describes what parameterized queries are and when they should be used. In addition some examples of ROBDCext usage are shown.

It is assumed that you already know the RODBC package and the basics of SQL and ODBC. If not, please read about them first, e.g. see the ODBC Connectivity vignette of the RODBC package.

1 What are parameterized queries for?

Parameterized queries (also known as prepared statements) are a technique of query execution which separates a query string from query parameters values. There are two main reasons for using this technique:

  • avoiding SQL injections,
  • speeding up query execution in some scenarios.

Both are discussed below.

2 SQL injections

SQL injection is an attack against your code which uses SQL queries. Malicious query parameter values are passed in order to modify and execute a query. If you use SQL data sources, it is highly likely that sooner or later your R code will experience a problem similar to an SQL injection (or an SQL injection itself). Consider the following:

  • Even data from trusted data sources (even SQL ones) can cause problems in SQL queries if use improper programming techniques.
  • Are you sure that your data came from a really trusted source?
  • All Shiny applications which process data from SQL data sources can be a target of an SQL injection attack.

2.1 Example – an apostrophe sign in data

Let us begin with a simple example illustrating how your own data can lead to problems similar to a SQL injections attack.

Imagine a simple SQL database with a table called cakes:

cake price
Chocolate cake 10
Strawberry cupcake 3
Kevin’s Cherry Tart 12.3

We receive a CSV data file containing the same database but with new prices. You are asked to update the database. So you write your R code as below:

Such a code will fail on a Kevin’s Cherry Tart because this name contains an apostrophe. The resulting query would be UPDATE cakes SET price = 12.3 WHERE cake = 'Kevin's Cherry Tart'; which is not a proper SQL query. To deal with the Kevin’s Cherry Tart we need to escape the apostrophe in the cake’s name so that the database knows that it doesn’t denote the end of the string value.

2.2 Example – simple SQL injection

There is a nice XKCD about that – see here. Let’s translate it into an example in R.

We have got a database of students with a table students

last_name first_name
Smith John
Lee Andrew
Wilson Linda

A new school year has begun and new students have come. We have just received a CSV file with the same structure as the table students and we are asked to add it to the database. So we prepare a simple script:

Unfortunately one of our new students’ name is:

last_name first_name
Smith Robert’); DROP TABLE students; –

For this student our query would be:

These are in fact two SQL queries and one SQL comment:

  • INSERT INTO students (last_name, first_name) VALUES ('Smith', 'Robert');
  • DROP TABLE students;
  • --')

Execution of such a query can lead to a serious data loss (hopefully we have made a backup copy or do not have sufficient rights to drop the students table). To avoid such problems we should properly escape parameters values in our SQL queries.

2.3 How to escape values in SQL queries?

At this point we already know that we should properly escape parameters values in our SQL queries. There are many techniques of doing that:

  • Manually checking the data types.
  • Using parameterized queries.
  • Using high-level functions which escape values for us.

2.3.1 Manually checking data types

You can escape your data manually, e.g.

  • cast numeric columns to numbers using as.numeric(column) or sprintf(“%d %f”, integerColumn, realColumn),
  • cast dates using as.character(as.Date(column)),
  • escape strings using gsub(“‘“,”’’”, column),
  • etc.

This is possible but is also very error prone, especially when escaping string values. Everyone knows that apostrophes have to be escaped, but:

  • Different database systems may use different escape sequences (e.g. C-style with a backslash or repeat-style a with double apostrophe).
  • our database system may handle HTML/XML entities or inserting characters by a Unicode value (or many, many other strange ways of data input), so e.g. my’value or my\U0027value will be converted into my’value and then lead to errors in your query.

It is almost impossible to remember all caveats by yourself, so it is strongly advised not to use this method.

2.3.2 Using parameterized queries

Another solution is to separate the query string from its parameters (data). In such case a query execution is divided into two steps:

  • query parsing and planing,
  • passing parameter values to query and query execution.

As query parameters are passed separately, parameter values cannot modify (and break) the query string. To indicate places in the query where parameters will be placed, a special character is used, typically a question mark.

Let us rewrite our cakes example using the sqlExecute(connHandle, queryString, data) function from the RODBCext package:

We replaced the parameter values in query with a question mark and passed query and data as separate function parameters. We made our code not only SQL injection resistant, but also easier to read.

Moreover, the function function sqlExecute() supports vectorized data, so we can make it even simpler:

2.3.3 Using high-level functions which deal with escaping values for us

This would be the most straightforward solution.

An excellent example is dplyr, which provides a complete R to SQL mapper and allows us to completely forget about the SQL. Another example are the sqlSave(), sqlUpdate(), sqlCopy() and sqlCopyTable() functions from the RODBC package which deal with escaping values for us.

The problem is that: * Dplyr escapes values rather naively. With respect to strings only simple ‘to’’ escaping is performed which is enough to prevent silly errors but will fail against more advanced SQL injections. * RODBC’s high-level functions escape values in a safe way (by internally using parameterized queries), but have very limited functionality. Interestingly, judging from the comments in the source code, the parameterized queries have been introduced to them not to make them safe but to improve speed.

2.4 Summary

When using SQL we must pay attention to escape query parameter values properly. The existing R database connectivity packages do not provide a completely reliable way of doing that. A set of SQL injections safe functions provides very limited functionality and more flexible functions are using naive escaping methods. That is why RODBCext is a preferred way to make your R code SQL injections safe.

I hope dplyr developers will switch to use parameterized queries internally at some point. This would provide R community with a brilliant and safe R to SQL mapper and to forget about a manual preparation of SQL queries.

3 Speeding up query execution using parameterized queries

SQL query execution is being performed in a few steps. The first two steps are

  • Parsing the query string into internal database query data structures.
  • Planning the query, e.g. deciding the order of joining the tables, indexes which should be used to execute a query, etc.

If we repeat the same query many times and only values of query parameters are changing, it will be faster to perform these steps only once and then reuse the already parsed and planed query. This can be achieved by using parameterized queries.

3.1 Example – big insert

A typical scenario is an insert of many rows to a table:

3.2 Example – speeding up a SELECT query

Also repeated execution of a SELECT query can benefit from using parameterized variant:

The longer query string, the more complicated query planning and the more query repetitions, the bigger amount of time can be saved.

4 Parameterized SQL queries in R

Unfortunately all known to me R packages providing support for SQL databases lacks support for parameterized queries. Even the R DBI interface doesn’t define any methods which would allow to implement parameterized queries. The main reason for that is probably that R packages developers used to see SQL databases as just another storage backend for data frames rather than powerful data processing engines (which modern SQL databases already are).

4.1 RODBCext

RODBCext package tries to fill this gap by introducing parameterized queries support on the top of the RODBC package. RODBCext provides only two functions, both of them using database connection handlers from RODBC:

  • sqlPrepare(connHandle, SQLquery, errors = TRUE)
  • sqlExecute(connHandle, SQLquery, data, fetch = FALSE, errors = TRUE, ...)

4.1.1 sqlExecute()

Allows execution of SQL queries separated from query parameters values, e.g.:

The nice thing is that sqlExecute() (in opposite to sqlQuery()) supports vectorization. In the example below data will contain results of all five queries bound by rows.

Results can be also fetched separately using RODBC’s sqlGetResults(). This also provides a way to fetch results in parts:

As sqlExecute() uses internally sqlGetResults() to fetch results of the query, it also accept all parameters of the sqlGetResults():

4.1.2 sqlPrepare()

Parses a query string and plans a query. Query can be executed later using sqlExecute() with a parameter query set too NULL. This can provide some performance gain when executing the same query multiple times (see the chapter Speeding up query execution using parameterized queries). Usage example: