On 29/03/10 15:53, Rob Vesse wrote:
Forgot to cc to list and to jena-dev
Missed the original post completely. Thanks for ccing to jena-dev.
Hi all,
my name is Angelo Veltens, I'm studying computer science in Germany. I
am using the Jena framework with SDB for a student research project.
I'm just wondering how to prevent SPARQL injections. It seems to me
that I have to build my queries from plain strings and do the sanitizing
on my own. Isn't there something like prepared statements as in
SQL/JDBC? This would be less risky.
Kind regards,
Angelo Veltens
Use the QueryExecutionFactory methods that accept an initial binding: [1]
import com.hp.hpl.jena.query.*;

// dataset (a Dataset) and resource (an RDFNode) are assumed to exist already
Query q = QueryFactory.create("select * { ?s ?p ?o }");
QuerySolutionMap qs = new QuerySolutionMap();
qs.add("s", resource); // bind resource to s
QueryExecution qe = QueryExecutionFactory.create(q, dataset, qs);
That's much safer and easier than messing with query strings.
(Unfortunately it doesn't work for remote queries via queryService)
Damian
[1] <http://jena.sourceforge.net/ARQ/javadoc/com/hp/hpl/jena/query/QueryExecutionFactory.html#create(com.hp.hpl.jena.query.Query, com.hp.hpl.jena.query.Dataset, com.hp.hpl.jena.query.QuerySolution)>
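An added example (not Damian's code or Jena's own) that puts the string-built query next to the initial-binding version Damian describes, using an in-memory Jena 2 / ARQ model with constructed FOAF data; the class and method names are made up for the illustration:

```java
import com.hp.hpl.jena.query.*;
import com.hp.hpl.jena.rdf.model.*;

public class SafeSparql {
    static final String FOAF = "http://xmlns.com/foaf/0.1/";

    // Constructed sample data: two people in an in-memory model.
    static Dataset sampleDataset() {
        Model m = ModelFactory.createDefaultModel();
        Property name = m.createProperty(FOAF + "name");
        m.createResource("http://example.org/alice").addProperty(name, "Alice");
        m.createResource("http://example.org/bob").addProperty(name, "Bob");
        return DatasetFactory.create(m);
    }

    // Risky: the untrusted value becomes part of the query text, so it is parsed as syntax.
    static int countByNameUnsafe(Dataset ds, String userName) {
        String text = "SELECT ?s { ?s <" + FOAF + "name> \"" + userName + "\" }";
        Query q = QueryFactory.create(text);   // QueryParseException if the input breaks the literal
        return count(QueryExecutionFactory.create(q, ds));
    }

    // Safe: the query text is constant; the value arrives as a bound literal (initial binding).
    static int countByNameSafe(Dataset ds, String userName) {
        Query q = QueryFactory.create("SELECT ?s { ?s <" + FOAF + "name> ?n }");
        QuerySolutionMap binding = new QuerySolutionMap();
        binding.add("n", ResourceFactory.createPlainLiteral(userName));
        return count(QueryExecutionFactory.create(q, ds, binding));
    }

    static int count(QueryExecution qe) {
        try {
            int n = 0;
            ResultSet rs = qe.execSelect();
            while (rs.hasNext()) { rs.next(); n++; }
            return n;
        } finally { qe.close(); }
    }

    public static void main(String[] args) {
        Dataset ds = sampleDataset();
        String hostile = "Alice\" }";   // constructed input containing a quote and brace
        System.out.println("bound, normal input: " + countByNameSafe(ds, "Alice"));
        System.out.println("bound, hostile input: " + countByNameSafe(ds, hostile)); // data, not syntax
        try {
            countByNameUnsafe(ds, hostile);
        } catch (QueryParseException e) {
            System.out.println("string-built query: input was parsed as query syntax");
        }
    }
}
```

With the binding, the hostile string is compared as a literal and simply matches nothing; with concatenation it changes the query's structure, which here shows up as a parse error and in general can alter what the query returns.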