The ParameterizedSparqlString is syntax based, while normal prepared statements are semantic based.

If you add a string to a prepared statement, then the query processor knows not to parse that string. With the ParameterizedSparqlString the query processor doesn’t get to know that it shouldn’t parse the string. ParameterizedSparqlString is best effort for trying to make the query processor believe it’s a string. It never actually tells the query processor directly that it’s a string. It’s much easier to fool a syntax based approach.

Håvard

On 06/01/16 13:43, "Rob Vesse" <[email protected]> wrote:

>I'm not sure why that is a problem?
>
>Any sort of prepared statement functionality is always going to be best
>effort and can only protect against attacks that the designers foresaw
>
>Rob
>
>On 06/01/2016 11:48, "Håvard Mikkelsen Ottestad"
><[email protected]> wrote:
>
>>Thanks,
>>
>>I looked into that one, however it says it shouldn’t be considered a safe
>>solution. It’s more of a better-than-nothing.
>>
>>Håvard
>>
>>On 06/01/16 12:44, "Rob Vesse" <[email protected]> wrote:
>>
>>>Please see the ParameterizedSparqlString class:
>>>
>>>http://jena.apache.org/documentation/javadoc/arq/org/apache/jena/query/ParameterizedSparqlString.html
>>>
>>>See also the user documentation on this at:
>>>
>>>https://jena.apache.org/documentation/query/parameterized-sparql-strings.html
>>>
>>>Rob
>>>
>>>On 06/01/2016 11:02, "Håvard Mikkelsen Ottestad"
>>><[email protected]> wrote:
>>>
>>>>Sorry about how that looked.
>>>>
>>>>Should look like this:
>>>>-----------------
>>>>
>>>>Hi,
>>>>
>>>>I know that it’s possible to do safe queries with Jena using a
>>>>QuerySolution for both update queries and select queries.
>>>>
>>>>Ex.
>>>>
>>>>UpdateExecutionFactory
>>>>
>>>>create(Update update, Dataset dataset, QuerySolution inputBinding)
>>>>
>>>>Is it possible to do something similar when running these queries
>>>>against Fuseki over HTTP?
>>>>
>>>>My scenario at the moment: Create a user with a username and email
>>>>provided by the user. To be safe, for SQL, I would use a prepared
>>>>statement. In Jena I would normally use a QuerySolution.
>>>>
>>>>Regards,
>>>>Håvard M. Ottestad
>>>>
>>>>-----------------
>>>>
>>>>On 06/01/16 11:42, "Håvard Mikkelsen Ottestad"
>>>><[email protected]> wrote:
>>>>
>>>>>Hi,
>>>>>
>>>>>I know that it’s possible to do safe queries with Jena using a
>>>>>QuerySolution for both update queries and select queries.
>>>>>
>>>>>Ex.
>>>>>
>>>>>UpdateExecutionFactory
>>>>>
>>>>>create<https://jena.apache.org/documentation/javadoc/arq/org/apache/jena/update/UpdateExecutionFactory.html#create-org.apache.jena.update.Update-org.apache.jena.query.Dataset-org.apache.jena.query.QuerySolution->(Update<https://jena.apache.org/documentation/javadoc/arq/org/apache/jena/update/Update.html> update,
>>>>>Dataset<https://jena.apache.org/documentation/javadoc/arq/org/apache/jena/query/Dataset.html>
>>>>>dataset,QuerySolution<https://jena.apache.org/documentation/javadoc/arq/org/apache/jena/query/QuerySolution.html> inputBinding)
>>>>>
>>>>>Is it possible to do something similar when running these queries
>>>>>against Fuseki over HTTP?
>>>>>
>>>>>My scenario at the moment: Create a user with a username and email
>>>>>provided by the user. To be safe, for SQL, I would use a prepared
>>>>>statement. In Jena I would normally use a QuerySolution.
>>>>>
>>>>>Regards,
>>>>>Håvard M. Ottestad
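The three ways of getting a user-supplied value into the update that the thread discusses, side by side, as an added example that is not code from the thread or from Jena's own documentation; it targets the Jena 3 API the thread references (UpdateExecutionFactory.create with a QuerySolution and ParameterizedSparqlString). The class name, the ex: prefix, the method names and the sample input are assumptions.

```java
import org.apache.jena.query.*;
import org.apache.jena.rdf.model.ResourceFactory;
import org.apache.jena.update.*;

public class SafeInsertDemo {
    static final String PREFIX = "PREFIX ex: <http://example.org/> ";
    // Constructed sample input; the quote and brace break a concatenated query.
    static final String USERNAME = "o'brien\" } . ";
    static final String EMAIL = "user@example.org";
    // 1. Naive concatenation: the value becomes query text and the parser decides what it means.
    static boolean naiveParses(String name) {
        try {
            UpdateFactory.create(PREFIX + "INSERT DATA { [] ex:username \"" + name + "\" }");
            return true;
        } catch (QueryParseException e) {
            return false;   // what USERNAME above produces
        }
    }
    // 2. ParameterizedSparqlString (syntax based): escaped text is spliced in, then parsed.
    static UpdateRequest viaParameterizedString(String name, String mail) {
        ParameterizedSparqlString pss = new ParameterizedSparqlString(
            PREFIX + "INSERT DATA { [] ex:username ?name ; ex:email ?mail }");
        pss.setLiteral("name", name);
        pss.setLiteral("mail", mail);
        return pss.asUpdate();
    }
    // 3. QuerySolution initial binding (semantic): fixed text, values passed as RDF terms.
    static void viaInitialBinding(Dataset ds, String name, String mail) {
        QuerySolutionMap binding = new QuerySolutionMap();
        binding.add("name", ResourceFactory.createPlainLiteral(name));
        binding.add("mail", ResourceFactory.createPlainLiteral(mail));
        UpdateRequest req = UpdateFactory.create(
            PREFIX + "INSERT { [] ex:username ?name ; ex:email ?mail } WHERE {}");
        UpdateExecutionFactory.create(req, ds, binding).execute();
    }
    // Reads the stored username back so it can be compared with the input.
    static String storedUsername(Dataset ds) {
        try (QueryExecution qe = QueryExecutionFactory.create(
                PREFIX + "SELECT ?n WHERE { ?u ex:username ?n }", ds)) {
            ResultSet rs = qe.execSelect();
            return rs.hasNext() ? rs.next().getLiteral("n").getString() : null;
        }
    }
    public static void main(String[] args) {
        Dataset ds = DatasetFactory.create();          // local in-memory dataset
        viaInitialBinding(ds, USERNAME, EMAIL);
        UpdateExecutionFactory.create(viaParameterizedString(USERNAME, EMAIL), ds).execute();
        System.out.println(naiveParses(USERNAME) + " / " + storedUsername(ds));
    }
}
```

The initial-binding path only exists for local execution, which is why it does not answer the Fuseki-over-HTTP question in the thread; there the value has to travel inside the query text, and only the escaping approach of ParameterizedSparqlString remains.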
