Thank you Claude. VALUES would be useful; the problem, however, is that in order to build a query I'm still required to concatenate strings and deal with insecure input. For example, if I want this query

  select * where { VALUES ?user { "laura" } $sbj ex:username ?user ; ex:password ?pwd . }

the way I'm dealing with it so far is (Python example)

  query = ' select * where { VALUES ?user { "' + name + '" } $sbj ex:username ?user ; ex:password ?pwd . }'

The problem is that if somebody gives me a username like this:

  " "bob"

the actual query string becomes

  select * where { VALUES ?user { "" "bob" } $sbj ex:username ?user ; ex:password ?pwd . }

which looks to me like an injection attack. I've dealt with it by escaping quotes myself, but it's very hackish and I was hoping there was a way to automatically deal with securing user input.


Sent: Monday, March 26, 2018 at 10:05 AM
From: "Claude Warren" <cla...@xenei.com>
To: users@jena.apache.org
Subject: Re: Parameterized queries

I don't know about escaping the values, but there are 2 constructs that might help you.

One is VALUES https://www.w3.org/TR/sparql11-query/#inline-data

  query="select * where { VALUES ?sbj { <http://example.org/Alice> <http://example.org/Bob> } $sbj a [] }"

and the other is IN https://www.w3.org/TR/sparql11-query/#func-in

  query="select * where { $sbj a [] . FILTER( $sbj in ( <http://example.org/Alice>, <http://example.org/Bob> ) ) }"

I suspect VALUES will serve you better as it can handle multiple parameters, and I think it is slightly more efficient in filtering the data stream (though I could be wrong here).

Claude

On Mon, Mar 26, 2018 at 8:30 AM, Laura Morales <laure...@mail.com> wrote:

> Is it possible to send a parameterized query to fuseki? I mean sending a
> query along with a list of parameters, more or less like this
>
> format=json
> query="select * where { $sbj a [] }"
> sbj="<http://example.org/Alice>"
>
> similar to SQL parameterized queries, where parameters are automatically
> escaped in order to prevent injection attacks.
>
> I know this would be more of a client issue than server, but I can't find
> any library that does this, so I was wondering if Fuseki has anything like
> this built in. In particular, I'd need a library for Python. Do you guys
> know any by chance?

--
I like: Like Like - The likeliest place on the web <http://like-like.xenei.com>
LinkedIn: http://www.linkedin.com/in/claudewarren
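A worked version of the escaping Laura describes, added here as an example; it is not code from the thread, from Jena, or from Fuseki. (Jena's Java API has ParameterizedSparqlString for this job; the Python side has nothing equivalent in the thread, so the example hand-rolls the same idea.) The helper names (sparql_string, sparql_iri, serialize, values_clause, IRI, unsafe_query, safe_query) and the hostile username are constructed for illustration. Escaping follows the SPARQL 1.1 grammar productions STRING_LITERAL2/ECHAR for strings and IRIREF for IRIs, and the unsafe builder reproduces Laura's concatenation so the two outputs can be compared side by side:

```python
"""
Added example (not from the thread): the unsafe concatenation from the
mailing-list post next to a small serializer that emits SPARQL terms the
way a parameterized-query layer would, so a hostile value can never leave
its literal.  Escaping follows the SPARQL 1.1 grammar (STRING_LITERAL2 and
ECHAR for strings, IRIREF for IRIs); the helper names are this example's.
"""
import re

# ECHAR: characters that must be backslash-escaped inside a double-quoted
# SPARQL string literal.
_ECHAR = {
    "\\": "\\\\",
    '"': '\\"',
    "\n": "\\n",
    "\r": "\\r",
    "\t": "\\t",
    "\b": "\\b",
    "\f": "\\f",
}

# IRIREF excludes <, >, ", {, }, |, ^, `, \, space and control characters.
_IRI_FORBIDDEN = re.compile(r'[<>"{}|^`\\\x00-\x20]')

# Variable names accepted in VALUES; stops syntax being smuggled in
# through the variable *name* as well as the value.
_VARNAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


class IRI(str):
    """Marker type: emit this parameter as <iri>, not as a string literal."""


def sparql_string(value: str) -> str:
    """Serialize a Python str as a double-quoted SPARQL string literal."""
    return '"' + "".join(_ECHAR.get(ch, ch) for ch in value) + '"'


def sparql_iri(value: str) -> str:
    """Serialize an IRI as <...>, refusing anything IRIREF would reject."""
    if ":" not in value or _IRI_FORBIDDEN.search(value):
        raise ValueError(f"not a valid IRIREF: {value!r}")
    return "<" + value + ">"


def serialize(value) -> str:
    """Choose the SPARQL serialization from the Python type."""
    if isinstance(value, IRI):
        return sparql_iri(value)
    if isinstance(value, bool):          # before int: bool subclasses int
        return "true" if value else "false"
    if isinstance(value, int):
        return f'"{value}"^^<http://www.w3.org/2001/XMLSchema#integer>'
    if isinstance(value, str):
        return sparql_string(value)
    raise TypeError(f"no SPARQL serialization for {type(value).__name__}")


def values_clause(bindings: dict) -> str:
    """Render {var: value, ...} as a one-row VALUES block."""
    names = list(bindings)
    for name in names:
        if not _VARNAME.fullmatch(name):
            raise ValueError(f"bad variable name: {name!r}")
    head = " ".join("?" + n for n in names)
    row = " ".join(serialize(bindings[n]) for n in names)
    return f"VALUES ( {head} ) {{ ( {row} ) }}"


# Same query template as in the thread, shared by both builders.
_TAIL = " $sbj ex:username ?user ; ex:password ?pwd . }"


def unsafe_query(name: str) -> str:
    """The concatenation from the post, kept verbatim to show the failure."""
    return 'select * where { VALUES ?user { "' + name + '" }' + _TAIL


def safe_query(name: str) -> str:
    """Same query, with the value serialized instead of spliced in."""
    return "select * where { " + values_clause({"user": name}) + _TAIL


if __name__ == "__main__":
    hostile = '" "bob'   # constructed input: closes the literal, opens a 2nd
    print(unsafe_query(hostile))  # VALUES ?user { "" "bob" }  -> two usernames
    print(safe_query(hostile))    # VALUES ( ?user ) { ( "\" \"bob" ) } -> one
    print(values_clause({"sbj": IRI("http://example.org/Alice"), "n": 3}))
```

Two caveats a reviewer would raise. The serializer only protects a value that sits in a term position (a literal or IRI inside VALUES, IN or a triple pattern); user input that has to become a variable name, keyword or property path still needs a whitelist, which is why values_clause checks variable names as well. And the IRIREF check refuses the characters that would close the angle brackets or start new syntax, but it is not full RFC 3987 validation; where IRIs themselves come from users, compare them against a list of allowed namespaces rather than trusting the syntax check alone.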