W3C home > Mailing lists > Public > public-lod@w3.org > March 2010

Re: Preventing SPARQL injection

From: Damian Steer <d.steer@bristol.ac.uk>
Date: Mon, 29 Mar 2010 16:21:21 +0100
Message-ID: <4BB0C571.7070401@bristol.ac.uk>
To: angelo.veltens@online.de
CC: Rob Vesse <rav08r@ecs.soton.ac.uk>, 'Linked Data community' <public-lod@w3.org>, jena-dev@yahoogroups.com
On 29/03/10 15:53, Rob Vesse wrote:
> Forgot to cc to list and to jena-dev

Missed the original post completely. Thanks for ccing to jena-dev.

> Hi all,
>
> my name is Angelo Veltens, i'm studying computer science in germany. I
> am using the jena framework with sdb for a student research project.
>
> I'm just wondering how to prevent sparql injections. It seems to me,
> that i have to build my queries from plain strings and do the sanitizing
> on my own. Isn't there something like prepared statements as in
> SQL/JDBC? This would be less risky.
>
> Kind regards,
> Angelo Veltens

Use the QueryExecutionFactory methods that accept an initial binding: [1]

Query q = QueryFactory.create("select * { ?s ?p ?o }");

QuerySolutionMap qs = new QuerySolutionMap();
qs.add("s", resource); // bind resource to s

QueryExecution qe = QueryExecutionFactory.create(q, dataset, qs);

That's much safer and easier than messing with query strings.

(Unfortunately it doesn't work for remote queries via queryService)

Damian

[1] 
<http://jena.sourceforge.net/ARQ/javadoc/com/hp/hpl/jena/query/QueryExecutionFactory.html#create(com.hp.hpl.jena.query.Query, 
com.hp.hpl.jena.query.Dataset, com.hp.hpl.jena.query.QuerySolution)>
Received on Monday, 29 March 2010 15:22:23 UTC

This archive was generated by hypermail 2.3.1 : Sunday, 31 March 2013 14:24:25 UTC