
Proper escaping of URIs and payload on update operations

From: Kjetil Kjernsmo <kjetil@kjernsmo.net>
Date: Fri, 29 Oct 2010 15:02:34 +0200
To: public-rdf-dawg-comments@w3.org
Message-id: <201010291502.35938.kjetil@kjernsmo.net>
All,

To avoid SPARQL injection attacks, any user supplied data must be properly 
escaped, otherwise public schemas will lead to a lot of these:
http://xkcd.com/327/ :-)

Typically, in the RESTful graph management protocol, user input will be the 
graph URI and the payload if they use the suggested queries. Since this is 
something that many implementors will have to deal with, I think it makes 
sense for the WG to provide advice on how to do that.

Currently, I escape any '>' in the URIs, and serialize any payload to N-
triples before using it in the query. I guess that's a starting point; is 
there anything else that should be done?

Best,

Kjetil
-- 
Kjetil Kjernsmo
kjetil@kjernsmo.net
http://www.kjetil.kjernsmo.net/
Received on Friday, 29 October 2010 13:03:11 GMT
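As an added illustration of the problem raised in this mail (not code from the post or from any implementation), here is a small Python builder for the suggested INSERT DATA query: it validates user-supplied graph and resource IRIs against the character set of the SPARQL 1.1 IRIREF token and rejects anything that could close the token (rejection instead of the escaping mentioned above, because the IRIREF token itself defines no escape sequence), serializes string literals with N-Triples escapes, and sits beside the naive concatenation it replaces. All graph names and triples are constructed sample values.

```python
import re

# Characters that may not appear inside a SPARQL 1.1 IRIREF token
# ('<' ([^<>"{}|^`\]-[#x00-#x20])* '>'): the delimiters, a few others,
# and all control characters and space. Any of them could terminate the
# token early, so the safe builder refuses the value instead of emitting it.
_IRIREF_FORBIDDEN = re.compile(r'[<>"{}|^`\\\x00-\x20]')
# N-Triples ECHAR escapes for the characters that matter in a string literal.
_NT_ESCAPES = {"\\": "\\\\", '"': '\\"', "\n": "\\n", "\r": "\\r", "\t": "\\t"}

def is_embeddable_iri(iri: str) -> bool:
    """True if iri can be wrapped in <...> without breaking out of the token."""
    return bool(iri) and _IRIREF_FORBIDDEN.search(iri) is None

def sparql_iri(iri: str) -> str:
    """Wrap a validated IRI as an IRIREF, or raise rather than emit it."""
    if not is_embeddable_iri(iri):
        raise ValueError(f"IRI not safe to embed in a SPARQL query: {iri!r}")
    return f"<{iri}>"

def ntriples_literal(value: str, datatype: str = "") -> str:
    """Serialize a string (optionally typed) literal in N-Triples form."""
    lit = '"' + "".join(_NT_ESCAPES.get(ch, ch) for ch in value) + '"'
    return lit + "^^" + sparql_iri(datatype) if datatype else lit

def insert_data_naive(graph: str, triples) -> str:
    """Vulnerable pattern: user-controlled values concatenated verbatim."""
    body = " ".join(f'<{s}> <{p}> "{o}" .' for s, p, o in triples)
    return f"INSERT DATA {{ GRAPH <{graph}> {{ {body} }} }}"

def insert_data_safe(graph: str, triples) -> str:
    """Hardened: every IRI validated, every literal N-Triples-escaped."""
    body = " ".join(
        f"{sparql_iri(s)} {sparql_iri(p)} {ntriples_literal(o)} ."
        for s, p, o in triples)
    return f"INSERT DATA {{ GRAPH {sparql_iri(graph)} {{ {body} }} }}"

# Constructed sample input: a legitimate graph name, a hostile one that closes
# the IRIREF and the enclosing blocks (further operations could then follow),
# and a literal containing a quote and a newline.
GOOD_GRAPH = "http://example.org/graphs/g1"
BAD_GRAPH = "http://example.org/g> } }"
TRIPLES = [("http://example.org/s", "http://example.org/p", 'say "hi"\n')]

if __name__ == "__main__":
    print(insert_data_naive(BAD_GRAPH, TRIPLES))  # token closed by the payload
    print(insert_data_safe(GOOD_GRAPH, TRIPLES))
    print(is_embeddable_iri(BAD_GRAPH))  # False: the safe builder raises
```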
