- From: Damian Steer <d.steer@bristol.ac.uk>
- Date: Mon, 29 Mar 2010 16:21:21 +0100
- To: angelo.veltens@online.de
- CC: Rob Vesse <rav08r@ecs.soton.ac.uk>, 'Linked Data community' <public-lod@w3.org>, jena-dev@yahoogroups.com
On 29/03/10 15:53, Rob Vesse wrote:
> Forgot to cc to list and to jena-dev

Missed the original post completely. Thanks for ccing to jena-dev.

> Hi all,
>
> my name is Angelo Veltens, I'm studying computer science in Germany. I
> am using the Jena framework with SDB for a student research project.
>
> I'm just wondering how to prevent SPARQL injections. It seems to me
> that I have to build my queries from plain strings and do the sanitizing
> on my own. Isn't there something like prepared statements as in
> SQL/JDBC? This would be less risky.
>
> Kind regards,
> Angelo Veltens

Use the QueryExecutionFactory methods that accept an initial binding: [1]

Query q = QueryFactory.create("select * { ?s ?p ?o }");
QuerySolutionMap qs = new QuerySolutionMap();
qs.add("s", resource); // bind resource to s
QueryExecution qe = QueryExecutionFactory.create(q, dataset, qs);

That's much safer and easier than messing with query strings. (Unfortunately it doesn't work for remote queries via queryService.)

Damian

[1] <http://jena.sourceforge.net/ARQ/javadoc/com/hp/hpl/jena/query/QueryExecutionFactory.html#create(com.hp.hpl.jena.query.Query, com.hp.hpl.jena.query.Dataset, com.hp.hpl.jena.query.QuerySolution)>
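The initial-binding approach from Damian's reply, worked into a complete Java example that is added here and is not part of the original thread. It assumes Jena 2.x / ARQ with the com.hp.hpl.jena packages referenced in [1] (Jena 3 renamed them to org.apache.jena); the class, method names and sample data are constructed for illustration, and the contrast it draws is between splicing user text into the query string and binding it as an RDF term.

```java
import com.hp.hpl.jena.query.*;
import com.hp.hpl.jena.rdf.model.*;

public class SafeSparqlLookup {
    static final String FOAF_NAME = "http://xmlns.com/foaf/0.1/name";

    // Constructed sample data (not from the thread): two resources with foaf:name values.
    static Dataset sampleDataset() {
        Model m = ModelFactory.createDefaultModel();
        Property name = m.createProperty(FOAF_NAME);
        m.createResource("http://example.org/alice").addProperty(name, "Alice");
        m.createResource("http://example.org/bob").addProperty(name, "Bob");
        return DatasetFactory.create(m);
    }

    // Unsafe: the user value is spliced into the query text, so it is parsed as SPARQL syntax.
    static int unsafeCount(Dataset ds, String userName) {
        String sparql = "SELECT ?s { ?s <" + FOAF_NAME + "> \"" + userName + "\" }";
        Query q = QueryFactory.create(sparql);  // a stray quote breaks parsing; other input changes meaning
        QueryExecution qe = QueryExecutionFactory.create(q, ds);
        try { return ResultSetFormatter.consume(qe.execSelect()); } finally { qe.close(); }
    }

    // Safe: the query text is a fixed constant; the user value enters only as an RDF term
    // through an initial binding, as the reply suggests, so it is never parsed as SPARQL.
    static int safeCount(Dataset ds, String userName) {
        Query q = QueryFactory.create("SELECT ?s { ?s <" + FOAF_NAME + "> ?name }");
        QuerySolutionMap initial = new QuerySolutionMap();
        initial.add("name", ResourceFactory.createPlainLiteral(userName));
        QueryExecution qe = QueryExecutionFactory.create(q, ds, initial);
        try { return ResultSetFormatter.consume(qe.execSelect()); } finally { qe.close(); }
    }

    public static void main(String[] args) {
        Dataset ds = sampleDataset();
        String tainted = "Alice\"";  // an unbalanced quote: harmless as data, syntax if concatenated

        System.out.println("safe, normal input:  " + safeCount(ds, "Alice"));   // 1 row
        System.out.println("safe, tainted input: " + safeCount(ds, tainted));   // 0 rows, matched as a literal
        try {
            System.out.println("unsafe, tainted:     " + unsafeCount(ds, tainted));
        } catch (QueryParseException e) {
            // The parser rejected the query: the user text was being read as query syntax.
            System.out.println("unsafe, tainted:     QueryParseException (" + e.getMessage() + ")");
        }
    }
}
```

As the reply notes, the third argument is only honoured for local execution; for a remote endpoint via queryService the binding is not sent, so the same value would have to be handled differently.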
Received on Monday, 29 March 2010 15:22:23 UTC