W3C home > Mailing lists > Public > public-lod@w3.org > March 2010

Re: Preventing SPARQL injection

From: Kingsley Idehen <kidehen@openlinksw.com>
Date: Mon, 29 Mar 2010 14:16:47 -0400
Message-ID: <4BB0EE8F.8010901@openlinksw.com>
To: Angelo Veltens <angelo.veltens@online.de>
CC: "public-lod@w3.org" <public-lod@w3.org>
Angelo Veltens wrote:
> Hi all,
> my name is Angelo Veltens, i'm studying computer science in germany. I
> am using the jena framework with sdb for a student research project.
> I'm just wondering how to prevent sparql injections. It seems to me,
> that i have to build my queries from plain strings and do the sanitizing
> on my own. Isn't there something like prepared statements as in
> SQL/JDBC? This would be less risky.
> Kind regards,
> Angelo Veltens
The server should have the ability to control who can do what with SPARQL.

If you put SPARQL endpoints behind FOAF+SSL (for instance) and also use 
ACLs at the Graph IRI level, the vulnerability is blocked (bar stealing 
your machine and getting locating your private key).



Kingsley Idehen	      
President & CEO 
OpenLink Software     
Web: http://www.openlinksw.com
Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca: kidehen 
Received on Monday, 29 March 2010 18:17:16 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 16:20:58 UTC