- From: Kjetil Kjernsmo <kjetil@kjernsmo.net>
- Date: Fri, 29 Oct 2010 15:02:34 +0200
- To: public-rdf-dawg-comments@w3.org
All,

To avoid SPARQL injection attacks, any user-supplied data must be properly escaped, otherwise public schemas will lead to a lot of these: http://xkcd.com/327/ :-)

Typically, in the RESTful graph management protocol, user input will be the graph URI and the payload if they use the suggested queries. Since this is something that many implementors will have to deal with, I think it makes sense for the WG to provide advice on how to do that.

Currently, I escape any '>' in the URIs, and serialize any payload to N-Triples before using it in the query. I guess that's a starting point; is there anything else that should be done?

Best,

Kjetil

--
Kjetil Kjernsmo
kjetil@kjernsmo.net
http://www.kjetil.kjernsmo.net/
Received on Friday, 29 October 2010 13:03:11 UTC