Proper escaping of URIs and payload on update operations

All,

To avoid SPARQL injection attacks, any user supplied data must be properly 
escaped, otherwise public schemas will lead to a lot of these:
http://xkcd.com/327/ :-)

Typically, in the RESTful graph management protocol, user input will be the 
graph URI and the payload if they use the suggested queries. Since this is 
something that many implementors will have to deal with, I think it makes 
sense for the WG to provide advice on how to do that.

Currently, I escape any '>' in the URIs, and serialize any payload to 
N-Triples before using it in the query. I guess that's a starting point; is 
there anything else that should be done?

Best,

Kjetil
-- 
Kjetil Kjernsmo
kjetil@kjernsmo.net
http://www.kjetil.kjernsmo.net/

Received on Friday, 29 October 2010 13:03:11 UTC
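The two measures the message describes, checking the graph URI before it goes between `<` and `>` and serializing the payload as N-Triples so that every literal is escaped, as an added example in Python. This is not code from the message or from the working group; the tagged-tuple term encoding, the function names and the sample data are constructed for illustration.

```python
"""Escaping user-supplied graph IRIs and payload triples before they are
embedded in a SPARQL Update request. Added example, not code from the
message above; the tagged-tuple term encoding is an assumption."""
import re

# SPARQL 1.1 IRIREF forbids these characters inside <...>, along with
# space and ASCII control characters. Any of them in user input is either
# an attempt to close the brackets early or simply not a legal IRI.
_IRI_FORBIDDEN = re.compile(r'[<>"{}|^`\\\x00-\x20]')
# N-Triples BLANK_NODE_LABEL, simplified to ASCII: no leading or trailing '.'.
_BNODE_LABEL = re.compile(r'^[A-Za-z0-9_](?:[A-Za-z0-9_.-]*[A-Za-z0-9_-])?$')
# LANGTAG production shared by N-Triples and SPARQL.
_LANGTAG = re.compile(r'^[A-Za-z]+(?:-[A-Za-z0-9]+)*$')
# ECHAR escapes shared by N-Triples and SPARQL string literals.
_LITERAL_ESCAPES = {'\\': '\\\\', '"': '\\"', '\n': '\\n', '\r': '\\r',
                    '\t': '\\t', '\b': '\\b', '\f': '\\f'}


def iri_ref(iri: str) -> str:
    """Wrap an IRI in <...>, refusing anything that could end the IRIREF early."""
    if _IRI_FORBIDDEN.search(iri):
        raise ValueError(f"not a legal SPARQL IRIREF: {iri!r}")
    return f"<{iri}>"


def escape_literal(value: str) -> str:
    """Escape the characters that terminate or alter a double-quoted literal."""
    return "".join(_LITERAL_ESCAPES.get(c, c) for c in value)


def literal(value: str, lang: str = None, datatype: str = None) -> str:
    """Serialize a plain, language-tagged or typed literal in N-Triples form."""
    out = '"' + escape_literal(value) + '"'
    if lang is not None:
        if not _LANGTAG.match(lang):
            raise ValueError(f"not a legal language tag: {lang!r}")
        out += "@" + lang
    elif datatype is not None:
        out += "^^" + iri_ref(datatype)   # datatype IRI gets the same check
    return out


def term(t: tuple) -> str:
    """Serialize one RDF term given as ("iri", v), ("bnode", label) or
    ("literal", v[, lang[, datatype]]) (constructed encoding)."""
    kind = t[0]
    if kind == "iri":
        return iri_ref(t[1])
    if kind == "bnode":
        if not _BNODE_LABEL.match(t[1]):
            raise ValueError(f"not a legal blank node label: {t[1]!r}")
        return "_:" + t[1]
    if kind == "literal":
        return literal(t[1], *t[2:])
    raise ValueError(f"unknown term kind {kind!r}")


def to_ntriples(triples) -> str:
    """Serialize (s, p, o) triples; each line is also a valid SPARQL triple pattern."""
    return "".join(f"{term(s)} {term(p)} {term(o)} .\n" for s, p, o in triples)


def insert_data_update(graph_iri: str, triples) -> str:
    """Build the INSERT DATA request for a graph-store PUT/POST."""
    return f"INSERT DATA {{ GRAPH {iri_ref(graph_iri)} {{\n{to_ntriples(triples)}}} }}"


def drop_graph_update(graph_iri: str) -> str:
    """Build the DROP GRAPH request for a graph-store DELETE."""
    return f"DROP GRAPH {iri_ref(graph_iri)}"


def demo() -> str:
    """Constructed payload whose title literal tries to close the quote and
    append another operation; after escaping it survives only as text."""
    payload = [
        (("iri", "http://example.org/book/1"),
         ("iri", "http://purl.org/dc/elements/1.1/title"),
         ("literal", 'Robert"); DROP ALL ; #', "en")),
    ]
    return insert_data_update("http://example.org/graphs/books", payload)


if __name__ == "__main__":
    print(demo())
```

Two design choices worth noting. For the graph IRI the example rejects rather than escapes, because SPARQL has no escape sequence inside `<...>`; percent-encoding a `>` as `%3E` would also keep the query intact, but it silently renames the graph the client asked for. For the payload, escaping only `>` is not enough: a literal has to have `\`, `"`, newline and carriage return escaped as well, and a datatype IRI or language tag supplied by the client needs the same validation as the graph name.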