Re: Template language for SPARQL?

On 2012-07-26, at 21:06, David Booth wrote:

> Thanks to Scott Henninger, Paul Hermans, Bill Roberts, Martynas
> Jusevicius, Gunnar Aastrand Grimnes, Andy Seaborne, Mark Wallace, Graham
> Klyne, James Leigh and Ivan Mikhailov for your comments on SPARQL
> template conventions (a few weeks ago).
> 
> There doesn't seem to be any sort of community consensus on preferred
> syntax for indicating parameters in a SPARQL template.  Several syntaxes
> were mentioned:
> 
>  {?foo}  %{foo}  %2  $foo  ${foo}
> 
> I decided to be agnostic in the template processor that I wrote for the
> RDF Pipeline Framework, by allowing template authors to specify the
> names of their parameters using a #inputs(...) template directive.  Here
> is an example, using all five of the syntaxes above, with parameter
> names separated by whitespace:
> 
>  #inputs( {?monkey} %{gorilla} %3 $ape ${chimp} )
>  SELECT ?s 
>  WHERE { { ?s a {?monkey} }
>    UNION { ?s a %{gorilla} }
>    UNION { ?s a %3        }
>    UNION { ?s a $ape }
>    UNION { ?s a ${chimp} } }
> 
> The template processor knows nothing about SPARQL syntax -- it merely
> does blind text substitution -- so this also works:
> 
>  #inputs( Fred )
>  PREFIX foaf: <http://xmlns.com/foaf/0.1/>
>  SELECT ?person
>  WHERE { ?person foaf:givenName "Fred" }

This makes me very nervous. One of the main reasons for templating (in SQL, for example) is for security. People can't be relied upon to correctly escape query strings (and shouldn't be asked to try), and I don't think a non-syntax-aware template language can be guaranteed to get the escaping right.

- Steve

-- 
Steve Harris, CTO
Garlik, a part of Experian
+44 7854 417 874  http://www.garlik.com/
Registered in England and Wales 653331 VAT # 887 1335 93
Registered office: Landmark House, Experian Way, Nottingham, Notts, NG80 1ZZ
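To make the point in the reply above concrete, here is an added example (not code from the thread, the RDF Pipeline Framework, or Garlik) contrasting a blind-substitution renderer with a minimal syntax-aware one. It uses only the `${name}` placeholder syntax from the quoted list; the parameter kinds `literal` and `iri`, the helper names, and the sample value `O"Brien` are all my own constructions. The syntax-aware renderer escapes string literals according to the ECHAR production of the SPARQL 1.1 grammar and rejects characters the IRIREF production forbids, so the template author never has to think about quoting.

```python
import re

# Characters the SPARQL 1.1 IRIREF production forbids between '<' and '>':
# control characters and space, plus < > " { } | ^ ` and backslash.
_IRI_BAD = re.compile(r'[\x00-\x20<>"{}|^`\\]')

# ECHAR escapes for a double-quoted SPARQL string literal.
_LITERAL_ESCAPES = {
    '\\': '\\\\',
    '"': '\\"',
    '\n': '\\n',
    '\r': '\\r',
    '\t': '\\t',
    '\b': '\\b',
    '\f': '\\f',
}

# Placeholder syntax used by both renderers below (one of the five in the thread).
_PLACEHOLDER = re.compile(r'\$\{(\w+)\}')


def sparql_literal(value: str, lang: str = None) -> str:
    """Render a Python string as a correctly escaped SPARQL string literal."""
    escaped = ''.join(_LITERAL_ESCAPES.get(ch, ch) for ch in value)
    out = f'"{escaped}"'
    if lang is not None:
        # LANGTAG: letters, then optional '-' separated alphanumeric subtags.
        if not re.fullmatch(r'[A-Za-z]+(-[A-Za-z0-9]+)*', lang):
            raise ValueError(f"invalid language tag: {lang!r}")
        out += '@' + lang
    return out


def sparql_iri(value: str) -> str:
    """Render a Python string as a SPARQL IRI, refusing anything that would
    terminate or corrupt the <...> token."""
    if _IRI_BAD.search(value):
        raise ValueError(f"invalid character in IRI: {value!r}")
    return f'<{value}>'


def render_blind(template: str, params: dict) -> str:
    """Blind text substitution, as described for the #inputs(...) processor
    in the quoted message: the value goes in verbatim, and any quoting is
    whatever the template author happened to write around the placeholder."""
    return _PLACEHOLDER.sub(lambda m: params[m.group(1)], template)


def render_typed(template: str, params: dict) -> str:
    """Syntax-aware substitution: each parameter is a (kind, text) pair and is
    serialized by the SPARQL-aware helper for its kind."""
    def substitute(match):
        name = match.group(1)
        if name not in params:
            raise KeyError(f"no value for template parameter {name!r}")
        kind, text = params[name]
        if kind == 'literal':
            return sparql_literal(text)
        if kind == 'iri':
            return sparql_iri(text)
        raise ValueError(f"unknown parameter kind {kind!r} for {name!r}")
    return _PLACEHOLDER.sub(substitute, template)


def demo() -> dict:
    """Render the same query both ways with a constructed value that contains
    a double quote, a perfectly ordinary thing to find in real data."""
    value = 'O"Brien'  # constructed sample value
    # Blind templates must carry their own quotes, as in the quoted "Fred" example.
    blind_template = 'SELECT ?person WHERE { ?person foaf:givenName "${name}" }'
    typed_template = 'SELECT ?person WHERE { ?person foaf:givenName ${name} }'
    return {
        'blind': render_blind(blind_template, {'name': value}),
        'typed': render_typed(typed_template, {'name': ('literal', value)}),
    }


if __name__ == '__main__':
    for mode, query in demo().items():
        print(f'{mode}: {query}')
```

The blind rendering ends up with three double quotes in the literal position, so the query is either rejected by the parser or, for values less innocent than a surname, parsed as something the template author did not write; the typed rendering yields `"O\"Brien"` and stays a single literal. The point of the typed renderer is not cleverness in the escaping table but that the escaping lives in one place that knows which SPARQL token it is producing.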

Received on Friday, 27 July 2012 08:41:56 UTC