Hi Alexander
That is an excellent suggestion, I have added a SparqlParameterizedString
class as of revision 631. It takes a base query string with parameters in
the ADO.Net style like so:
SparqlParameterizedString queryString = new SparqlParameterizedString("SELECT * WHERE {?s a @type}");
Or you can initialise an empty string and then use the QueryText property to
get/set/append to the raw query text
Then there's a variety of methods for setting the parameters (SetLiteral,
SetUri and SetBlankNode) which insert values for the parameters e.g.
queryString.SetUri("type", new Uri("http://example.org/myType"));
The actual value of the query string is returned by the ToString() method,
so for the above example ToString() returns the following:
SELECT * WHERE {?s a <http://example.org/myType>}
If the user were to instead try to inject something by setting a string like
so, this wouldn't work; they'd simply get back the entire thing enclosed in
the literal, so they can't change the value of the original query.
queryString.SetLiteral("type", "<http://example.org/myType> ; ?prop ?value");
Results in:
SELECT * WHERE {?s a "<http://example.org/myType> ; ?prop ?value"}
Take a look and let me know what you think of it - does it do everything you
need/want it to?
The class is also reusable: if you set a parameter that has already
been set, it just changes the value for that parameter, so that next time you
call ToString() you get the query with the new parameter values inserted,
i.e. you don't have to instantiate a new instance of the class if you want
to make a query multiple times and substitute in different values each time.
Thanks,
Rob
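The following is an added example (not code from the thread or from dotNetRDF itself) showing the contrast Rob describes: a query built by string concatenation, where the injected "; ?prop ?value" tail becomes part of the query structure, beside the same query built through SparqlParameterizedString, where the value is bound as a SPARQL term. It assumes the class lives in the VDS.RDF.Query namespace; only the class name and its SetLiteral/SetUri/ToString members are taken from the thread, and the input strings are constructed for the demonstration.

```csharp
// Added example, not part of the original thread or of dotNetRDF.
// Assumption: SparqlParameterizedString is in the VDS.RDF.Query namespace.
using System;
using VDS.RDF.Query;

class SparqlParameterDemo
{
    // Unsafe: caller-supplied text is spliced straight into the query,
    // so any SPARQL syntax in the value changes the query's structure.
    static string UnsafeQuery(string userType)
    {
        return "SELECT * WHERE {?s a " + userType + "}";
    }

    // Safe: the value is bound via SetLiteral, which emits it as a literal
    // term rather than as raw query text.
    static string SafeLiteralQuery(string userType)
    {
        SparqlParameterizedString queryString =
            new SparqlParameterizedString("SELECT * WHERE {?s a @type}");
        queryString.SetLiteral("type", userType);
        return queryString.ToString();
    }

    // Same parameterised query reused with different URI values; each
    // SetUri call replaces the previous binding of @type.
    static void PrintQueriesForTypes(string[] typeUris)
    {
        SparqlParameterizedString queryString =
            new SparqlParameterizedString("SELECT * WHERE {?s a @type}");
        foreach (string typeUri in typeUris)
        {
            queryString.SetUri("type", new Uri(typeUri));
            Console.WriteLine(queryString.ToString());
        }
    }

    static void Main()
    {
        // Constructed input containing SPARQL syntax, as in Rob's message.
        string attempt = "<http://example.org/myType> ; ?prop ?value";

        Console.WriteLine(UnsafeQuery(attempt));
        Console.WriteLine(SafeLiteralQuery(attempt));

        // Constructed URIs to show parameter reuse.
        PrintQueriesForTypes(new[] {
            "http://example.org/TypeA",
            "http://example.org/TypeB"
        });
    }
}
```

The first line printed is the concatenated query with the extra triple pattern spliced in; the second is the form Rob quotes, with the whole value enclosed in a string literal. The reuse loop prints one query per URI, since setting @type again overwrites the earlier value rather than requiring a new instance.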
From: Alexander Sidorov [mailto:ale...@gm...]
Sent: 26 February 2010 09:00
To: dot...@li...
Subject: [dotNetRDF-develop] SPARQL escaping helper class
Hello!
I think it would be useful to have a helper class for escaping SPARQL
queries (look at this:
http://www.slideshare.net/Morelab/sparqlrdqlsparul-injection).
Regards,
Alexander