From: Alexander S. <ale...@gm...> - 2010-02-26 14:15:16
Hi Rob,

In general I like the approach you have chosen. But I looked through the sources and haven't found any escaping. What if the literal from your example contains a quotation mark? At the moment I can't tell what symbols exactly should be escaped... but you can look at the SqlCommand sources. Also there is some information about it in the presentation (for example, slide 35).

Regards,
Alexander

2010/2/26 <dot...@li...>

> Send Dotnetrdf-develop mailing list submissions to
> dot...@li...
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.sourceforge.net/lists/listinfo/dotnetrdf-develop
> or, via email, send a message with subject or body 'help' to
> dot...@li...
>
> You can reach the person managing the list at
> dot...@li...
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Dotnetrdf-develop digest..."
>
> Today's Topics:
>
> 1. SPARQL escaping helper class (Alexander Sidorov)
> 2. Re: SPARQL escaping helper class (Rob Vesse)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 26 Feb 2010 10:00:11 +0100
> From: Alexander Sidorov <ale...@gm...>
> Subject: [dotNetRDF-develop] SPARQL escaping helper class
> To: dot...@li...
> Message-ID: <828...@ma...>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hello!
>
> I think it would be useful to have a helper class for escaping SPARQL
> queries (look at this:
> http://www.slideshare.net/Morelab/sparqlrdqlsparul-injection).
>
> Regards,
> Alexander
>
> ------------------------------
>
> Message: 2
> Date: Fri, 26 Feb 2010 12:00:42 -0000
> From: "Rob Vesse" <ra...@ec...>
> Subject: Re: [dotNetRDF-develop] SPARQL escaping helper class
> To: "'dotNetRDF Developer Discussion and Feature Request'" <dot...@li...>
> Cc: ale...@gm...
> Message-ID: <EMEW3|6a27e0494e3d986b456109309e7d7fffm1PC0p06rav08r|ecs.soton.ac.uk|004a01cab6db$522b4160$f681c420$@soton.ac.uk>
> Content-Type: text/plain; charset="us-ascii"
>
> Hi Alexander
>
> That is an excellent suggestion, I have added a SparqlParameterizedString
> class as of revision 631. It takes a base query string with parameters in
> the ADO.Net style like so:
>
>     SparqlParameterizedString queryString = new SparqlParameterizedString("SELECT * WHERE {?s a @type}");
>
> Or you can initialise an empty string and then use the QueryText property
> to get/set/append to the raw query text.
>
> Then there's a variety of methods for setting the parameters (SetLiteral,
> SetUri and SetBlankNode) which insert values for the parameters, e.g.
>
>     queryString.SetUri("type", new Uri("http://example.org/myType"));
>
> The actual value of the query string is returned by the ToString() method,
> so for the above example ToString() returns the following:
>
>     SELECT * WHERE {?s a <http://example.org/myType>}
>
> If the user were instead to try to inject something by setting a string like
> so, this wouldn't work; they'd simply get back the entire thing enclosed in
> the literal, so they can't change the value of the original query.
>
>     queryString.SetLiteral("type", "<http://example.org/myType> ; ?prop ?value");
>
> Results in:
>
>     SELECT * WHERE {?s a "<http://example.org/myType> ; ?prop ?value"}
>
> Take a look and let me know what you think of it - does it do everything
> you need/want it to?
>
> The class is also reusable in that if you set a parameter that has already
> been set it just changes the value for that parameter, so that next time you
> call ToString() you get the query with the new parameter values inserted,
> i.e. you don't have to instantiate a new instance of the class if you want
> to make a query multiple times and substitute in different values each
> time.
>
> Thanks,
>
> Rob
>
> From: Alexander Sidorov [mailto:ale...@gm...]
> Sent: 26 February 2010 09:00
> To: dot...@li...
> Subject: [dotNetRDF-develop] SPARQL escaping helper class
>
> Hello!
>
> I think it would be useful to have a helper class for escaping SPARQL
> queries (look at this:
> http://www.slideshare.net/Morelab/sparqlrdqlsparul-injection).
>
> Regards,
> Alexander
>
> ------------------------------
>
> _______________________________________________
> Dotnetrdf-develop mailing list
> Dot...@li...
> https://lists.sourceforge.net/lists/listinfo/dotnetrdf-develop
>
> End of Dotnetrdf-develop Digest, Vol 3, Issue 3
> ***********************************************
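The point Alexander raises above (a literal value that itself contains a quotation mark) is the one case Rob's example does not exercise. The following is an added, stand-alone C# illustration and is not dotNetRDF code, nor the SparqlParameterizedString class from revision 631; the class and method names (SparqlLiteral, Escape, Quote, IsIriRefSafe, CountUnescapedQuotes) and the attacker input are constructed for this example. The escaping rules are taken from the SPARQL grammar for a double-quoted string literal (STRING_LITERAL2 may not contain an unescaped `"`, `\`, LF or CR; ECHAR is `\` followed by one of t b n r f \ " ') and for IRIREF (which forbids `<`, `>`, `"`, `{`, `}`, `|`, `^`, backtick, `\` and control or space characters), so the same rules apply whatever library splices the value into the query.

```csharp
using System;
using System.Text;

// Added example (not dotNetRDF code): which characters of a user-supplied value must be
// escaped before it is placed inside a double-quoted SPARQL string literal, and a cheap
// structural check that detects a literal which "broke out" of its quotes.
public static class SparqlLiteral
{
    // Escape the body of a STRING_LITERAL2. Unescaped '"', '\', LF and CR are illegal
    // inside the literal per the SPARQL grammar; tab is legal raw but escaped for clarity.
    public static string Escape(string value)
    {
        var sb = new StringBuilder(value.Length + 8);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\\\"); break;
                case '"':  sb.Append("\\\""); break;
                case '\n': sb.Append("\\n");  break;
                case '\r': sb.Append("\\r");  break;
                case '\t': sb.Append("\\t");  break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // A complete quoted literal, ready to splice into query text.
    public static string Quote(string value) => "\"" + Escape(value) + "\"";

    // IRIs cannot be escaped into safety: the grammar simply forbids these characters
    // inside <...>, so an IRI parameter must be validated and rejected, not escaped.
    public static bool IsIriRefSafe(string iri)
    {
        foreach (char c in iri)
        {
            if (c <= ' ' || "<>\"{}|^`\\".IndexOf(c) >= 0) return false;
        }
        return true;
    }

    // Count double quotes that are not preceded by a backslash. A template with one
    // literal must yield exactly 2; an odd count means the literal was split open.
    public static int CountUnescapedQuotes(string query)
    {
        int count = 0;
        bool escaped = false;
        foreach (char c in query)
        {
            if (escaped) { escaped = false; continue; }
            if (c == '\\') { escaped = true; continue; }
            if (c == '"') count++;
        }
        return count;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed attacker input: closes the literal, appends a pattern that reads
        // every triple, then comments out the rest of the original query with '#'.
        string userInput = "foo\" } . ?s ?p ?o . FILTER(?p = <http://example.org/secret>) #";

        string naive = "SELECT * WHERE { ?s <http://example.org/label> \"" + userInput + "\" }";
        string safe  = "SELECT * WHERE { ?s <http://example.org/label> " + SparqlLiteral.Quote(userInput) + " }";

        Console.WriteLine("naive: " + naive);
        Console.WriteLine("safe:  " + safe);
        // naive -> 3 (odd: the value escaped the literal); safe -> 2 (one intact literal)
        Console.WriteLine("unescaped quotes, naive: " + SparqlLiteral.CountUnescapedQuotes(naive));
        Console.WriteLine("unescaped quotes, safe:  " + SparqlLiteral.CountUnescapedQuotes(safe));

        // An IRI parameter carrying a '>' would terminate the IRIREF early; reject it.
        Console.WriteLine("iri ok:  " + SparqlLiteral.IsIriRefSafe("http://example.org/myType"));
        Console.WriteLine("iri bad: " + SparqlLiteral.IsIriRefSafe("http://example.org/x> ; ?s ?p ?o . <"));
    }
}
```

The quote-count check is deliberately crude (it ignores single-quoted and triple-quoted literals), but it is enough to turn Alexander's question into a regression test: feed a value containing `"` through whatever substitution the library does, then assert that the number of unescaped quotes in the produced query equals twice the number of literal parameters in the template.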