From: Rob V. <ra...@ec...> - 2010-02-26 15:01:13
Hi Alexander

For the purposes of standardisation the escaping is handled by the fact that the TurtleWriterContext class already does all the escaping we need. If you look at the ToString() method you'll see it calls the FormatNode method of its local instance of this class which outputs the Node as an appropriate string with escapes as necessary.

It is not necessary to be quite as paranoid as the slides suggest since as long as we format the value into valid Turtle syntax for the Node then it will be perfectly safe in a SPARQL query. For example if you were to use a literal with a quote it would insert it as a long literal in the SPARQL query e.g.

    SparqlParameterizedString queryString = new SparqlParameterizedString();
    queryString.QueryText = @"PREFIX : <http://example.org/> SELECT * WHERE {?s :property @value}";
    queryString.SetLiteral("value", "This string contains a \" quote character");

Results in the following SPARQL string when ToString() is called:

    PREFIX : <http://example.org> SELECT * WHERE {?s :property """This string contains a " quote character"""}

Which is a valid long literal and doesn't allow stuff to be injected. Even if Unicode (\u and \U) escapes are used like the slides discuss this doesn't matter since the value just remains encoded as part of the string and can't be used to break out of the quotes and inject stuff into the query.

Rob

From: Alexander Sidorov [mailto:ale...@gm...]
Sent: 26 February 2010 13:21
To: dot...@li...
Subject: Re: [dotNetRDF-develop] Dotnetrdf-develop Digest, Vol 3, Issue 3

Hi Rob,

In general I like the approach you have chosen. But I looked through the sources and haven't found any escaping. What if the literal from your example contains quotation? At the moment I can't tell what symbols exactly should be escaped... but you can look at SqlCommand sources. Also there is some information about it in the presentation (for example, slide 35).
Regards,
Alexander

2010/2/26 <dot...@li...>

Message: 1
Date: Fri, 26 Feb 2010 10:00:11 +0100
From: Alexander Sidorov <ale...@gm...>
Subject: [dotNetRDF-develop] SPARQL escaping helper class
To: dot...@li...

Hello!

I think it would be useful to have a helper class for escaping SPARQL queries (look at this: http://www.slideshare.net/Morelab/sparqlrdqlsparul-injection).

Regards,
Alexander

------------------------------

Message: 2
Date: Fri, 26 Feb 2010 12:00:42 -0000
From: "Rob Vesse" <ra...@ec...>
Subject: Re: [dotNetRDF-develop] SPARQL escaping helper class
To: "'dotNetRDF Developer Discussion and Feature Request'" <dot...@li...>
Cc: ale...@gm...

Hi Alexander

That is an excellent suggestion, I have added a SparqlParameterizedString class as of revision 631.

It takes a base query string with parameters in the ADO.Net style like so:

    SparqlParameterizedString queryString = new SparqlParameterizedString("SELECT * WHERE {?s a @type}");

Or you can initialise an empty string and then use the QueryText property to get/set/append to the raw query text.

Then there's a variety of methods for setting the parameters (SetLiteral, SetUri and SetBlankNode) which insert values for the parameters e.g.

    queryString.SetUri("type", new Uri("http://example.org/myType"));

The actual value of the query string is returned by the ToString() method, so for the above example ToString() returns the following:

    SELECT * WHERE {?s a <http://example.org/myType>}

If the user was to instead try to inject something by setting a string like so this wouldn't work, they'd simply get back the entire thing enclosed in the literal so they can't change the value of the original query.

    queryString.SetLiteral("type", "<http://example.org/myType> ; ?prop ?value");

Results in:

    SELECT * WHERE {?s a "<http://example.org/myType> ; ?prop ?value"}

Take a look and let me know what you think of it - does it do everything you need/want it to?

The class is also reusable in that if you set a parameter that has already been set it just changes the value for that parameter so that next time you call ToString() you get the query with the new parameter values inserted i.e. you don't have to instantiate a new instance of the class if you want to make a query multiple times and substitute in different values each time.

Thanks,
Rob

From: Alexander Sidorov [mailto:ale...@gm...]
Sent: 26 February 2010 09:00
To: dot...@li...
Subject: [dotNetRDF-develop] SPARQL escaping helper class

Hello!

I think it would be useful to have a helper class for escaping SPARQL queries (look at this: http://www.slideshare.net/Morelab/sparqlrdqlsparul-injection).

Regards,
Alexander
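The format-then-substitute scheme that Rob's two messages describe, as an added stand-alone illustration written for this page (it is not dotNetRDF's SparqlParameterizedString or TurtleWriterContext code; the class name SparqlTemplate and its exact escaping rules are assumptions). It renders every value as a SPARQL term before substituting it, and escapes quotes and backslashes in literals rather than relying on the long-literal form, so a value containing three double quotes or a \u escape is also inert:

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using System.Text.RegularExpressions;

// Hypothetical stand-in for the scheme in the thread (not dotNetRDF's own code): ADO.Net-style
// @name placeholders, each value rendered as a SPARQL term before substitution, never raw.
public sealed class SparqlTemplate
{
    private readonly string _text;
    private readonly Dictionary<string, string> _params = new Dictionary<string, string>();
    public SparqlTemplate(string text) { _text = text; }

    // Plain literal in short-quote form with the Turtle ECHAR escapes. Escaping the backslash
    // keeps a user-supplied \u0022 or \" inert, and """ is harmless since no long literal is used.
    public static string FormatLiteral(string value)
    {
        var sb = new StringBuilder("\"");
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\\\"); break;
                case '"':  sb.Append("\\\""); break;
                case '\n': sb.Append("\\n");  break;
                case '\r': sb.Append("\\r");  break;
                case '\t': sb.Append("\\t");  break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.Append('"').ToString();
    }

    // IRI: refuse anything that cannot appear inside <...> rather than trying to repair it.
    public static string FormatUri(Uri uri)
    {
        string s = uri.AbsoluteUri;
        if (s.IndexOfAny(new[] { '<', '>', '"', ' ', '{', '}', '|', '^', '`', '\\' }) >= 0)
            throw new ArgumentException("IRI contains characters not allowed in an IRIREF");
        return "<" + s + ">";
    }

    public void SetLiteral(string name, string value) => _params[name] = FormatLiteral(value);
    public void SetUri(string name, Uri value) => _params[name] = FormatUri(value);

    // Substitute every @name; an unset parameter is an error, never left in the query.
    // Assumes the template has no language tags ("x"@en), which share the @ marker.
    public override string ToString() => Regex.Replace(_text, @"@(\w+)", m =>
        _params.TryGetValue(m.Groups[1].Value, out var v)
            ? v : throw new InvalidOperationException("Parameter not set: " + m.Value));
}
```

With the thread's attempt, `SetLiteral("type", "<http://example.org/myType> ; ?prop ?value")` on the template `SELECT * WHERE {?s a @type}` yields `SELECT * WHERE {?s a "<http://example.org/myType> ; ?prop ?value"}`, and the quote example from the later message yields the literal `"This string contains a \" quote character"`.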