From: Alexander S. <ale...@gm...> - 2010-02-26 16:43:35

Hi Rob,

I like the idea of encapsulating the escaping in TurtleWriterContext. I'll check its escaping capabilities some time later. I didn't understand why there are so many quotation marks in your example...

SparqlParameterizedString doesn't work with parameters starting with @ (the SparqlParameterizedString.ToString method calls Replace without checking whether the parameter starts with @). People who have worked with ADO.NET are used to setting the full parameter name (the @ symbol concatenated with the parameter name). For example, the SQL Server ADO.NET implementation supports both variations: you can add a parameter to the collection with or without the leading @. I think it would be useful to implement similar behaviour. The shortest solution is the following:

    // prepend "@" only when the caller did not already include it
    output = output.Replace((param.StartsWith("@") ? "" : "@") + param,
                            this._writerContext.FormatNode(this._parameters[param], Writing.NodeFormat.UncompressedTurtle));

But maybe it would be better to look at the ADO.NET implementation.

Regards,
Alexander

2010/2/26 <dot...@li...>

> Send Dotnetrdf-develop mailing list submissions to
>         dot...@li...
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         https://lists.sourceforge.net/lists/listinfo/dotnetrdf-develop
> or, via email, send a message with subject or body 'help' to
>         dot...@li...
>
> You can reach the person managing the list at
>         dot...@li...
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Dotnetrdf-develop digest..."
>
> Today's Topics:
>
>    1. Re: Dotnetrdf-develop Digest, Vol 3, Issue 3 (Alexander Sidorov)
>    2. Re: SPARQL Parameterized String (Rob Vesse)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 26 Feb 2010 14:21:01 +0100
> From: Alexander Sidorov <ale...@gm...>
> Subject: Re: [dotNetRDF-develop] Dotnetrdf-develop Digest, Vol 3, Issue 3
> To: dot...@li...
> Message-ID: <828...@ma...>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi Rob,
>
> In general I like the approach you have chosen. But I looked through the
> sources and haven't found any escaping. What if the literal from your
> example contains a quotation mark? At the moment I can't tell exactly which
> symbols should be escaped... but you can look at the SqlCommand sources. Also
> there is some information about it in the presentation (for example, slide 35).
>
> Regards,
> Alexander
>
> 2010/2/26 <dot...@li...>
>
> > Today's Topics:
> >
> >    1. SPARQL escaping helper class (Alexander Sidorov)
> >    2. Re: SPARQL escaping helper class (Rob Vesse)
> >
> > ----------------------------------------------------------------------
> >
> > Message: 1
> > Date: Fri, 26 Feb 2010 10:00:11 +0100
> > From: Alexander Sidorov <ale...@gm...>
> > Subject: [dotNetRDF-develop] SPARQL escaping helper class
> > To: dot...@li...
> > Message-ID: <828...@ma...>
> > Content-Type: text/plain; charset="iso-8859-1"
> >
> > Hello!
> >
> > I think it would be useful to have a helper class for escaping SPARQL
> > queries (look at this:
> > http://www.slideshare.net/Morelab/sparqlrdqlsparul-injection).
> >
> > Regards,
> > Alexander
> >
> > ------------------------------
> >
> > Message: 2
> > Date: Fri, 26 Feb 2010 12:00:42 -0000
> > From: "Rob Vesse" <ra...@ec...>
> > Subject: Re: [dotNetRDF-develop] SPARQL escaping helper class
> > To: "'dotNetRDF Developer Discussion and Feature Request'"
> >         <dot...@li...>
> > Cc: ale...@gm...
> > Message-ID: <EMEW3|6a27e0494e3d986b456109309e7d7fffm1PC0p06rav08r|ecs.soton.ac.uk|004a01cab6db$522b4160$f681c420$@soton.ac.uk>
> > Content-Type: text/plain; charset="us-ascii"
> >
> > Hi Alexander
> >
> > That is an excellent suggestion, I have added a SparqlParameterizedString
> > class as of revision 631. It takes a base query string with parameters in
> > the ADO.Net style like so:
> >
> >     SparqlParameterizedString queryString = new
> >         SparqlParameterizedString("SELECT * WHERE {?s a @type}");
> >
> > Or you can initialise an empty string and then use the QueryText property
> > to get/set/append to the raw query text.
> >
> > Then there's a variety of methods for setting the parameters (SetLiteral,
> > SetUri and SetBlankNode) which insert values for the parameters e.g.
> >
> >     queryString.SetUri("type", new Uri("http://example.org/myType"));
> >
> > The actual value of the query string is returned by the ToString() method,
> > so for the above example ToString() returns the following:
> >
> >     SELECT * WHERE {?s a <http://example.org/myType>}
> >
> > If the user was to instead try to inject something by setting a string like
> > so, this wouldn't work; they'd simply get back the entire thing enclosed in
> > the literal, so they can't change the value of the original query.
> >
> >     queryString.SetLiteral("type", "<http://example.org/myType> ; ?prop ?value");
> >
> > Results in:
> >
> >     SELECT * WHERE {?s a "<http://example.org/myType> ; ?prop ?value"}
> >
> > Take a look and let me know what you think of it - does it do everything
> > you need/want it to?
> >
> > The class is also reusable in that if you set a parameter that has already
> > been set it just changes the value for that parameter, so that next time you
> > call ToString() you get the query with the new parameter values inserted,
> > i.e. you don't have to instantiate a new instance of the class if you want
> > to make a query multiple times and substitute in different values each
> > time.
> >
> > Thanks,
> >
> > Rob
> >
> > ------------------------------
> >
> > _______________________________________________
> > Dotnetrdf-develop mailing list
> > Dot...@li...
> > https://lists.sourceforge.net/lists/listinfo/dotnetrdf-develop
> >
> > End of Dotnetrdf-develop Digest, Vol 3, Issue 3
> > ***********************************************
>
> ------------------------------
>
> Message: 2
> Date: Fri, 26 Feb 2010 15:00:36 -0000
> From: "Rob Vesse" <ra...@ec...>
> Subject: Re: [dotNetRDF-develop] SPARQL Parameterized String
> To: "'dotNetRDF Developer Discussion and Feature Request'"
>         <dot...@li...>
> Message-ID: <EMEW3|3e15d6d36b0f21d15dcd204abbd6395em1PF0l06rav08r|ecs.soton.ac.uk|009601cab6f4$741c2f00$5c548d00$@soton.ac.uk>
> Content-Type: text/plain; charset="us-ascii"
>
> Hi Alexander
>
> For the purposes of standardisation the escaping is handled by the fact
> that the TurtleWriterContext class already does all the escaping we need. If
> you look at the ToString() method you'll see it calls the FormatNode method of
> its local instance of this class, which outputs the Node as an appropriate
> string with escapes as necessary.
>
> It is not necessary to be quite as paranoid as the slides suggest since, as
> long as we format the value into valid Turtle syntax for the Node, it
> will be perfectly safe in a SPARQL query. For example if you were to use a
> literal with a quote it would insert it as a long literal in the SPARQL
> query e.g.
>
>     SparqlParameterizedString queryString = new SparqlParameterizedString();
>     queryString.QueryText = @"PREFIX : <http://example.org/>
>     SELECT * WHERE {?s :property @value}";
>     queryString.SetLiteral("value", "This string contains a \" quote character");
>
> Results in the following SPARQL string when ToString() is called:
>
>     PREFIX : <http://example.org/>
>     SELECT * WHERE {?s :property """This string contains a " quote character"""}
>
> Which is a valid long literal and doesn't allow stuff to be injected; even
> if Unicode (\u and \U) escapes are used like the slides discuss, this
> doesn't matter, since the value just remains encoded as part of the string
> and can't be used to break out of the quotes and inject stuff into the query.
>
> Rob
>
> ------------------------------
>
> End of Dotnetrdf-develop Digest, Vol 3, Issue 4
> ***********************************************
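The ADO.NET-style parameter handling Alexander asks for, together with the escaping Rob describes, as an added example written for this thread. It is not dotNetRDF's SparqlParameterizedString and does not reproduce TurtleWriterContext; the class name ParameterizedSparql, its methods and the sample query are assumptions. It accepts a parameter name with or without the leading @, escapes literals with the backslash escapes the SPARQL grammar's ECHAR production allows rather than wrapping them in a long literal (which a value containing three consecutive quotes could otherwise terminate), refuses IRIs that contain characters the IRIREF production forbids, and substitutes whole @name tokens only, so @type is never replaced inside @typeName and a language tag such as "text"@en is left alone.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using System.Text.RegularExpressions;

// Hypothetical ADO.NET-style parameterized SPARQL builder written for this thread.
// It is not dotNetRDF's SparqlParameterizedString and does not use TurtleWriterContext.
public sealed class ParameterizedSparql
{
    // A parameter reference is "@name" that is not a language tag ("..."@en).
    private static readonly Regex ParamRef = new Regex(@"(?<![""'])@([A-Za-z_][A-Za-z0-9_]*)");
    // Characters the IRIREF production forbids inside <...>.
    private static readonly Regex BadIriChar = new Regex(@"[<>""{}|^`\\\x00-\x20]");

    private readonly string _template;
    private readonly Dictionary<string, string> _formatted = new Dictionary<string, string>(StringComparer.Ordinal);

    public ParameterizedSparql(string template) { _template = template ?? throw new ArgumentNullException(nameof(template)); }

    // Accept both "type" and "@type", as SqlParameterCollection does.
    private static string Normalize(string name)
    {
        if (string.IsNullOrEmpty(name)) throw new ArgumentException("parameter name is empty", nameof(name));
        return name[0] == '@' ? name.Substring(1) : name;
    }

    public ParameterizedSparql SetLiteral(string name, string value) { _formatted[Normalize(name)] = FormatLiteral(value); return this; }
    public ParameterizedSparql SetUri(string name, Uri value) { _formatted[Normalize(name)] = FormatIri(value); return this; }

    // Quote a string literal with the ECHAR escapes the SPARQL grammar allows
    // (\t \b \n \r \f \" \' \\), so no value can close the surrounding quotes.
    public static string FormatLiteral(string value)
    {
        if (value == null) throw new ArgumentNullException(nameof(value));
        var sb = new StringBuilder(value.Length + 2).Append('"');
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\\"); break;
                case '"':  sb.Append("\\\""); break;
                case '\n': sb.Append(@"\n"); break;
                case '\r': sb.Append(@"\r"); break;
                case '\t': sb.Append(@"\t"); break;
                case '\b': sb.Append(@"\b"); break;
                case '\f': sb.Append(@"\f"); break;
                default:   sb.Append(c);     break;
            }
        }
        return sb.Append('"').ToString();
    }

    // IRIREF has no escape for its forbidden characters, so refuse such values
    // rather than emit something that could close the <...>.
    public static string FormatIri(Uri value)
    {
        if (value == null) throw new ArgumentNullException(nameof(value));
        string iri = value.OriginalString;
        if (!value.IsAbsoluteUri || BadIriChar.IsMatch(iri))
            throw new ArgumentException("not a valid absolute IRI for SPARQL: " + iri);
        return "<" + iri + ">";
    }

    // Substitute whole @name tokens only, so @type never matches inside @typeName,
    // and fail loudly on a parameter that was referenced but never set.
    public override string ToString()
    {
        return ParamRef.Replace(_template, m =>
            _formatted.TryGetValue(m.Groups[1].Value, out string formatted)
                ? formatted
                : throw new InvalidOperationException("parameter @" + m.Groups[1].Value + " was not set"));
    }
}

public static class Demo
{
    public static void Main()
    {
        var q = new ParameterizedSparql("SELECT * WHERE { ?s a @type ; <http://example.org/label> @label }");

        // The same parameter may be named with or without the leading '@'.
        q.SetUri("@type", new Uri("http://example.org/myType"));

        // The injection attempt from the thread plus a quote and a newline (constructed input).
        q.SetLiteral("label", "x\" . ?s ?p ?o . FILTER(\"\n<http://example.org/myType> ; ?prop ?value");

        Console.WriteLine(q.ToString());
    }
}
```

Running it prints the query with the payload confined to a single quoted literal, the embedded quote and newline written as \" and \n. Two choices are deliberate: a parameter referenced in the template but never set makes ToString() throw instead of shipping a query with a bare @name, and an IRI containing a space, an angle bracket or a quote is rejected outright because the IRIREF production has no way to escape those characters.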