Menu
▾
▴
Re: [dotNetRDF-develop] Dotnetrdf-develop Digest, Vol 3, Issue 4
|
From: Alexander S. <ale...@gm...> - 2010-02-26 16:43:35
|
Hi Rob, I like the idea of escaping encapsulation into TurtleWriterContext. I'll check it's escaping capabilities some time later. I didn't understand, why there are so many quotations in your example... SparqlParameterizedString doesn't work with parameters starting with @ (SparqlParameterizedString.ToString method calles replace without checking if parameter starts from @). People who worked with ADO.NET are used to setting full parameter name (@ symbol concatenated with parameter name). For example, SQL Server ADO.NET implementation supports both variations: you can add parameter to collection with or without starting @. I think it would be useful to implement similar behaviour. The shortest solution is the follosing: output = output.Replace(param.StartsWith("@")? "" : "@" + param, this._writerContext.FormatNode(this._parameters[param], Writing.NodeFormat.UncompressedTurtle)); But may be it would be better to look at ADO.NET implementation. Regards, Alexander 2010/2/26 <dot...@li...> > Send Dotnetrdf-develop mailing list submissions to > dot...@li... > > To subscribe or unsubscribe via the World Wide Web, visit > https://lists.sourceforge.net/lists/listinfo/dotnetrdf-develop > or, via email, send a message with subject or body 'help' to > dot...@li... > > You can reach the person managing the list at > dot...@li... > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of Dotnetrdf-develop digest..." > > > Today's Topics: > > 1. Re: Dotnetrdf-develop Digest, Vol 3, Issue 3 (Alexander Sidorov) > 2. Re: SPARQL Parameterized String (Rob Vesse) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Fri, 26 Feb 2010 14:21:01 +0100 > From: Alexander Sidorov <ale...@gm...> > Subject: Re: [dotNetRDF-develop] Dotnetrdf-develop Digest, Vol 3, > Issue 3 > To: dot...@li... > Message-ID: > <828...@ma...> > Content-Type: text/plain; charset="iso-8859-1" > > Hi Rob, > > In general I like the approach you have chosen. But I looked through the > sources and haven't found any escaping. What if the literal from your > example contains quotation? At the moment I can't tell what symbols exactly > should be escaped... but you can look at SqlCommand sources. Also there is > some information about it in the presentation (for example, slide 35). > > Regards, > Alexander > > 2010/2/26 <dot...@li...> > > > Send Dotnetrdf-develop mailing list submissions to > > dot...@li... > > > > To subscribe or unsubscribe via the World Wide Web, visit > > https://lists.sourceforge.net/lists/listinfo/dotnetrdf-develop > > or, via email, send a message with subject or body 'help' to > > dot...@li... > > > > You can reach the person managing the list at > > dot...@li... > > > > When replying, please edit your Subject line so it is more specific > > than "Re: Contents of Dotnetrdf-develop digest..." > > > > > > Today's Topics: > > > > 1. SPARQL escaping helper class (Alexander Sidorov) > > 2. Re: SPARQL escaping helper class (Rob Vesse) > > > > > > ---------------------------------------------------------------------- > > > > Message: 1 > > Date: Fri, 26 Feb 2010 10:00:11 +0100 > > From: Alexander Sidorov <ale...@gm...> > > Subject: [dotNetRDF-develop] SPARQL escaping helper class > > To: dot...@li... > > Message-ID: > > <828...@ma...> > > Content-Type: text/plain; charset="iso-8859-1" > > > > Hello! > > > > I think it would be useful to have a helper class for escaping SPARQL > > queries (look this: > > http://www.slideshare.net/Morelab/sparqlrdqlsparul-injection). > > > > Regards, > > Alexander > > -------------- next part -------------- > > An HTML attachment was scrubbed... > > > > ------------------------------ > > > > Message: 2 > > Date: Fri, 26 Feb 2010 12:00:42 -0000 > > From: "Rob Vesse" <ra...@ec...> > > Subject: Re: [dotNetRDF-develop] SPARQL escaping helper class > > To: "'dotNetRDF Developer Discussion and Feature Request'" > > <dot...@li...> > > Cc: ale...@gm... > > Message-ID: > > <EMEW3|6a27e0494e3d986b456109309e7d7fffm1PC0p06rav08r| > > ecs.soton.ac.uk|004a01cab6db$522b4160$f681c420$@soton.ac.uk> > > > > Content-Type: text/plain; charset="us-ascii" > > > > Hi Alexander > > > > > > > > That is an excellent suggestion, I have added a SparqlParameterizedString > > class as of revision 631. It takes a base query string with parameters > in > > the ADO.Net style like so: > > > > > > > > SparqlParameterizedString queryString = new > > SparqlParameterizedString("SELECT * WHERE {?s a @type}"); > > > > > > > > Or you can initialise an empty string and then use the QueryText property > > to > > get/set/append to the raw query text > > > > Then there's a variety of methods for setting the parameters (SetLiteral, > > SetUri and SetBlankNode) which insert values for the parameters e.g. > > > > > > > > queryString.SetUri("type", new Uri("http://example.org/myType")); > > > > > > > > The actual value of the query string is returned by the ToString() > method, > > so for the above example ToString() returns the following: > > > > > > > > SELECT * WHERE {?s a <http://example.org/myType>} > > > > > > > > If the user was to instead try to inject something by setting a string > like > > so this wouldn't work, they'd simply get back the entire thing enclosed > in > > the literal so they can't change the value of the original query. > > > > > > > > queryString.SetLiteral("type", "<http://example.org/myType> ; ?prop > > ?value"); > > > > > > > > Results in: > > > > > > > > SELECT * WHERE {?s a "<http://example.org/myType> ; ?prop ?value"} > > > > > > > > Take a look and let me know what you think of it - does it do everything > > you > > need/want it to? > > > > > > > > The class is also reusable in that if you set a parameter that has > already > > been set it just changes the value for that parameter so that next time > you > > call ToString() you get the query with the new parameter values inserted > > i.e. you don't have to instantiate a new instance of the class if you > want > > to make a query multiple times and substitute in different values each > > time. > > > > > > > > Thanks, > > > > Rob > > > > > > > > From: Alexander Sidorov [mailto:ale...@gm...] > > Sent: 26 February 2010 09:00 > > To: dot...@li... > > Subject: [dotNetRDF-develop] SPARQL escaping helper class > > > > > > > > Hello! > > > > I think it would be useful to have a helper class for escaping SPARQL > > queries (look this: > > http://www.slideshare.net/Morelab/sparqlrdqlsparul-injection). > > > > Regards, > > Alexander > > > > -------------- next part -------------- > > An HTML attachment was scrubbed... > > > > ------------------------------ > > > > > > > ------------------------------------------------------------------------------ > > Download Intel® Parallel Studio Eval > > Try the new software tools for yourself. Speed compiling, find bugs > > proactively, and fine-tune applications for parallel performance. > > See why Intel Parallel Studio got high marks during beta. > > http://p.sf.net/sfu/intel-sw-dev > > > > ------------------------------ > > > > _______________________________________________ > > Dotnetrdf-develop mailing list > > Dot...@li... > > https://lists.sourceforge.net/lists/listinfo/dotnetrdf-develop > > > > > > End of Dotnetrdf-develop Digest, Vol 3, Issue 3 > > *********************************************** > > > -------------- next part -------------- > An HTML attachment was scrubbed... > > ------------------------------ > > Message: 2 > Date: Fri, 26 Feb 2010 15:00:36 -0000 > From: "Rob Vesse" <ra...@ec...> > Subject: Re: [dotNetRDF-develop] SPARQL Parameterized String > To: "'dotNetRDF Developer Discussion and Feature Request'" > <dot...@li...> > Message-ID: > <EMEW3|3e15d6d36b0f21d15dcd204abbd6395em1PF0l06rav08r| > ecs.soton.ac.uk|009601cab6f4$741c2f00$5c548d00$@soton.ac.uk> > > Content-Type: text/plain; charset="us-ascii" > > Hi Alexander > > > > For the purposes of standardisation the escaping is handled by the fact > that > the TurtleWriterContext class already does all the escaping we need. If > you > look at the ToString() method you'll see if calls the FormatNode method of > its local instance of this class which outputs the Node as an appropriate > string with escapes as necessary. > > > > It is not necessary to be quite as paranoid as the slides suggest since as > long as we format the value into valid Turtle syntax for the Node then it > will be perfectly safe in a SPARQL query. For example if you were to use a > literal with a quote it would insert it as a long literal in the SPARQL > query e.g. > > > > SparqlParameterizedString queryString = new SparqlParameterizedString(); > > queryString.QueryText = @"PREFIX : <http://example.org/> > > SELECT * WHERE {?s :property @value}"; > > queryString.SetLiteral("value", "This string contains a \" quote > character"); > > > > Results in the following SPARQL string when ToString() is called: > > > > PREFIX : <http://example.org> > > SELECT * WHERE {?s :property """This string contains a " quote > character"""} > > > > Which is a valid long literal and doesn't allow stuff to be injected, even > if Unicode (\u and \U) escapes are used like the slides discuss this > doesn't > matter since the value just remains encoded as part of the string and can't > be used to break out of the quotes and inject stuff into the query. > > > > Rob > > > > From: Alexander Sidorov [mailto:ale...@gm...] > Sent: 26 February 2010 13:21 > To: dot...@li... > Subject: Re: [dotNetRDF-develop] Dotnetrdf-develop Digest, Vol 3, Issue 3 > > > > Hi Rob, > > In general I like the approach you have chosen. But I looked through the > sources and haven't found any escaping. What if the literal from your > example contains quotation? At the moment I can't tell what symbols exactly > should be escaped... but you can look at SqlCommand sources. Also there is > some information about it in the presentation (for example, slide 35). > > Regards, > Alexander > > 2010/2/26 <dot...@li...> > > Send Dotnetrdf-develop mailing list submissions to > dot...@li... > > To subscribe or unsubscribe via the World Wide Web, visit > https://lists.sourceforge.net/lists/listinfo/dotnetrdf-develop > or, via email, send a message with subject or body 'help' to > dot...@li... > > You can reach the person managing the list at > dot...@li... > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of Dotnetrdf-develop digest..." > > > Today's Topics: > > 1. SPARQL escaping helper class (Alexander Sidorov) > 2. Re: SPARQL escaping helper class (Rob Vesse) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Fri, 26 Feb 2010 10:00:11 +0100 > From: Alexander Sidorov <ale...@gm...> > Subject: [dotNetRDF-develop] SPARQL escaping helper class > To: dot...@li... > Message-ID: > <828...@ma...> > Content-Type: text/plain; charset="iso-8859-1" > > Hello! > > I think it would be useful to have a helper class for escaping SPARQL > queries (look this: > http://www.slideshare.net/Morelab/sparqlrdqlsparul-injection). > > Regards, > Alexander > -------------- next part -------------- > An HTML attachment was scrubbed... > > ------------------------------ > > Message: 2 > Date: Fri, 26 Feb 2010 12:00:42 -0000 > From: "Rob Vesse" <ra...@ec...> > Subject: Re: [dotNetRDF-develop] SPARQL escaping helper class > To: "'dotNetRDF Developer Discussion and Feature Request'" > <dot...@li...> > Cc: ale...@gm... > Message-ID: > > <EMEW3|6a27e0494e3d986b456109309e7d7fffm1PC0p06rav08r|ecs.soton.ac.uk > |004a01 > cab6db$522b4160$f681c420$@soton.ac.uk> > > Content-Type: text/plain; charset="us-ascii" > > Hi Alexander > > > > That is an excellent suggestion, I have added a SparqlParameterizedString > class as of revision 631. It takes a base query string with parameters in > the ADO.Net style like so: > > > > SparqlParameterizedString queryString = new > SparqlParameterizedString("SELECT * WHERE {?s a @type}"); > > > > Or you can initialise an empty string and then use the QueryText property > to > get/set/append to the raw query text > > Then there's a variety of methods for setting the parameters (SetLiteral, > SetUri and SetBlankNode) which insert values for the parameters e.g. > > > > queryString.SetUri("type", new Uri("http://example.org/myType")); > > > > The actual value of the query string is returned by the ToString() method, > so for the above example ToString() returns the following: > > > > SELECT * WHERE {?s a <http://example.org/myType>} > > > > If the user was to instead try to inject something by setting a string like > so this wouldn't work, they'd simply get back the entire thing enclosed in > the literal so they can't change the value of the original query. > > > > queryString.SetLiteral("type", "<http://example.org/myType> ; ?prop > ?value"); > > > > Results in: > > > > SELECT * WHERE {?s a "<http://example.org/myType> ; ?prop ?value"} > > > > Take a look and let me know what you think of it - does it do everything > you > need/want it to? > > > > The class is also reusable in that if you set a parameter that has already > been set it just changes the value for that parameter so that next time you > call ToString() you get the query with the new parameter values inserted > i.e. you don't have to instantiate a new instance of the class if you want > to make a query multiple times and substitute in different values each > time. > > > > Thanks, > > Rob > > > > From: Alexander Sidorov [mailto:ale...@gm...] > Sent: 26 February 2010 09:00 > To: dot...@li... > Subject: [dotNetRDF-develop] SPARQL escaping helper class > > > > Hello! > > I think it would be useful to have a helper class for escaping SPARQL > queries (look this: > http://www.slideshare.net/Morelab/sparqlrdqlsparul-injection). > > Regards, > Alexander > > -------------- next part -------------- > An HTML attachment was scrubbed... > > ------------------------------ > > > ---------------------------------------------------------------------------- > -- > Download Intel® Parallel Studio Eval > Try the new software tools for yourself. Speed compiling, find bugs > proactively, and fine-tune applications for parallel performance. > See why Intel Parallel Studio got high marks during beta. > http://p.sf.net/sfu/intel-sw-dev > > ------------------------------ > > _______________________________________________ > Dotnetrdf-develop mailing list > Dot...@li... > https://lists.sourceforge.net/lists/listinfo/dotnetrdf-develop > > > End of Dotnetrdf-develop Digest, Vol 3, Issue 3 > *********************************************** > > > > -------------- next part -------------- > An HTML attachment was scrubbed... > > ------------------------------ > > > ------------------------------------------------------------------------------ > Download Intel® Parallel Studio Eval > Try the new software tools for yourself. Speed compiling, find bugs > proactively, and fine-tune applications for parallel performance. > See why Intel Parallel Studio got high marks during beta. > http://p.sf.net/sfu/intel-sw-dev > > ------------------------------ > > _______________________________________________ > Dotnetrdf-develop mailing list > Dot...@li... > https://lists.sourceforge.net/lists/listinfo/dotnetrdf-develop > > > End of Dotnetrdf-develop Digest, Vol 3, Issue 4 > *********************************************** > |
