From: Rob V. <ra...@ec...> - 2010-02-26 17:13:53
Hi Alexander

There were lots of quotes in the example since it was a long literal; actually I think in reality it would just escape the quote as a \" rather than generating a long literal.

Have changed SparqlParameterizedString in revision 635 so it accepts parameter names with/without the @ at the start. Made the change in the SetParameter() function where I insert the values into the parameter dictionary instead of the ToString() method, since I prefer to store the parameter names without the @ on the front, since it's implicit in the fact that it's a parameter.

Rob

From: Alexander Sidorov [mailto:ale...@gm...]
Sent: 26 February 2010 16:43
To: dot...@li...
Subject: Re: [dotNetRDF-develop] Dotnetrdf-develop Digest, Vol 3, Issue 4

Hi Rob,

I like the idea of encapsulating escaping in TurtleWriterContext. I'll check its escaping capabilities some time later.

I didn't understand why there are so many quotations in your example...

SparqlParameterizedString doesn't work with parameters starting with @ (the SparqlParameterizedString.ToString method calls Replace without checking if the parameter starts with @). People who worked with ADO.NET are used to setting the full parameter name (the @ symbol concatenated with the parameter name). For example, the SQL Server ADO.NET implementation supports both variations: you can add a parameter to the collection with or without the starting @. I think it would be useful to implement similar behaviour. The shortest solution is the following:

// Prepend the @ only when the stored parameter name lacks it, so that
// the placeholder "@name" is always what gets replaced in the query text.
output = output.Replace((param.StartsWith("@") ? "" : "@") + param, this._writerContext.FormatNode(this._parameters[param], Writing.NodeFormat.UncompressedTurtle));

But maybe it would be better to look at the ADO.NET implementation.

Regards,
Alexander

2010/2/26 <dot...@li...>

Send Dotnetrdf-develop mailing list submissions to
dot...@li...

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.sourceforge.net/lists/listinfo/dotnetrdf-develop
or, via email, send a message with subject or body 'help' to
dot...@li...
You can reach the person managing the list at
dot...@li...

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Dotnetrdf-develop digest..."

Today's Topics:

1. Re: Dotnetrdf-develop Digest, Vol 3, Issue 3 (Alexander Sidorov)
2. Re: SPARQL Parameterized String (Rob Vesse)

----------------------------------------------------------------------

Message: 1
Date: Fri, 26 Feb 2010 14:21:01 +0100
From: Alexander Sidorov <ale...@gm...>
Subject: Re: [dotNetRDF-develop] Dotnetrdf-develop Digest, Vol 3, Issue 3
To: dot...@li...
Message-ID: <828...@ma...>
Content-Type: text/plain; charset="iso-8859-1"

Hi Rob,

In general I like the approach you have chosen. But I looked through the sources and haven't found any escaping. What if the literal from your example contains a quotation? At the moment I can't tell which symbols exactly should be escaped... but you can look at the SqlCommand sources. Also there is some information about it in the presentation (for example, slide 35).

Regards,
Alexander

2010/2/26 <dot...@li...>

> Today's Topics:
>
> 1. SPARQL escaping helper class (Alexander Sidorov)
> 2. Re: SPARQL escaping helper class (Rob Vesse)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 26 Feb 2010 10:00:11 +0100
> From: Alexander Sidorov <ale...@gm...>
> Subject: [dotNetRDF-develop] SPARQL escaping helper class
> To: dot...@li...
> Message-ID: <828...@ma...>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hello!
>
> I think it would be useful to have a helper class for escaping SPARQL
> queries (look at this:
> http://www.slideshare.net/Morelab/sparqlrdqlsparul-injection).
>
> Regards,
> Alexander
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
>
> ------------------------------
>
> Message: 2
> Date: Fri, 26 Feb 2010 12:00:42 -0000
> From: "Rob Vesse" <ra...@ec...>
> Subject: Re: [dotNetRDF-develop] SPARQL escaping helper class
> To: "'dotNetRDF Developer Discussion and Feature Request'" <dot...@li...>
> Cc: ale...@gm...
> Message-ID: <EMEW3|6a27e0494e3d986b456109309e7d7fffm1PC0p06rav08r|ecs.soton.ac.uk|004a01cab6db$522b4160$f681c420$@soton.ac.uk>
> Content-Type: text/plain; charset="us-ascii"
>
> Hi Alexander
>
> That is an excellent suggestion, I have added a SparqlParameterizedString class as of revision 631. It takes a base query string with parameters in the ADO.Net style like so:
>
> SparqlParameterizedString queryString = new SparqlParameterizedString("SELECT * WHERE {?s a @type}");
>
> Or you can initialise an empty string and then use the QueryText property to get/set/append to the raw query text.
>
> Then there's a variety of methods for setting the parameters (SetLiteral, SetUri and SetBlankNode) which insert values for the parameters e.g.
>
> queryString.SetUri("type", new Uri("http://example.org/myType"));
>
> The actual value of the query string is returned by the ToString() method, so for the above example ToString() returns the following:
>
> SELECT * WHERE {?s a <http://example.org/myType>}
>
> If the user was to instead try to inject something by setting a string like so this wouldn't work; they'd simply get back the entire thing enclosed in the literal, so they can't change the value of the original query.
>
> queryString.SetLiteral("type", "<http://example.org/myType> ; ?prop ?value");
>
> Results in:
>
> SELECT * WHERE {?s a "<http://example.org/myType> ; ?prop ?value"}
>
> Take a look and let me know what you think of it - does it do everything you need/want it to?
>
> The class is also reusable in that if you set a parameter that has already been set it just changes the value for that parameter, so that next time you call ToString() you get the query with the new parameter values inserted, i.e. you don't have to instantiate a new instance of the class if you want to make a query multiple times and substitute in different values each time.
>
> Thanks,
>
> Rob
>
> From: Alexander Sidorov [mailto:ale...@gm...]
> Sent: 26 February 2010 09:00
> To: dot...@li...
> Subject: [dotNetRDF-develop] SPARQL escaping helper class
>
> ------------------------------------------------------------------------------
> Download Intel® Parallel Studio Eval
> Try the new software tools for yourself. Speed compiling, find bugs
> proactively, and fine-tune applications for parallel performance.
> See why Intel Parallel Studio got high marks during beta.
> http://p.sf.net/sfu/intel-sw-dev
>
> ------------------------------
>
> _______________________________________________
> Dotnetrdf-develop mailing list
> Dot...@li...
> https://lists.sourceforge.net/lists/listinfo/dotnetrdf-develop
>
> End of Dotnetrdf-develop Digest, Vol 3, Issue 3
> ***********************************************
------------------------------

Message: 2
Date: Fri, 26 Feb 2010 15:00:36 -0000
From: "Rob Vesse" <ra...@ec...>
Subject: Re: [dotNetRDF-develop] SPARQL Parameterized String
To: "'dotNetRDF Developer Discussion and Feature Request'" <dot...@li...>
Message-ID: <EMEW3|3e15d6d36b0f21d15dcd204abbd6395em1PF0l06rav08r|ecs.soton.ac.uk|009601cab6f4$741c2f00$5c548d00$@soton.ac.uk>
Content-Type: text/plain; charset="us-ascii"

Hi Alexander

For the purposes of standardisation the escaping is handled by the fact that the TurtleWriterContext class already does all the escaping we need. If you look at the ToString() method you'll see it calls the FormatNode method of its local instance of this class, which outputs the Node as an appropriate string with escapes as necessary.

It is not necessary to be quite as paranoid as the slides suggest, since as long as we format the value into valid Turtle syntax for the Node then it will be perfectly safe in a SPARQL query. For example, if you were to use a literal with a quote it would insert it as a long literal in the SPARQL query, e.g.

SparqlParameterizedString queryString = new SparqlParameterizedString();
queryString.QueryText = @"PREFIX : <http://example.org/>
SELECT * WHERE {?s :property @value}";
queryString.SetLiteral("value", "This string contains a \" quote character");

Results in the following SPARQL string when ToString() is called:

PREFIX : <http://example.org>
SELECT * WHERE {?s :property """This string contains a " quote character"""}

Which is a valid long literal and doesn't allow stuff to be injected. Even if Unicode (\u and \U) escapes are used like the slides discuss, this doesn't matter, since the value just remains encoded as part of the string and can't be used to break out of the quotes and inject stuff into the query.

Rob

From: Alexander Sidorov [mailto:ale...@gm...]
Sent: 26 February 2010 13:21
To: dot...@li...
Subject: Re: [dotNetRDF-develop] Dotnetrdf-develop Digest, Vol 3, Issue 3

------------------------------

End of Dotnetrdf-develop Digest, Vol 3, Issue 4
***********************************************
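The behaviour the thread converges on, written out as an added, self-contained example (this is not dotNetRDF's code; the class and function names ParameterizedQuery, format_literal and format_uri are hypothetical, and the sample queries are the ones from Rob's messages): ADO.NET-style @name placeholders, parameter names accepted with or without the leading @ and stored without it, string values inserted only after escaping per the Turtle/SPARQL string-literal (ECHAR) rules, and URIs checked against the characters an IRIREF forbids rather than escaped. It goes slightly beyond the thread in two places that are flagged in the comments: the placeholder regex deliberately skips the @ of a language tag such as "chat"@en, and it uses a single-line escaped literal, which is what Rob says the implementation would do in reality, rather than the long-literal form his earlier message showed.

```python
import re

# Added illustration of the parameterised-query approach discussed on the
# list: ADO.NET-style @name placeholders, values inserted only as formatted
# SPARQL/Turtle terms. Hypothetical names; this is not dotNetRDF's code.

# A placeholder is "@" followed by an identifier, but not the "@" of a
# language tag such as "chat"@en, which directly follows a closing quote.
_PLACEHOLDER = re.compile(r'(?<!["\'])@([A-Za-z_][A-Za-z0-9_]*)')

# Escapes the Turtle/SPARQL grammar defines for string literals (ECHAR).
_ECHAR = {
    "\\": "\\\\",
    '"': '\\"',
    "\n": "\\n",
    "\r": "\\r",
    "\t": "\\t",
    "\b": "\\b",
    "\f": "\\f",
}


def format_literal(value: str) -> str:
    """Return value as a double-quoted SPARQL string literal.

    Every quote, backslash and control character is escaped, so whatever
    the caller passes stays inside the quotes: an attempted injection
    simply becomes part of the literal, as Rob's example shows.
    """
    return '"' + "".join(_ECHAR.get(ch, ch) for ch in value) + '"'


def format_uri(uri: str) -> str:
    """Return uri as an IRIREF <...>, rejecting characters IRIREF forbids.

    '>' in particular would terminate the IRI early, so it is refused
    rather than escaped (IRIREF has no escape sequence for it).
    """
    forbidden = set('<>"{}|^`\\')
    for ch in uri:
        if ch in forbidden or ord(ch) <= 0x20:
            raise ValueError(f"character {ch!r} not allowed in an IRI reference")
    return f"<{uri}>"


class ParameterizedQuery:
    """Holds a query template and the formatted values for its placeholders."""

    def __init__(self, query_text: str = ""):
        self.query_text = query_text
        self._params = {}

    @staticmethod
    def _name(param: str) -> str:
        # Accept "type" or "@type"; store without the leading @, as the
        # revision 635 change to SetParameter() described on the list does.
        return param[1:] if param.startswith("@") else param

    def set_literal(self, param: str, value: str) -> None:
        self._params[self._name(param)] = format_literal(value)

    def set_uri(self, param: str, uri: str) -> None:
        self._params[self._name(param)] = format_uri(uri)

    def __str__(self) -> str:
        # One regex pass over the template: each placeholder is replaced by
        # its pre-formatted value and values are never rescanned, so a value
        # containing "@other" cannot trigger a second substitution.
        def replace(match):
            name = match.group(1)
            if name not in self._params:
                raise KeyError(f"no value set for parameter @{name}")
            return self._params[name]

        return _PLACEHOLDER.sub(replace, self.query_text)


if __name__ == "__main__":
    q = ParameterizedQuery("SELECT * WHERE {?s a @type}")
    q.set_uri("type", "http://example.org/myType")
    print(q)
    # The same object reused, now with a would-be injection as the literal value:
    q.set_literal("@type", "<http://example.org/myType> ; ?prop ?value")
    print(q)
```

Reusing the object with a new value, as Rob describes, works because the template is kept untouched and substitution happens only when the string is produced; doing the replacement in place on the query text, as the Replace call in the thread does, would make the second ToString() see no placeholders at all.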