With the REST API, you'll be fine. The passed-on value will be bound as a
string, and the original query won't be modified.

trichel <tric...@protonmail.com> schrieb am So., 26. Juni 2022, 19:15:

> Hi Christian,
>
> I'm using the GET method from the BaseX REST API. Up until now I simply
> removed ampersands from a query, just to be safe.
>
> Laurent
>
>
> ------- Original Message -------
> On Sunday, June 26th, 2022 at 7:02 PM, Christian Grün <christian.gr...@gmail.com> wrote:
>
>
> > Hi trichel,
> > Which API are you using to bind the external variables to your query
> > before evaluating it?
> >
> > Best,
> > Christian
> >
> >
> >
> > trichel <tric...@protonmail.com> schrieb am So., 26. Juni 2022, 18:58:
> >
> > > Hello,
> > >
> > > How to write secure queries when the queried text nodes contain
> > > ampersands? For instance:
> > >
> > >
> > > declare variable $publisher external; (: $pub == 'Faber & Faber' :)
> > > declare variable $db := db:open('db');
> > >
> > > let $records := $db/record/publisher[. = $publisher] (: publisher == 'Faber & Faber' :)
> > >
> > >
> > > The external variable is unsafe input, escaped by the sending
> > > application.
> > > Escaping the ampersand in the external variable with &amp; (& a m p ;)
> > > doesn't work, BaseX stops finding hits. Just letting the ampersand pass
> > > might expose the code to injection attacks? I could switch to a full-text
> > > query and remove the ampersand from the external variable, but that's a bit
> > > hackish. The expression is exact.
> > >
> > > How to proceed in a secure way?
>
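Added example, not code from the thread: how the binding Christian describes looks from the client side. The query text stays constant and the value `Faber & Faber` travels as a bound variable, so it needs no `&amp;` escaping on the XQuery side; the only encoding is the transport's own (percent-encoding in a GET URL, XML attribute escaping in a POST body). The endpoint URL is a placeholder, and the `$name=value` GET parameter and `<rest:variable>` POST element follow the BaseX REST documentation as I understand it.

```python
"""Bind an external XQuery variable through the BaseX REST API (added example).

Assumptions: BaseX REST endpoint at http://localhost:8984/rest (placeholder),
GET variables passed as `$name=value` parameters, POST variables passed as
<rest:variable name=".." value=".."/> elements, as in the BaseX REST docs.
"""
from urllib.parse import urlencode, urlsplit, parse_qs
from xml.etree import ElementTree as ET

BASE_URL = "http://localhost:8984/rest"      # placeholder endpoint
REST_NS = "http://basex.org/rest"
ET.register_namespace("rest", REST_NS)

# The query text is a constant: the value arrives via $publisher and is
# never spliced into the query string, so it cannot change the query.
QUERY = (
    "declare variable $publisher external; "
    "db:open('db')/record/publisher[. = $publisher]"
)


def build_get_url(query: str, variables: dict) -> str:
    """GET form: each variable becomes a `$name=value` query parameter.
    urlencode percent-encodes '&' in the value (-> %26), so the server reads
    it as part of the value, not as a parameter separator."""
    params = [("query", query)]
    params += [("$" + name, value) for name, value in variables.items()]
    return BASE_URL + "?" + urlencode(params)


def decoded_variable(url: str, name: str) -> str:
    """Round trip: decode the URL the way the server would and return the
    bound value (expected to be the original string, '&' included)."""
    return parse_qs(urlsplit(url).query)["$" + name][0]


def build_post_body(query: str, variables: dict) -> bytes:
    """POST form: variables are <rest:variable> elements. The XML serializer
    writes '&' as &amp; on the wire; the server decodes it back before
    binding, so the query still sees 'Faber & Faber'."""
    root = ET.Element(f"{{{REST_NS}}}query")
    ET.SubElement(root, f"{{{REST_NS}}}text").text = query
    for name, value in variables.items():
        ET.SubElement(root, f"{{{REST_NS}}}variable", name=name, value=value)
    return ET.tostring(root, encoding="utf-8")


if __name__ == "__main__":
    bound = {"publisher": "Faber & Faber"}   # constructed sample value
    print(build_get_url(QUERY, bound))
    print(build_post_body(QUERY, bound).decode())
```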
