With the REST API, you'll be fine. The passed-on value will be bound as a string, and the original query won't be modified.
trichel <tric...@protonmail.com> wrote on Sun., 26 June 2022, 19:15:
> Hi Christian,
>
> I'm using the GET method from the Basex Rest API. Up until now I simply
> removed ampersands from a query, just to be safe.
>
> Laurent
>
>
> ------- Original Message -------
> On Sunday, June 26th, 2022 at 7:02 PM, Christian Grün <
> christian.gr...@gmail.com> wrote:
>
> > Hi trichel,
> >
> > Which API are you using to bind the external variables to your query
> > before evaluating it?
> >
> > Best,
> > Christian
> >
> >
> > trichel <tric...@protonmail.com> wrote on Sun., 26 June 2022, 18:58:
> >
> > > Hello,
> > >
> > > How to write secure queries when the queried text nodes contain
> > > ampersands? For instance:
> > >
> > > declare variable $publisher external; (: $pub == 'Faber & Faber' :)
> > > declare variable $db := db:open('db');
> > >
> > > let $records := $db/record/publisher[. = $publisher] (: publisher == 'Faber & Faber' :)
> > >
> > > The external variable is unsafe input, escaped by the sending application.
> > > Escaping the ampersand in the external variable with &amp; (& a m p ;)
> > > doesn't work, Basex stops finding hits. Just letting the ampersand pass
> > > might expose the code to injection attacks? I could switch to a full-text
> > > query and remove the ampersand from the external variable, but that's a bit
> > > hackish. The expression is exact.
> > >
> > > How to proceed in a secure way?
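As an added illustration of Christian's point (example code written here, not from the thread or from BaseX itself): the BaseX REST API accepts external variable bindings as request parameters whose name is the variable name prefixed with `$`, and the query text is sent as a separate `query` parameter. The snippet below builds such a GET URL with proper percent-encoding, decodes it the way a server would to show that both the query and the value arrive intact, and contrasts this with the two approaches the thread rejects: splicing the value into the query text, and XML-escaping the value before binding. The base URL `http://localhost:8984/rest/db` and the database name `db` are assumptions for the example.

```python
from urllib.parse import urlencode, quote, urlsplit, parse_qs
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

# Constructed query: the text is a constant. The untrusted value reaches it
# only through the external variable, never through string concatenation.
QUERY = (
    "declare variable $publisher external; "
    "db:open('db')/record/publisher[. = $publisher]"
)


def build_rest_get(base_url: str, query: str, bindings: dict) -> str:
    """Build a BaseX REST GET URL; each binding is sent as a '$name' parameter.

    urlencode percent-encodes every key and value, so an '&' inside a value
    becomes %26 and cannot be read as a parameter separator, and the query
    text itself is transmitted unchanged whatever the value contains.
    """
    params = {"query": query}
    for name, value in bindings.items():
        params["$" + name] = value
    return f"{base_url}?{urlencode(params, quote_via=quote)}"


def server_side_view(url: str) -> dict:
    """Decode the request the way the server does: query and bindings, intact."""
    decoded = parse_qs(urlsplit(url).query)
    return {key: values[0] for key, values in decoded.items()}


def interpolated_query(value: str) -> str:
    """The approach to avoid: splicing the value into the query text.

    A quote character in the value then changes the query's structure instead
    of being compared as data (a value like O'Reilly already breaks it).
    """
    return f"db:open('db')/record/publisher[. = '{value}']"


def value_matches(value: str, node_xml: str, xml_escape_first: bool) -> bool:
    """Why XML-escaping the bound value loses hits: a text node's string value
    is already unescaped ('&', not '&amp;'), so '&amp;' never equals it."""
    node_text = ET.fromstring(node_xml).text
    candidate = escape(value) if xml_escape_first else value
    return candidate == node_text


if __name__ == "__main__":
    url = build_rest_get("http://localhost:8984/rest/db", QUERY,
                         {"publisher": "Faber & Faber"})
    print(url)
    print(server_side_view(url))
    node = "<publisher>Faber &amp; Faber</publisher>"  # constructed sample node
    print(value_matches("Faber & Faber", node, xml_escape_first=False))  # True
    print(value_matches("Faber & Faber", node, xml_escape_first=True))   # False
```

The only encoding the caller has to get right is the HTTP one (percent-encoding of the parameter), which `urlencode` handles; the XML-level ampersand needs no treatment, because the server binds the decoded string as a plain `xs:string` and compares it against the already-unescaped text node value.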