BaseX just always surprises in a positive way. I've been worrying all this time 
about injection attacks, which I will continue to do, but now in a different 
way ...

Thanks, Christian


Sent with Proton Mail secure email.

------- Original Message -------
On Sunday, June 26th, 2022 at 7:21 PM, Christian Grün 
<christian.gr...@gmail.com> wrote:


> With the REST API, you'll be fine. The passed-on value will be bound as a 
> string, and the original query won't be modified.
>
>
>
> trichel <tric...@protonmail.com> schrieb am So., 26. Juni 2022, 19:15:
>
> > Hi Christian,
> >
> > I'm using the GET method from the BaseX REST API. Up until now I simply 
> > removed ampersands from a query, just to be safe.
> >
> > Laurent
> >
> >
> > ------- Original Message -------
> > On Sunday, June 26th, 2022 at 7:02 PM, Christian Grün 
> > <christian.gr...@gmail.com> wrote:
> >
> >
> > > Hi trichel,
> > > Which API are you using to bind the external variables to your query 
> > > before evaluating it?
> > >
> > > Best,
> > > Christian
> > >
> > >
> > >
> > > trichel <tric...@protonmail.com> schrieb am So., 26. Juni 2022, 18:58:
> > >
> > > > Hello,
> > > >
> > > > How to write secure queries when the queried text nodes contain 
> > > > ampersands? For instance:
> > > >
> > > >
> > > > declare variable $publisher external; (: $publisher == 'Faber & Faber' :)
> > > > declare variable $db := db:open('db');
> > > >
> > > > let $records := $db/record/publisher[. = $publisher] (: publisher == 
> > > > 'Faber & Faber' :)
> > > > return $records
> > > >
> > > >
> > > > The external variable is unsafe input, escaped by the sending 
> > > > application.
> > > > Escaping the ampersand in the external variable with &amp; (& a m p ;) 
> > > > doesn't work, BaseX stops finding hits. Just letting the ampersand pass 
> > > > might expose the code to injection attacks? I could switch to a 
> > > > full-text query and remove the ampersand from the external variable, 
> > > > but that's a bit hackish. The expression is exact.
> > > >
> > > > How to proceed in a secure way?

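The thread's conclusion, as an added example that is not part of the original mails and not BaseX's own code: the query text stays constant and the value travels as a separate REST parameter, so nothing about the ampersand needs special handling and the `&amp;` that stopped the hits is simply not what is stored in the text node. The script builds the two request shapes side by side (the string-spliced anti-pattern and the bound external variable) and adds a literal-escaping helper for the case where a value really must be inlined. The endpoint URL and the database name `db` are assumptions; the `$publisher=` parameter is the BaseX REST convention for binding external variables.

```python
# Added example (not from the thread and not BaseX's own code): three ways of
# getting a user-supplied publisher name into an XQuery, and what each does to
# characters such as & and '. The REST endpoint and database name are assumed.
from urllib.parse import urlencode
from urllib.request import urlopen

BASEX_REST = "http://localhost:8984/rest/db"   # assumed: REST endpoint for database "db"

# The query text stays constant; the value arrives through the external variable.
QUERY = (
    "declare variable $publisher external; "
    "db:open('db')/record/publisher[. = $publisher]"
)


def build_unsafe_query(publisher: str) -> str:
    """Anti-pattern: splice the raw value into the query text.

    A quote in the input ends the string literal and the remainder is parsed
    as XQuery. A bare & is a syntax error on top of that, because inside an
    XQuery string literal & must start a character reference.
    """
    return f"db:open('db')/record/publisher[. = '{publisher}']"


def xquery_literal(value: str) -> str:
    """Fallback if a value really must be inlined: emit a correct single-quoted
    XQuery string literal. An apostrophe is doubled and & is written as &amp;;
    XQuery resolves the reference, so the comparison is still against the
    original text, not against the five characters &amp;.
    """
    return "'" + value.replace("&", "&amp;").replace("'", "''") + "'"


def build_safe_request(publisher: str) -> str:
    """Preferred: bind the value as an external variable over REST.

    BaseX REST binds $publisher from a request parameter named "$publisher".
    urlencode() percent-encodes the & and the quotes, so the value reaches
    the server as data and the query text is never modified. No &amp; is
    needed here; the bound string is compared exactly as sent.
    """
    params = {"query": QUERY, "$publisher": publisher}
    return BASEX_REST + "?" + urlencode(params)


def run(url: str) -> str:
    """Send the GET request to a running BaseX server (needs the server; not
    used by the offline checks)."""
    with urlopen(url) as response:
        return response.read().decode("utf-8")


if __name__ == "__main__":
    print(build_unsafe_query("x' or true() or '"))   # shows the broken-out predicate
    print(xquery_literal("Faber & Faber"))            # 'Faber &amp; Faber'
    print(build_safe_request("Faber & Faber"))        # ...&%24publisher=Faber+%26+Faber
```

Note that the GET-level ampersand (parameter separator) and the XQuery-level ampersand (character reference) are two different problems; URL encoding solves the first, and binding the variable instead of inlining it makes the second disappear entirely.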