BaseX just always surprises in a positive way. I've been worrying all this time about injection attacks, which I will continue to do, but now in a different way ...
Thanks Christian

Sent with Proton Mail secure email.

------- Original Message -------
On Sunday, June 26th, 2022 at 7:21 PM, Christian Grün <christian.gr...@gmail.com> wrote:

> With the REST API, you'll be fine. The passed on value will be bound as
> string, and the original query won't be modified.
>
> trichel <tric...@protonmail.com> wrote on Sun., 26 June 2022, 19:15:
>
> > Hi Christian,
> >
> > I'm using the GET method from the Basex Rest API. Up until now I simply
> > removed ampersands from a query, just to be safe.
> >
> > Laurent
> >
> > ------- Original Message -------
> > On Sunday, June 26th, 2022 at 7:02 PM, Christian Grün
> > <christian.gr...@gmail.com> wrote:
> >
> > > Hi trichel,
> > > Which API are you using to bind the external variables to your query
> > > before evaluating it?
> > >
> > > Best,
> > > Christian
> > >
> > > trichel <tric...@protonmail.com> wrote on Sun., 26 June 2022, 18:58:
> > >
> > > > Hello,
> > > >
> > > > How to write secure queries when the queried text nodes contain
> > > > ampersands? For instance:
> > > >
> > > > declare variable $publisher external; (: $pub == 'Faber & Faber' :)
> > > > declare variable $db := db:open('db');
> > > >
> > > > let $records := $db/record/publisher[. = $publisher] (: publisher ==
> > > > 'Faber & Faber' :)
> > > >
> > > > The external variable is unsafe input, escaped by the sending
> > > > application.
> > > > Escaping the ampersand in the external variable with &amp; (& a m p ;)
> > > > doesn't work, Basex stops finding hits. Just letting the ampersand pass
> > > > might expose the code to injection attacks? I could switch to a
> > > > full-text query and remove the ampersand from the external variable,
> > > > but that's a bit hackish. The expression is exact.
> > > >
> > > > How to proceed in a secure way?
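The point of the thread is that a value bound to an external variable never becomes part of the query text, so it needs no XML escaping (`&amp;` turns it into a different string and the lookup fails); what it does need is ordinary percent-encoding in the GET request so that a literal `&` does not end the parameter. The following Python script is an added illustration, not code from the thread or from BaseX. It assumes a BaseX server at `http://localhost:8984` with a database named `db`, and it assumes the REST API's convention of binding external variables through `$name=value` request parameters (taken here from the BaseX REST documentation; the parameter name is not something the thread itself spells out). The request is built and decoded locally with `urllib`, so nothing is sent over the network; the script only shows that the bound form keeps the query text constant for every input, while splicing the value into the query changes the query itself.

```python
from urllib.parse import urlencode, parse_qs, urlsplit

# Assumed local BaseX REST endpoint and database name (hypothetical).
REST_ENDPOINT = "http://localhost:8984/rest/db"

# The query text is a constant: $publisher is declared external and bound
# by the request, never concatenated into the query.
QUERY = (
    "declare variable $publisher external; "
    "db:open('db')/record/publisher[. = $publisher]"
)


def build_bound_request(publisher: str) -> str:
    """GET URL that binds $publisher as a request parameter.

    urlencode percent-encodes '&', quotes and spaces in the value, so the
    value cannot terminate the parameter or alter the 'query' parameter.
    The '$publisher' parameter name follows the REST API's '$name=value'
    convention (assumed from the BaseX documentation).
    """
    params = [("query", QUERY), ("$publisher", publisher)]
    return f"{REST_ENDPOINT}?{urlencode(params)}"


def build_spliced_request(publisher: str) -> str:
    """The pattern to avoid: the caller's value becomes query text.

    A value containing a quote character (e.g. O'Reilly) already breaks the
    string literal here, which is exactly why binding is preferred.
    """
    spliced = f"db:open('db')/record/publisher[. = '{publisher}']"
    return f"{REST_ENDPOINT}?{urlencode([('query', spliced)])}"


def query_text_of(url: str) -> str:
    """Recover the 'query' parameter the way the server would decode it."""
    return parse_qs(urlsplit(url).query)["query"][0]


def bound_value_of(url: str) -> str:
    """Recover the value the server would bind to $publisher."""
    return parse_qs(urlsplit(url).query)["$publisher"][0]


if __name__ == "__main__":
    # Constructed sample inputs, including the one from the thread.
    for name in ("Faber & Faber", "O'Reilly", "Penguin"):
        bound = build_bound_request(name)
        print("bound value :", bound_value_of(bound))
        print("query text  :", query_text_of(bound))       # identical each time
        print("spliced text:", query_text_of(build_spliced_request(name)))
        print()
```

Run it as-is to see that the decoded `query` parameter of the bound request is byte-for-byte `QUERY` for every input, while the spliced query differs per input and is already malformed for `O'Reilly`. The same separation applies to the POST form of the REST API, where the variable travels in its own element rather than inside the query text.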