GitHub user GregAlbiston commented on the issue:

https://github.com/apache/jena/pull/449

I've made updates to try and address the comments made so far.

- Now using _FmtUtils.stringForNode_ for conversion of RDFNode to replacement string.
- Local method _validateParameterValue_ is now used as values are being set to prevent an injection attack.
- Local method _validateSafeToInject_ is now used when the query is being parsed to prevent an injection attack. This is called for each of the target variables for each relevant item, i.e. not the varName supplied for the substitution but the variable in the VALUES clause of the query that will be evaluated.
- The need for parentheses is now determined when the query is being parsed, based on the number of target variables in the VALUES clause and then, for a single target variable, the presence of parentheses in the query.
- Updated tests, removed methods no longer required and added additional JavaDoc comments.

Thanks,

Greg
---