Re: Fwd: Preventing SPARQL injection

2010-04-08 Thread Angelo Veltens
Davide Palmisano schrieb:
> I'm not sure I understood your problem well. Anyway, it may be worth giving
> a look to this: http://clarkparsia.com/weblog/2010/02/03/empire-0-6/

QuerySolutionMap was exactly what I need at the moment, but Empire seems
to be very interesting beyond that. I will take a look at it some time.

Thanks & kind regards,
Angelo



Re: Preventing SPARQL injection

2010-04-08 Thread Angelo Veltens
Damian Steer schrieb:
> Use the QueryExecutionFactory methods that accept an initial binding: [1]
> 
> Query q = QueryFactory.create("select * { ?s ?p ?o }");
> 
> QuerySolutionMap qs = new QuerySolutionMap();
> qs.add("s", resource); // bind resource to s
> 
> QueryExecution qe = QueryExecutionFactory.create(q, dataset, qs);
> 
> That's much safer and easier than messing with query strings.

Thank you very much! This was exactly what I was looking for. I didn't
find anything about it in the Jena docs, but it works fine now.

Kind regards,
Angelo




Re: Preventing SPARQL injection

2010-03-29 Thread Kingsley Idehen

Angelo Veltens wrote:

> Hi all,
>
> my name is Angelo Veltens, I'm studying computer science in Germany. I
> am using the Jena framework with SDB for a student research project.
>
> I'm just wondering how to prevent SPARQL injections. It seems to me
> that I have to build my queries from plain strings and do the sanitizing
> on my own. Isn't there something like prepared statements as in
> SQL/JDBC? This would be less risky.
>
> Kind regards,
> Angelo Veltens



  

The server should have the ability to control who can do what with SPARQL.

If you put SPARQL endpoints behind FOAF+SSL (for instance) and also use 
ACLs at the Graph IRI level, the vulnerability is blocked (bar stealing 
your machine and locating your private key).


--

Regards,

Kingsley Idehen	  
President & CEO 
OpenLink Software 
Web: http://www.openlinksw.com

Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca: kidehen 









Re: Preventing SPARQL injection

2010-03-29 Thread Damian Steer

On 29/03/10 15:53, Rob Vesse wrote:

> Forgot to cc to list and to jena-dev


Missed the original post completely. Thanks for ccing to jena-dev.


> Hi all,
>
> my name is Angelo Veltens, I'm studying computer science in Germany. I
> am using the Jena framework with SDB for a student research project.
>
> I'm just wondering how to prevent SPARQL injections. It seems to me
> that I have to build my queries from plain strings and do the sanitizing
> on my own. Isn't there something like prepared statements as in
> SQL/JDBC? This would be less risky.
>
> Kind regards,
> Angelo Veltens


Use the QueryExecutionFactory methods that accept an initial binding: [1]

Query q = QueryFactory.create("select * { ?s ?p ?o }");

QuerySolutionMap qs = new QuerySolutionMap();
qs.add("s", resource); // bind resource to s

QueryExecution qe = QueryExecutionFactory.create(q, dataset, qs);

That's much safer and easier than messing with query strings.

(Unfortunately it doesn't work for remote queries via queryService)

Damian

[1] 
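An added example, not code from the thread or from the Jena project itself, putting the concatenated query the original post describes beside the initial-binding form from the reply above. It assumes the current Apache Jena package names (org.apache.jena.*, Jena 3.x/4.x; the 2010 thread used com.hp.hpl.jena.*), and the property IRI and data are constructed for the demonstration.

```java
import org.apache.jena.query.*;
import org.apache.jena.rdf.model.*;

/** The same lookup built two ways: by string concatenation and by an initial binding. */
public class SparqlBindingExample {

    static final String NAME = "http://example.org/name";  // constructed property IRI

    // The pattern the original post describes: the caller's value becomes query
    // text, so it has to be sanitised by hand and any stray syntax alters the query.
    static Query byConcatenation(String subjectIri) {
        return QueryFactory.create(
            "SELECT ?name WHERE { <" + subjectIri + "> <" + NAME + "> ?name }");
    }

    // The pattern from Damian's reply: constant query text, value passed as an RDF
    // node via an initial binding, so it is data to the engine and is never parsed as SPARQL.
    static QueryExecution byInitialBinding(Dataset ds, Resource subject) {
        Query q = QueryFactory.create("SELECT ?name WHERE { ?s <" + NAME + "> ?name }");
        QuerySolutionMap initial = new QuerySolutionMap();
        initial.add("s", subject);  // bind resource to ?s
        // Initial bindings are applied by the local ARQ engine; they are not sent
        // to a remote endpoint, which is the queryService caveat in the reply.
        return QueryExecutionFactory.create(q, ds, initial);
    }

    public static void main(String[] args) {
        Dataset ds = DatasetFactory.create();
        Model m = ds.getDefaultModel();
        m.add(m.createResource("http://example.org/alice"), m.createProperty(NAME), "Alice");

        // A value the query text cannot carry verbatim (constructed, not a real attack).
        String untrusted = "http://example.org/alice not an iri";
        try {
            byConcatenation(untrusted);
        } catch (QueryParseException e) {
            System.out.println("concatenation: input changed the query text -> " + e.getMessage());
        }
        // The same value as a bound node: the query is unchanged and simply does not match.
        try (QueryExecution qe = byInitialBinding(ds, m.createResource(untrusted))) {
            System.out.println("binding: matched = " + qe.execSelect().hasNext());
        }
        try (QueryExecution qe = byInitialBinding(ds, m.createResource("http://example.org/alice"))) {
            System.out.println("binding: name = " + qe.execSelect().next().getLiteral("name"));
        }
    }
}
```

The concatenated form only fails loudly here because the constructed value is not valid IRI syntax; a value that happens to parse would silently change the query instead, which is why the bound form is the one to use for untrusted input.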





Fwd: Preventing SPARQL injection

2010-03-29 Thread Davide Palmisano
Apologies, forgot to cc public-lod

-- Forwarded message --
From: Davide Palmisano 
Date: Mon, Mar 29, 2010 at 4:51 PM
Subject: Re: Preventing SPARQL injection
To: Angelo Veltens 


Hi Angelo,

I'm not sure I understood your problem well. Anyway, it may be worth giving
a look to this: http://clarkparsia.com/weblog/2010/02/03/empire-0-6/

cheers,

Davide

On Sat, Mar 27, 2010 at 1:10 PM, Angelo Veltens
 wrote:
> Hi all,
>
> my name is Angelo Veltens, I'm studying computer science in Germany. I
> am using the Jena framework with SDB for a student research project.
>
> I'm just wondering how to prevent SPARQL injections. It seems to me
> that I have to build my queries from plain strings and do the sanitizing
> on my own. Isn't there something like prepared statements as in
> SQL/JDBC? This would be less risky.
>
> Kind regards,
> Angelo Veltens
>
>
>



--
Davide Palmisano
Technologist at Fondazione Bruno Kessler
http://davidepalmisano.wordpress.com
http://twitter.com/dpalmisano






Re: Preventing SPARQL injection

2010-03-29 Thread Rob Vesse
Forgot to cc to list and to jena-dev

-Original Message-
From: Rob Vesse [mailto:rav...@ecs.soton.ac.uk] 
Sent: 29 March 2010 15:53
To: 'Angelo Veltens'
Subject: RE: Preventing SPARQL injection

The following may be of interest to you:

http://www.slideshare.net/Morelab/sparqlrdqlsparul-injection

They proposed a patch to Jena but I don't know whether it ever got
incorporated into the codebase.

Rob

-Original Message-
From: public-lod-requ...@w3.org [mailto:public-lod-requ...@w3.org] On Behalf
Of Angelo Veltens
Sent: 27 March 2010 12:11
To: public-lod@w3.org
Subject: Preventing SPARQL injection

Hi all,

my name is Angelo Veltens, I'm studying computer science in Germany. I
am using the Jena framework with SDB for a student research project.

I'm just wondering how to prevent SPARQL injections. It seems to me
that I have to build my queries from plain strings and do the sanitizing
on my own. Isn't there something like prepared statements as in
SQL/JDBC? This would be less risky.

Kind regards,
Angelo Veltens






Preventing SPARQL injection

2010-03-29 Thread Angelo Veltens
Hi all,

my name is Angelo Veltens, I'm studying computer science in Germany. I
am using the Jena framework with SDB for a student research project.

I'm just wondering how to prevent SPARQL injections. It seems to me
that I have to build my queries from plain strings and do the sanitizing
on my own. Isn't there something like prepared statements as in
SQL/JDBC? This would be less risky.

Kind regards,
Angelo Veltens