Re: [Virtuoso-users] Using PREFIX in a prepared Statement

[Kingsley Idehen]

On 10/24/16 12:00 PM, Davis, Daniel (NIH/NLM) [C] wrote:
>
> Kingsley,
>
>  
>
> I’m not sure exactly how this helps me.   Let me be clearer on the
> problem.   Because this application runs within a federal government
> site, I’m required to submit my source code to static analysis.  
> Although the data is read-only, and the database user has only
> read-only access, there are still general guidelines.
>
> I’m inquiring in the sense therefore that I want to figure out the
> boundaries of how Virtuoso JDBC can enable me to pass these
> guidelines, even though I think I can get an exemption by labeling the
> SQL injection complaint a false positive.
>
>  
>
> What I’m talking about is doing this through a JDBC interface, and
> rather than using a query of the form:
>
>  
>
> String queryFormat= "SPARQL"
>
> + " define input:inference
> \"http://id.nlm.nih.gov/mesh/vocab\";
>
> + " PREFIX rdf: "
>
> + " PREFIX rdfs: "
>
> + " PREFIX xsd: "
>
> + " PREFIX owl: "
>
> + " PREFIX meshv: "
>
> + " PREFIX mesh: "
>
> + " SELECT ?l"
>
> + " FROM "
>
> + " WHERE { mesh:%s %s ?l }";
>
> String query= String./format/(queryFormat, id, prop);
>
> log.info(query);
>
> Statement stmt= connection.createStatement();
>
> ResultSet rset= stmt.executeQuery(query);
>
>  
>
> I would rather do this using a prepared statement, maybe still
> formatting in the property so that the query plan can benefit from the
> predicate index:
>
>  
>
> String queryFormat= "SPARQL"
>
> + " define input:inference
> \"http://id.nlm.nih.gov/mesh/vocab\";
>
> + " PREFIX rdf: "
>
> + " PREFIX rdfs: "
>
> + " PREFIX xsd: "
>
> + " PREFIX owl: "
>
> + " PREFIX meshv: "
>
> + " PREFIX mesh: "
>
> + " SELECT ?l"
>
> + " FROM "
>
> + " WHERE { ?? %s ?l }";
>
> String query= String./format/(queryFormat, prop);
>
> log.info(query);
>
> PreparedStatement stmt= connection.prepareStatement(query);
>
> stmt.setString(1, "http://id.nlm.nih.gov/mesh/"+id);
>
>
>
> So far, this general approach of using a prepared statement is not
> working for me.   I may struggle through it, but is there anyway for
> me to preserve the convenience of prefixes:
>
>  
>
> … WHERE { mesh:?? %s ?l };
>
>  
>
> And then later bind the query argument?
>

Understood. Problem is that we need to publish more examples re., use of
SPARQL via ODBC and JDBC connections.

To our issue:

It will be something like:

 String queryFormat = "SPARQL"
 + " define input:inference \"http://id.nlm.nih.gov/mesh/vocab\";
 + " PREFIX rdf: "
 + " PREFIX rdfs: "
 + " PREFIX xsd: "
 + " PREFIX owl: "
 + " PREFIX meshv: "
 + " PREFIX mesh: "
 + " SELECT ?l"
 + " FROM "
 + " *WHERE { `iri(??)` `iri(??)` ?l }*";

// String query = String.format(queryFormat, id, prop);
// log.info(query);

 PreparedStatement ps = connection.prepareStatement(query);
 ps.setString(1, "http://id.nlm.nih.gov/mesh/"+id);
 ps.setString(2, prop);
 ResultSet rset = ps.executeQuery();

Note: You have to quote URIs without < >
Example:
   String prop = "http://testhost.org/myprop;;

We'll get some docs out too, as I stated earlier.

-- 
Regards,

Kingsley Idehen   
Founder & CEO 
OpenLink Software   (Home Page: http://www.openlinksw.com)

Weblogs (Blogs):
Legacy Blog: http://www.openlinksw.com/blog/~kidehen/
Blogspot Blog: http://kidehen.blogspot.com
Medium Blog: https://medium.com/@kidehen

Profile Pages:
Pinterest: https://www.pinterest.com/kidehen/
Quora: https://www.quora.com/profile/Kingsley-Uyi-Idehen
Twitter: https://twitter.com/kidehen
Google+: https://plus.google.com/+KingsleyIdehen/about
LinkedIn: http://www.linkedin.com/in/kidehen

Web Identities (WebID):
Personal: http://kingsley.idehen.net/dataspace/person/kidehen#this
: 
http://id.myopenlink.net/DAV/home/KingsleyUyiIdehen/Public/kingsley.ttl#this



smime.p7s
Description: S/MIME Cryptographic Signature

Re: [Virtuoso-users] Using PREFIX in a prepared Statement

[Davis, Daniel (NIH/NLM) [C]]

Kingsley,

I'm not sure exactly how this helps me.   Let me be clearer on the problem.   
Because this application runs within a federal government site, I'm required to 
submit my source code to static analysis.   Although the data is read-only, and 
the database user has only read-only access, there are still general guidelines.
I'm inquiring in the sense therefore that I want to figure out the boundaries 
of how Virtuoso JDBC can enable me to pass these guidelines, even though I 
think I can get an exemption by labeling the SQL injection complaint a false 
positive.

What I'm talking about is doing this through a JDBC interface, and rather than 
using a query of the form:

String queryFormat = "SPARQL"
+ " define input:inference \"http://id.nlm.nih.gov/mesh/vocab\";
+ " PREFIX rdf: "
+ " PREFIX rdfs: "
+ " PREFIX xsd: "
+ " PREFIX owl: "
+ " PREFIX meshv: "
+ " PREFIX mesh: "
+ " SELECT ?l"
+ " FROM "
+ " WHERE { mesh:%s %s ?l }";
String query = String.format(queryFormat, id, prop);
log.info(query);
Statement stmt = connection.createStatement();
ResultSet rset = stmt.executeQuery(query);

I would rather do this using a prepared statement, maybe still formatting in 
the property so that the query plan can benefit from the predicate index:

String queryFormat = "SPARQL"
+ " define input:inference \"http://id.nlm.nih.gov/mesh/vocab\";
+ " PREFIX rdf: "
+ " PREFIX rdfs: "
+ " PREFIX xsd: "
+ " PREFIX owl: "
+ " PREFIX meshv: "
+ " PREFIX mesh: "
+ " SELECT ?l"
+ " FROM "
+ " WHERE { ?? %s ?l }";
String query = String.format(queryFormat, prop);
log.info(query);
PreparedStatement stmt = connection.prepareStatement(query);
stmt.setString(1, "http://id.nlm.nih.gov/mesh/"+id);

So far, this general approach of using a prepared statement is not working for 
me.   I may struggle through it, but is there anyway for me to preserve the 
convenience of prefixes:

... WHERE { mesh:?? %s ?l };

And then later bind the query argument?

From: Kingsley Idehen [mailto:kide...@openlinksw.com]
Sent: Friday, October 21, 2016 6:36 PM
To: virtuoso-users@lists.sourceforge.net
Subject: Re: [Virtuoso-users] Using PREFIX in a prepared Statement

On 10/21/16 5:36 PM, Davis, Daniel (NIH/NLM) [C] wrote:
So, I must run my application through a source code scanner, and it is 
reasonably complaining that I am using String.format() and 
stmt.executeQuery(query) with the Virtuoso JDBC connection.

Yet, this is SPARQL.   I see some discussion of prepared statements on this 
list in the past.   What I want to know is:

*What is the best way to get this to work at all?

*Is there any way I can bind a parameter whose value includes a PREFIX 
in the query?Something like stmt.setString(1, "mesh:D20189");

Dan Davis, Systems/Applications Architect (Contractor),
Office of Computer and Communications Systems,
National Library of Medicine, NIH



I assume your query is of the form:

SPARQL

{SPARQL-Query}



OR

SELECT {SELECT-LIST}

FROM {SPARQL {SPARQL-QUERY} } AS {SQL Tabular Relation ALIAS} .



[1] http://bit.ly/sparql-as-sql-tabular-relation -- SPARQL Query as SQL Tabular 
Relation (note: user "vdb" for user and pwd) in FROM CLAUSE

[2] http://bit.ly/sparql-as-sql-tabular-relation2 -- SPARQL Query as SQL 
Tabular Relation

--

Regards,



Kingsley Idehen

Founder & CEO

OpenLink Software   (Home Page: http://www.openlinksw.com)



Weblogs (Blogs):

Legacy Blog: http://www.openlinksw.com/blog/~kidehen/

Blogspot Blog: http://kidehen.blogspot.com

Medium Blog: https://medium.com/@kidehen



Profile Pages:

Pinterest: https://www.pinterest.com/kidehen/

Quora: https://www.quora.com/profile/Kingsley-Uyi-Idehen

Twitter: https://twitter.com/kidehen

Google+: https://plus.google.com/+KingsleyIdehen/about

LinkedIn: http://www.linkedin.com/in/kidehen



Web Identities (WebID):

Personal: http://kingsley.idehen.net/dataspace/person/kidehen#this

: 
http://id.myopenlink.net/DAV/home/KingsleyUyiIdehen/Public/kingsley.ttl#this


--
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! 

Re: [Virtuoso-users] [UTF-8 Encoding] Problems with utf-8 encoding while doing full text search in sparql query

[Hugh Williams]

Hi Taemo,

Does this error occur when the query is run against the /sparql endpoint 
directly ?

Note also the following documentation on wide char support in the Free-Text 
index when handling accented characters:


http://docs.openlinksw.com/virtuoso/virtuosotipsandtrickscontrolunicode3/

Note of if this will help with you oriental char sets though, but you can try 
setting the:

[I18N]
XAnyNormalization=3

in the INI file as it is not set current and thus defaulting to 0 …

Best Regards
Hugh Williams
Professional Services
OpenLink Software, Inc.  //  http://www.openlinksw.com/
Weblog   -- http://www.openlinksw.com/blogs/
LinkedIn -- http://www.linkedin.com/company/openlink-software/
Twitter  -- http://twitter.com/OpenLink
Google+  -- http://plus.google.com/100570109519069333827/
Facebook -- http://www.facebook.com/OpenLinkSoftware
Universal Data Access, Integration, and Management Technology Providers

> On 24 Oct 2016, at 07:41, 손태모  wrote:
> 
> Dear all , 
> I just made a sparql query which functions like text search, 
> the query i made is shown bellow , 
> ===
> PREFIX rdf: 
> PREFIX rdfs: 
> PREFIX bif:  
> SELECT ?s ?p ?o ?label 
> WHERE {?s ?p ?o . ?s rdf:type 
>  . ?o 
> bif:contains '"박근혜"' . ?s rdfs:label ?label .} 
> ORDER BY ?s 
> LIMIT 5 
> OFFSET 0
> 
> 
> but when i tried to run this query utilizing virt-jena java programming ,  i 
> got this kind of error message from virtuoso server opensource edition . 
> 
> org.apache.jena.shared.JenaException: Can not create 
> ResultSet.:virtuoso.jdbc4.VirtuosoException: XM028: Free-text expression, 
> line 1: phrase consists of noise words exclusively
> in the following expression:
> [ __enc "UTF-8" ] "???"
> at 
> virtuoso.jena.driver.VirtuosoQueryExecution.execSelect(VirtuosoQueryExecution.java:103)
> at 
> kr.or.knps.lod.app.access.dao.VirtuosoDAO.textSearch(VirtuosoDAO.java:197)
> at 
> kr.or.knps.lod.app.access.service.virtuoso.VirtuosoService.textSearch(VirtuosoService.java:63)
> at 
> kr.or.knps.lod.app.controller.DataController.doTextSearch(DataController.java:601)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at 
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at 
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at 
> org.springframework.web.bind.annotation.support.HandlerMethodInvoker.invokeHandlerMethod(HandlerMethodInvoker.java:176)
> at 
> org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.invokeHandlerMethod(AnnotationMethodHandlerAdapter.java:426)
> at 
> org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.handle(AnnotationMethodHandlerAdapter.java:414)
> at 
> org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:790)
> at 
> org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:719)
> at 
> org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:644)
> at 
> org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:560)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:650)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
> at 
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
> at 
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
> at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
> at 
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
> at 
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
> at 
> egovframework.rte.ptl.mvc.filter.HTMLTagFilter.doFilter(HTMLTagFilter.java:52)
> at 
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
> at 
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
> at 
> org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
> at 
> org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
> at 
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
> at 
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
> at 
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218)
> at 
> 

[Virtuoso-users] [UTF-8 Encoding] Problems with utf-8 encoding while doing full text search in sparql query

[손태모]

Dear all ,

I just made a sparql query which functions like text search,

the query i made is shown bellow ,

===

PREFIX rdf: 
PREFIX rdfs: 
PREFIX bif: 
SELECT ?s ?p ?o ?label
WHERE {?s ?p ?o . ?s rdf:type 
 . 
?o bif:contains '"*박근혜*"' . ?s rdfs:label ?label .}

ORDER BY ?s
LIMIT 5
OFFSET 0


but when i tried to run this query utilizing virt-jena java programming 
,  i got this kind of error message from virtuoso server opensource 
edition .



org.apache.jena.shared.JenaException: Can not create 
ResultSet.:virtuoso.jdbc4.VirtuosoException: XM028: Free-text 
expression, line 1: phrase consists of noise words exclusively

in the following expression:
[ __enc "UTF-8" ] "???"
at 
virtuoso.jena.driver.VirtuosoQueryExecution.execSelect(VirtuosoQueryExecution.java:103)
at 
kr.or.knps.lod.app.access.dao.VirtuosoDAO.textSearch(VirtuosoDAO.java:197)
at 
kr.or.knps.lod.app.access.service.virtuoso.VirtuosoService.textSearch(VirtuosoService.java:63)
at 
kr.or.knps.lod.app.controller.DataController.doTextSearch(DataController.java:601)

at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

at java.lang.reflect.Method.invoke(Method.java:498)
at 
org.springframework.web.bind.annotation.support.HandlerMethodInvoker.invokeHandlerMethod(HandlerMethodInvoker.java:176)
at 
org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.invokeHandlerMethod(AnnotationMethodHandlerAdapter.java:426)
at 
org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.handle(AnnotationMethodHandlerAdapter.java:414)
at 
org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:790)
at 
org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:719)
at 
org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:644)
at 
org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:560)

at javax.servlet.http.HttpServlet.service(HttpServlet.java:650)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at 
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at 
egovframework.rte.ptl.mvc.filter.HTMLTagFilter.doFilter(HTMLTagFilter.java:52)
at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at 
org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
at 
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at 
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218)
at 
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at 
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
at 
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
at 
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at 
org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
at 
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at 
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:442)
at 
org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1083)
at 
org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:640)
at 
org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
at 
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at 
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at 
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)

at java.lang.Thread.run(Thread.java:745)


I