See also: IRC log
<juansequeda> trying to call in
<juansequeda> it says that the passcode is not valid
<juansequeda> anybody else having this problem?
<Ashok> scribenick: whalb
<Ashok> scribe: Wolfgang
<Ashok> Admin PROPOSAL: Accept the minutes of last meeting, see http://www.w3.org/2010/08/10-rdb2rdf-minutes.html
no objections heard
minutes from 10 August accepted
ashok: cygri not present, suggests looking at the last e-mail and discussing it
<Ashok> http://lists.w3.org/Archives/Public/public-rdb2rdf-wg/2010Aug/0004.html
ashok: went up to section 3 last time
... richard suggests to support URI templates
souri: similar to revelyx presentation
... in uri template document there is an example
<Souri> <URITemplate id="employee" value="http://example.com/emp/{empno}" />
<ericP> http://example.com/emp/{empno}" />
souri: emp is a variable
... empno value could be a column name
... almost like happening on the client side
... agree with proposition, but not a standard yet - going to become a standard
... it is not core to proposal
ashok: agrees
<cygri> hi Ashok, Souri and all... just quickly calling in to send regrets, flight was delayed and i'm still at the airport with nowhere to take the call... sorry!
juansequeda: there should be a standard way of generating URIs
souri: URI template is a good way to do this
... URI template is an option, should keep it separate from SELECT statement
... there are more pressing issues in the core itself
... we need to resolve the more complex problems before, like transaction tables
ericP: scenario is a short-hand way to express simple things
... if somebody does a query and asks for something like...
<ericP> http://www4.wiwiss.fu-berlin.de/bizer/bsbm/v01/instances/dataFromVendor23/Offer18
ericP: this mapping can be reserved
<ericP> http://www4.wiwiss.fu-berlin.de/bizer/bsbm/v01/instances/dataFromVendor /foo/bar /Offer18
ericP: if expressivity was like above example it would need more to reserve it
<ericP> http://www4.wiwiss.fu-berlin.de/bizer/bsbm/v01/instances/dataFromVendor Bob /Offer18
<Souri> my note on this was: A somewhat unrelated aspect would be to consider automatic derivation of inverse expression (if any) since now we need to parse the URI template anyway.
juansequeda: you cannot expect that parsing the URI gives the semantics, is a security risk
... that's not the way it should be
ericP: we are not hiding primary key values
... you can include any attribute you like
juansequeda: potential SQL injection-like problem - comments from Oracle?
juansequeda: could lead to an exploit
souri: as long as we use bind variables, defined variables, it will not be part of SQL treatment
juansequeda: if someone sends a URI and it is dereferenced into the SQL it might be a potential hack
souri: we are not having this problem today
juansequeda: there is a standard - life science ids - ...
... they were invented in anticipation of rdb2rdf and very likely...
<Souri> I wanted to ask whether we are introducing a new security problem?
juansequeda: address the problem
ericP: we cannot give up URI from SQL
juansequeda: if somebody does not want to use URIs in SQL?
<juansequeda> whalb, I meant if I don't want to put primary key values in the URI
ericP: some companies might not use the standard because it violates principles
ashok: that's not going to happen
... the question is if this is the only way of creating a URI
<hhalpin> +1 Ashok
ashok: there are also other ways
... you could create a function
... the template is useful but it should not be the only technique
souri: it is not the only technique, but an option
... you can have an expression in the query itself
... if we have a template there are some positions that are variables
... should come out from the view / SQL definition
... primary key column could be anything like that
... we can use it in uri template
<ericP> it could also be pk+1000 or concat(foo.fn, ",", foo.ln)
ashok: lets go on to 3.2
<ericP> all of these offer identical opportunities for injection attacks
<MacTed> it's important to state that this "option" is NOT best practice
<MacTed> even if available
hhalpin ?
souri: do not agree with that comment
<hhalpin> Just also pointing out templates is not the only option, but would be surprised if we did not allow some arbitrary function that could generate URIs given a string identifier.
souri: you could create a superclass c
<juansequeda> +1 to hhalpin
souri: if I want to go to the posting it has some implications
... if I want to go to c1 I might have to do more work to find the ones that are c1s only
ashok: any comments?
... souri wants only one class mapped, richard suggests more
souri: rdf level granularity we should allow the same level
ashok: don't see any disagreement here
<ericP> i think the same issue arises when you have more than one attribute mapped to the same RDF predicate
ashok: when you do a property map you allow the name from the view
... problem is you have to specify a view, you cannot put the SQL here
<ericP> doctor.name => foaf:name patient.name => foaf:name
<ericP> SELECT ?doc { ?doc foaf:name "Bob" }
souri: it is a simple way of specifying
... when you are doing select * which one is the URI
... typically you get out values, not URIs
... it is very likely that you need to modify the select * result to show URI
... you might need a specific URI template
ashok: 3.4 column names
... richard wants to allow a literal rather than column names
... seems ok to me
souri: agree basically to that one too
... just a note: how do you show the fact that a particular property has a constant value?
ashok: end of richard's comments - we can talk about that when richard is here next week
<Ashok> Revised SQL-based proposal from Souri http://www.w3.org/2001/sw/rdb2rdf/wiki/An_XML_Schema_for_SQL-based_RDB2RDF_Mapping_%28Revision_1%29 http://www.w3.org/2001/sw/rdb2rdf/wiki/Example_of_SQL-based_RDB2RDF_Mapping:_Revision_1
souri: the translation tables - how can we handle large tables in SQL directly
... send e-mail with richard
<ericP> ironic, given that's exactly what we expect SQL to do for us
souri: main modifications in current version
... the sql schema
... second block rdf subject added
... there is block called InstanceIdMap
... in GraphURIPropertyMap...
... now the property themselves point back
... extended the propertymap element by adding graphuri
... also added datatype - you can specify that a constant data type applying to each from database
... also added language
... more additions have to do with ComputedPropertyMap
... regarding richard's comment 2.4
... the computed property name is coming from a db column name
... the first name says whether it is computed or not
... the column will be the attribute - that's how the computed property name is defined
... we have to take SQL injection into account
... in keymap definitions we need foreign key property
... if we do a join what is the join condition
... ForeignKeyPropertyMap has a ForeignKeyPropertyName which has a ParentClassName
... the JoinCondition is a string where SQL injection comes into account
... looking at example from
http://www.w3.org/2001/sw/rdb2rdf/wiki/Example_of_SQL-based_RDB2RDF_Mapping:_Revision_1
... in example there is ForeignKeyPropertyMap info
... the join condition we need to use in the translation from SPARQL to SQL
... the child and parent will be replaced with the ref
... re. SQL injection we take a string here and put it directly in the SQL
... we need to check here to be sure we can use it without SQL injection problems
ericP: example looking for employee named bob
... anything we carry through, regardless if it's an identifier, we offer the opportunity of injection
... industry standard like in PHP do checking of potential SQL injection
souri: here we use expression
... if we use bind variable it cannot cause SQL injection
... had idea that join condition includes equals
... join condition defined as pairs
ericP: protecting yourself from people with write access
souri: yes but if you have access to table t1 you should not be able to access table t2
... it is important but my idea might be a solution for the prob
... we can individually check each part of the pair
ericP: the person who has write privileges in the config file should be someone you trust to a certain level
... we are not protecting use from people who configure the db and not from users
souri: that's the point - not everybody can write the specs
... it is better not to even trust the guy who is writing the config
ericP: can we protect ourselves from that person anyway?
souri: yes, at Oracle there are many security checks performed
... joincond could be unlimited number of pairs
... from that pov we are not losing anything
... example does not show everything, have to extend that example
ashok: will be out next week, michael will be back
... we should carry on here and then write it down formally
<hhalpin> +1 writing it up asap
ericP: have started document draft, can continue on it
<hhalpin> we can change telecon times.
Present: Ashok EricP HarryHalpin Ivan Juan LeeF Ted Souri Wolfgang
Regrets: Boris Marcelo AlexDeLeon Richard
Date: 17 Aug 2010
Minutes URL: http://www.w3.org/2010/08/17-rdb2rdf-minutes.html