W3C

- DRAFT -

RDB2RDF

17 Aug 2010

See also: IRC log

Attendees

Present
Ashok, EricP, HarryHalpin, Ivan, Juan, LeeF, Ted, Souri, Wolfgang
Regrets
Boris, Marcelo, AlexDeLeon, Richard
Chair
Ashok
Scribe
Wolfgang

<juansequeda> trying to call in

<juansequeda> it says that the passcode is not valid

<juansequeda> anybody else having this problem?

<Ashok> scribenick: whalb

<Ashok> scribe: Wolfgang

accept minutes from last meeting

<Ashok> Admin PROPOSAL: Accept the minutes of last meeting, see http://www.w3.org/2010/08/10-rdb2rdf-minutes.html

no objections heard

minutes from 10 August accepted

Conclude discussion of Richard's comments on SQL-based approach

ashok: cygri not present, suggest to look at last e-mail and discuss it

Richard's comments on SQL-based approach

<Ashok> http://lists.w3.org/Archives/Public/public-rdb2rdf-wg/2010Aug/0004.html

ashok: went up to section 3 last time
... richard suggests supporting URI templates

souri: similar to Revelytix presentation
... in uri template document there is an example

<Souri> <URITemplate id="employee" value="http://example.com/emp/{empno}" />

<ericP> http://example.com/emp/{empno}" />

souri: emp is a variable
... empno value could be a column name
... almost like happening on the client side
... agree with proposition, but not a standard yet - going to become a standard
... it is not core to proposal

ashok: agrees

<cygri> hi Ashok, Souri and all... just quickly calling in to send regrets, flight was delayed and i'm still at the airport with nowhere to take the call... sorry!

juansequeda: there should be a standard way of generating URIs

souri: uri template is a good way to do this
... uri template is an option, should keep it separate from SELECT statement
... there are more pressing issues in the core itself
... we need to resolve the more complex problems before, like transaction tables

<ericP> "http://www4.wiwiss.fu-berlin.de/bizer/bsbm/v01/instances/dataFromVendor@@offer.publisher@@/Offer@@offer.nr@@"

<ericP> http://www4.wiwiss.fu-berlin.de/bizer/BerlinSPARQLBenchmark/V1/results/store_config_files/d2r-mapping.n3

ericP: scenario is a short-hand way to express simple things
... if somebody does a query and asks for something like...

<ericP> http://www4.wiwiss.fu-berlin.de/bizer/bsbm/v01/instances/dataFromVendor23/Offer18

ericP: this mapping can be reversed

<ericP> http://www4.wiwiss.fu-berlin.de/bizer/bsbm/v01/instances/dataFromVendor /foo/bar /Offer18

ericP: if expressivity was like above example it would need more to reverse it

<ericP> http://www4.wiwiss.fu-berlin.de/bizer/bsbm/v01/instances/dataFromVendor Bob /Offer18

<Souri> my note on this was: A somewhat unrelated aspect would be to consider automatic derivation of inverse expression (if any) since now we need to parse the URI template anyway.

juansequeda: you cannot expect that parsing the uri gives the semantics, is a security risk
... that's not the way it should be

ericp: we are not hiding primary key values
... you can include any attribute you like

juansequeda: potential sql injection like problem - comments from oracle?

<ericP> http://www4.wiwiss.fu-berlin.de/bizer/bsbm/v01/instances/dataFromVendor';+DROP+TABL+Products+/Offer18

juansequeda: could lead to an exploit

souri: as long as we use bind variables, defined variables it will not be part of sql treatment

juansequeda: if someone sends a uri and it is dereferenced into the sql it might be a potential hack

souri: we are not having this problem today

juansequeda: there is a standard - life science ids - ...
... they were invented in anticipation of rdb2rdf and very likely...

<Souri> I wanted to ask whether we are introducing a new security problem?

juansequeda: address the problem

ericp: we cannot give up uri from sql

juansequeda: if somebody does not want to use URIs in sql?

<juansequeda> whalb, I meant if I don't want to put primary key values in the URI

ericp: some companies might not use the standard because it violates principles

ashok: that's not going to happen
... the question is if this is the only way of creating a uri

<hhalpin> +1 Ashok

ashok: there are also other ways
... you could create a function
... the template is useful but it should not be the only technique

souri: it is not the only technique, but an option
... you can have an expression in the query itself
... if we have a template there are some positions that are variables
... should come out from the view / sql definition
... primary key column could be anything like that
... we can use it in uri template

<ericP> it could also be pk+1000 or concat(foo.fn, ",", foo.ln)

ashok: lets go on to 3.2

<ericP> all of these offer identical opportunities for injection attacks

<MacTed> it's important to state that this "option" is NOT best practice

<MacTed> even if available

hhalpin ?

souri: do not agree with that comment

<hhalpin> Just also pointing out templates is not the only option, but would be surprised if we did not allow some arbitrary function to generate URIs given a string identifier.

souri: you could create a superclass c

<juansequeda> +1 to hhalpin

souri: if i want to go to the posting it has some implications
... if i want to go to c1 i might have to do more work to find the ones that are c1s only

ashok: any comments?
... souri wants only one class mapped, richard suggests more

souri: rdf level granularity we should allow the same level

ashok: don't see any disagreement here

<ericP> i think the same issue arises when you have more than one attribute mapped to the same RDF predicate

ashok: when you do a property map you allow the name from the view
... problem is you have to specify a view, you cannot put the sql here

<ericP> doctor.name => foaf:name patient.name => foaf:name

<ericP> SELECT ?doc { ?doc foaf:name "Bob" }

souri: it is a simple way of specifying
... when you are doing select * which one is the uri
... typically you get out values, not uris
... it is very likely that you need to modify the select * result to show uri
... you might need a specific uri template

ashok: 3.4 column names
... richard wants to allow a literal rather than column names
... seems ok to me

souri: agree basically to that one too
... just a note: how do you show the fact that a particular property has a constant value?

ashok: end of richard's comments - we can talk about that when richard is here next week

Revised SQL-based proposal from Souri

<Ashok> Revised SQL-based proposal from Souri http://www.w3.org/2001/sw/rdb2rdf/wiki/An_XML_Schema_for_SQL-based_RDB2RDF_Mapping_%28Revision_1%29 http://www.w3.org/2001/sw/rdb2rdf/wiki/Example_of_SQL-based_RDB2RDF_Mapping:_Revision_1

souri: the translation tables - how can we handle large tables in sql directly
... send e-mail with richard

<ericP> ironic, given that's exactly what we expect SQL to do for us

souri: main modifications in current version
... the sql schema
... second block rdf subject added
... there is block called InstanceIdMap
... in GraphURIPropertyMap...
... now the property themselves point back
... extended the propertymap element by adding graphuri
... also added datatype - you can specify that a constant data type applying to each from database
... also added language
... more additions have to do with ComputedPropertyMap
... regarding richard comment 2.4
... the computed property name is coming from a db column name
... the first name says whether it is computed or not
... the column will be the attribute - that's how the computed property name is defined
... we have to take sql injection into account
... in keymap definitions we need foreign key property
... if we do a join what is the join condition
... ForeignKeyPropertyMap has a ForeignKeyPropertyName which has a ParentClassName
... the JoinCondition is a string where sql injection comes into account
... looking at example from http://www.w3.org/2001/sw/rdb2rdf/wiki/Example_of_SQL-based_RDB2RDF_Mapping:_Revision_1
... in example there is ForeignKeyPropertyMap info
... the join condition we need to use in the translation from sparql to sql
... the child and parent will be replaced with the ref
... re. sql injection we take a string here and put it directly in the sql
... we need to check here to be sure we can use it without sql injection probs

ericp: example looking for employee named bob
... anything we carry through, regardless of whether it's an identifier, we offer the opportunity of injection
... industry standard like in php do checking of potential sql injection

souri: here we use expression
... if we use bind variable it cannot cause sql injection
... had idea that join condition includes equals
... join condition defined as pairs

ericp: protecting yourself from people with write access

souri: yes but if you have access to table t1 you should not be able to access table t2
... it is important but my idea might be a solution for the prob
... we can individually check each part of the pair

ericp: the person who has write privileges in the config file should be someone you trust to a certain level
... we are not protecting users from people who configure the db and not from users

souri: that's the point - not everybody can write the specs
... it is better not to even trust the guy who is writing the config

ericp: can we protect ourselves from that person anyway?

souri: yes, at oracle there are many security checks performed
... joincond could be unlimited number of pairs
... from that pov we are not losing anything
... example does not show everything, have to extend that example

ashok: will be out next week, michael will be back
... we should carry on here and then write it down formally

<hhalpin> +1 writing it up asap

ericp: have started document draft, can continue on it

<hhalpin> we can change telecon times.

Summary of Action Items

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.135 (CVS log)
$Date: 2010/08/17 17:03:39 $
