“What’s the best way to parameterize SPARQL queries?”

http://www.reddit.com/r/semanticweb/comments/1e3fq0/whats_the_best_way_to_parameterize_sparql_queries/

The gist: because SPARQL is a textual query language that the endpoint tokenizes and parses, it is not safe to build queries by concatenating strings that may contain user-supplied input. A quote, brace or keyword in that input is read as part of the query's syntax, not as data.

In SQL, the same mistake is called “SQL Injection”.

It may be tempting to suggest that this is not an issue for read-only SPARQL queries, but an injected pattern can change which data a query returns, and resource exhaustion is also a very real concern: whoever controls part of the query text can turn a cheap lookup into an expensive one. This applies especially to RDF JavaScript libraries that prepare queries on the client by string concatenation.


One Response to “What’s the best way to parameterize SPARQL queries?”

  1. Austin Wright says:

    SPARQL already has a really neat feature of its syntax, the variable. In my query library, I offer the option to bind a variable in the query to a specific value, so then you can perform the query similarly to a prepared statement.

    For databases in general, I’d only ever consider using prepared statements.
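To make the contrast concrete, here is an added example in plain JavaScript. It is not code from the original post, from Austin Wright's query library, or from any particular RDF toolkit; the term constructors, the bindVariables() helper and the attacker input are assumptions made for the demonstration. It builds the same name lookup twice: once by concatenation, where a crafted name turns the FILTER into a tautology (the SPARQL cousin of SQL's ' OR '1'='1), and once by leaving a SPARQL variable in the query and binding it to a properly escaped literal, the prepared-statement style the comment above describes.

```javascript
// Added example, written for this page. It is not code from the original
// post, from Austin Wright's query library, or from any named RDF toolkit;
// the term constructors, bindVariables() and the sample input are all
// assumptions made for the demonstration. No endpoint is contacted: only the
// query text is built and inspected.

const PREFIXES = 'PREFIX foaf: <http://xmlns.com/foaf/0.1/>\n';

// VULNERABLE: the caller's string is pasted straight into the query text, so
// quotes and operators in it are parsed as SPARQL syntax, not as data.
function lookupByConcatenation(userInput) {
  return PREFIXES +
    'SELECT ?person WHERE { ?person foaf:name ?n . FILTER(?n = "' +
    userInput + '") }';
}

// Serialize a JavaScript string as a SPARQL "..." literal, escaping the
// characters the grammar's ECHAR production covers (\t \b \n \r \f \" \\).
function sparqlStringLiteral(value) {
  const escaped = String(value)
    .replace(/\\/g, '\\\\')
    .replace(/"/g, '\\"')
    .replace(/\n/g, '\\n')
    .replace(/\r/g, '\\r')
    .replace(/\t/g, '\\t')
    .replace(/\f/g, '\\f')
    .replace(/\x08/g, '\\b'); // backspace; a /\b/ regex would mean word boundary
  return '"' + escaped + '"';
}

// RDF term constructors. Each returns an object that serializes itself.
function literal(value, lang) {
  if (lang !== undefined && !/^[A-Za-z]+(-[A-Za-z0-9]+)*$/.test(lang)) {
    throw new Error('invalid language tag: ' + lang);
  }
  return { toSparql: () => sparqlStringLiteral(value) + (lang ? '@' + lang : '') };
}

function iri(value) {
  // IRIREF forbids < > " { } | ^ ` \ and control or space characters; reject
  // rather than escape, since there is no escape syntax inside <...>.
  if (/[<>"{}|^`\\\x00-\x20]/.test(value)) {
    throw new Error('invalid IRI: ' + value);
  }
  return { toSparql: () => '<' + value + '>' };
}

// Replace every ?var that has a binding with its serialized term. Unbound
// variables are left alone so the query can still project them. The template
// must be developer-written: a ?var inside a template string literal or
// comment would be substituted too, and binding a projected variable
// (SELECT ?wanted) would not yield a valid query.
function bindVariables(template, bindings) {
  return template.replace(/\?([A-Za-z_][A-Za-z0-9_]*)/g, (whole, name) =>
    Object.prototype.hasOwnProperty.call(bindings, name)
      ? bindings[name].toSparql()
      : whole);
}

// SAFE: the user's value never touches the query grammar. Whatever it
// contains, it ends up as one string literal compared against ?n.
function lookupByBinding(userInput) {
  const template = PREFIXES +
    'SELECT ?person WHERE { ?person foaf:name ?n . FILTER(?n = ?wanted) }';
  return bindVariables(template, { wanted: literal(userInput) });
}

// Constructed attacker input: closes the literal and ORs a tautology onto the
// filter, so the FILTER becomes  (?n = "") || ("1" = "1)  and is always true.
const TAUTOLOGY_INPUT = '" || "1" = "1';

function demo() {
  return {
    vulnerable: lookupByConcatenation(TAUTOLOGY_INPUT),
    safe: lookupByBinding(TAUTOLOGY_INPUT),
  };
}

const result = demo();
console.log(result.vulnerable); // ends: FILTER(?n = "" || "1" = "1") }   -> every named person
console.log(result.safe);       // ends: FILTER(?n = "\" || \"1\" = \"1") }  -> one odd string
```

The substitution happens on the client before the query is sent. The SPARQL 1.1 Protocol carries only the query text plus default-graph and named-graph parameters, so unlike SQL there is no server-side parameter binding to lean on; the safety rests entirely on the serializer escaping string literals and rejecting anything that cannot be written as a valid IRI.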
