Skip to toolbar

Community & Business Groups

“What’s the best way to parameterize SPARQL queries?”

The gist: as a tokenized query protocol, it is not ‘safe’ to build SPARQL queries by concatenating strings which may contain user-supplied input.

In SQL, this is called “SQL Injection”:

It may be tempting to suggest that this is not an issue for read-only SPARQL queries, but resource exhaustion can also be a very real concern; especially with RDF JavaScript Libraries which are used to prepare queries.


Comments are closed.