“What’s the best way to parameterize SPARQL queries?”
The gist: because SPARQL is a tokenized query protocol, it is not ‘safe’ to build SPARQL queries by concatenating strings that may contain user-supplied input.
In SQL, the same weakness is called “SQL Injection”:
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
- http://cwe.mitre.org/top25/#CWE-89
It may be tempting to suggest that this is not an issue for read-only SPARQL queries, but resource exhaustion can also be a very real concern, especially when RDF JavaScript libraries are used to prepare queries.
SPARQL already has a really neat feature in its syntax: the variable. In my query library, I offer the option to bind a variable in the query to a specific value, so that you can then perform the query similarly to a prepared statement.
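As an added illustration of that binding approach (this is not code from the post or from the author's library; the helper names `escapeSparqlString`, `toTerm` and `bindVariable` are assumptions made here), the value is serialized as a single, properly escaped RDF term before it is substituted for the variable, so a quote or newline in the input can never close the literal:

```javascript
// Added example, not the post's own code: bind values into a SPARQL query template
// as serialized RDF terms instead of concatenating raw strings. No RDF library is used.

// Escape the characters SPARQL 1.1 permits inside "..." only as escape sequences (ECHAR).
function escapeSparqlString(s) {
  const map = { '\\': '\\\\', '"': '\\"', '\n': '\\n', '\r': '\\r',
                '\t': '\\t', '\b': '\\b', '\f': '\\f' };
  return String(s).replace(/[\\"\n\r\t\b\f]/g, (c) => map[c]);
}

// Serialize a JavaScript value as exactly one RDF term. Only an explicitly typed IRI,
// an integer or a boolean is emitted bare; everything else becomes a quoted literal.
function toTerm(value) {
  if (value === null || value === undefined) throw new Error('cannot bind a missing value');
  if (typeof value === 'object' && value.type === 'iri') {
    // Characters excluded by SPARQL's IRIREF production, so the <...> cannot be closed early.
    if (/[<>"{}|^`\\\u0000-\u0020]/.test(value.value)) throw new Error('invalid IRI');
    return `<${value.value}>`;
  }
  if (typeof value === 'boolean') return value ? 'true' : 'false';
  if (Number.isInteger(value)) return String(value);   // xsd:integer
  return `"${escapeSparqlString(value)}"`;              // plain string literal
}

// Replace every ?name / $name occurrence in the template with the serialized term.
function bindVariable(template, name, value) {
  if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(name)) throw new Error('invalid variable name');
  const term = toTerm(value);
  const occurrences = new RegExp(`[?$]${name}\\b`, 'g');
  if ((template.match(occurrences) || []).length === 0) {
    throw new Error(`variable ?${name} does not occur in the query`);
  }
  // A function replacer keeps String.replace from interpreting "$&"-style patterns in the term.
  return template.replace(occurrences, () => term);
}

// Constructed demonstration: naive concatenation versus binding of the same input.
const template = 'SELECT ?p WHERE { ?s <http://xmlns.com/foaf/0.1/name> ?name ; ?p ?o }';
const untrusted = 'Ada "Countess" Lovelace';   // constructed input containing quotes
const concatenated =
  `SELECT ?p WHERE { ?s <http://xmlns.com/foaf/0.1/name> "${untrusted}" ; ?p ?o }`;
const bound = bindVariable(template, 'name', untrusted);
console.log(concatenated); // the inner quotes terminate the literal and become query tokens
console.log(bound);        // the quotes are escaped and stay inside one string literal
```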
For databases in general, I’d only ever consider using prepared statements.