
“What’s the best way to parameterize SPARQL queries?”

The gist: because SPARQL is a tokenized query protocol, it is not ‘safe’ to build SPARQL queries by concatenating strings that may contain user-supplied input.

In SQL, the same problem is called “SQL Injection”.

It may be tempting to suggest that this is not an issue for read-only SPARQL queries, but resource exhaustion can also be a very real concern, especially with RDF JavaScript libraries that are used to prepare queries.


One Response to “What’s the best way to parameterize SPARQL queries?”

  • Austin Wright

    SPARQL already has a really neat feature of its syntax, the variable. In my query library, I offer the option to bind a variable in the query to a specific value, so then then you can perform the query similarly to a prepared statement.

    For databases in general, I’d only ever consider using prepared statements.
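The two approaches discussed on this page, concatenating user input into the query text versus binding a SPARQL variable to a value the way a prepared statement would, side by side. This is an added example written for this page; it is not code from the post or from Austin Wright's query library. The FOAF predicate is real; the template, the helper names (`sparqlStringLiteral`, `sparqlIri`, `bindVariables`) and the sample input are constructed for the demonstration.

```javascript
// Added example (not code from the W3C post or from Austin Wright's library).
// It contrasts building a SPARQL query by string concatenation with binding a
// query variable to a value that is serialized according to the SPARQL grammar.

const FOAF_NAME = 'http://xmlns.com/foaf/0.1/name';

// Characters that must be escaped inside a SPARQL "..." string literal.
const LITERAL_ESCAPES = { '\\': '\\\\', '"': '\\"', '\n': '\\n', '\r': '\\r', '\t': '\\t' };

// Serialize a JavaScript string as a SPARQL string literal, so that nothing
// inside the value can terminate the literal or the enclosing graph pattern.
function sparqlStringLiteral(value) {
  if (typeof value !== 'string') throw new TypeError('string literal expected');
  return '"' + value.replace(/[\\"\n\r\t]/g, (ch) => LITERAL_ESCAPES[ch]) + '"';
}

// Serialize an IRI, rejecting characters the IRIREF production forbids
// (anything that could close the <...> delimiter or smuggle in whitespace).
function sparqlIri(value) {
  if (typeof value !== 'string' || value.length === 0 ||
      /[<>"{}|^`\\\u0000-\u0020]/.test(value)) {
    throw new Error('value is not a valid IRI reference');
  }
  return '<' + value + '>';
}

// UNSAFE: the pattern the post warns against. The user-controlled name is
// pasted straight into the query text.
function buildByConcatenation(name) {
  return 'SELECT ?person WHERE { ?person <' + FOAF_NAME + '> "' + name + '" }';
}

// SAFE: keep the query text fixed and bind ?name to a value, the way a
// prepared statement would. Each binding is serialized by type; variables
// without a binding are left as variables so the query still projects them.
function bindVariables(template, bindings) {
  return template.replace(/\?([A-Za-z_][A-Za-z0-9_]*)/g, (match, name) => {
    if (!Object.prototype.hasOwnProperty.call(bindings, name)) return match;
    const { type, value } = bindings[name];
    if (type === 'iri') return sparqlIri(value);
    if (type === 'literal') return sparqlStringLiteral(value);
    throw new Error('unsupported binding type: ' + type);
  });
}

// Fixed, developer-controlled query template (constructed for this example).
const TEMPLATE = 'SELECT ?person WHERE { ?person <' + FOAF_NAME + '> ?name }';

function buildByBinding(name) {
  return bindVariables(TEMPLATE, { name: { type: 'literal', value: name } });
}

// Cheap structural check: a query whose only literal is the bound name should
// contain exactly two unescaped double quotes. More than that means the input
// closed the literal early and the query shape is no longer what was intended.
function unescapedQuoteCount(query) {
  let count = 0;
  for (let i = 0; i < query.length; i++) {
    if (query[i] === '\\') { i++; continue; }   // skip the escaped character
    if (query[i] === '"') count++;
  }
  return count;
}

// Constructed input: an ordinary name that happens to contain double quotes.
const INPUT = 'Jane "JJ" Doe';
console.log(buildByConcatenation(INPUT), '->', unescapedQuoteCount(buildByConcatenation(INPUT)), 'quotes');
console.log(buildByBinding(INPUT), '->', unescapedQuoteCount(buildByBinding(INPUT)), 'quotes');
```

With the sample input, the concatenated query ends up with four unescaped quotes, so the literal closes after `Jane ` and the rest of the name becomes query tokens; the bound version keeps exactly two and the full name stays inside one literal. Two design points worth noting: `bindVariables` substitutes `?name` anywhere it appears, so the template must be fixed text under the developer's control (never itself assembled from input), and values are typed at the binding site, so a value meant as a literal can never be emitted as an IRI or vice versa.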

