Theo Stefou

Reputation: 645

How to protect my system, which runs the Sesame triplestore, from injections when querying using SPARQL?

Title says it all. Is there something equivalent to SQL's prepared statements?

Upvotes: 0

Views: 174

Answers (1)

Jeen Broekstra

Reputation: 22042

(assuming you are using a recent version of RDF4J, and not Sesame)

To prevent vulnerabilities due to injection, a simple approach is to use a prepared query, and use Query#setBinding to inject actual user input values into your query. For example:

// con is an open RepositoryConnection; factory is its ValueFactory
// (con.getValueFactory()). Some input keyword to inject:
String keyword = "foobar";

// the query text is fixed and contains only a variable where the input goes
TupleQuery query = con.prepareTupleQuery(
       "PREFIX ex: <http://example.org/> "
     + "SELECT ?document WHERE { ?document ex:keyword ?keyword . }");

// inject the input keyword as an RDF literal, not as query text
query.setBinding("keyword", factory.createLiteral(keyword));

// execute the query
TupleQueryResult result = query.evaluate();

For more advanced control, RDF4J also has a SparqlBuilder, a fluent API for creating SPARQL queries in Java, for this purpose. For example:

String keyword = "foobar";

Prefix ex = SparqlBuilder.prefix("ex", Rdf.iri("http://example.org/"));
Variable document = SparqlBuilder.var("document");

// the builder escapes the literal when it renders the query string
SelectQuery query = Queries.SELECT().prefix(ex).select(document)
        .where(GraphPatterns.tp(document, ex.iri("keyword"), Rdf.literalOf(keyword)));

String sparql = query.getQueryString();

Upvotes: 1
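To make the difference concrete, the following is an added, self-contained example (not code from the answer above or from the RDF4J project) that runs the vulnerable string-concatenation pattern and the setBinding pattern from the answer side by side against an in-memory RDF4J store loaded with two constructed triples. The class name, the `ex:` namespace, the two document IRIs and the attack string are all assumptions made for the demonstration; the RDF4J API calls (SailRepository, MemoryStore, prepareTupleQuery, setBinding) are the library's real ones.

```java
import java.util.ArrayList;
import java.util.List;

import org.eclipse.rdf4j.model.IRI;
import org.eclipse.rdf4j.model.ValueFactory;
import org.eclipse.rdf4j.query.BindingSet;
import org.eclipse.rdf4j.query.QueryLanguage;
import org.eclipse.rdf4j.query.TupleQuery;
import org.eclipse.rdf4j.query.TupleQueryResult;
import org.eclipse.rdf4j.repository.Repository;
import org.eclipse.rdf4j.repository.RepositoryConnection;
import org.eclipse.rdf4j.repository.sail.SailRepository;
import org.eclipse.rdf4j.sail.memory.MemoryStore;

public class SparqlInjectionDemo {

    // Assumed namespace for the example data.
    static final String EX = "http://example.org/";
    static final String PREFIX = "PREFIX ex: <" + EX + "> ";

    // Vulnerable: the user input is spliced into the query text, so a quote
    // and SPARQL operators inside the input are parsed as part of the query.
    static List<String> unsafeSearch(RepositoryConnection con, String userInput) {
        String sparql = PREFIX
            + "SELECT ?document WHERE { ?document ex:keyword ?k . "
            + "FILTER(?k = \"" + userInput + "\") }";
        return run(con.prepareTupleQuery(QueryLanguage.SPARQL, sparql));
    }

    // Hardened (the pattern from the answer): the query text never changes;
    // the input is handed over as an RDF literal through setBinding, so it
    // can only ever be compared as a value, never parsed as SPARQL.
    static List<String> safeSearch(RepositoryConnection con, String userInput) {
        TupleQuery query = con.prepareTupleQuery(QueryLanguage.SPARQL,
            PREFIX + "SELECT ?document WHERE { ?document ex:keyword ?keyword . }");
        query.setBinding("keyword", con.getValueFactory().createLiteral(userInput));
        return run(query);
    }

    // Collect the ?document bindings of a query as strings.
    static List<String> run(TupleQuery query) {
        List<String> docs = new ArrayList<>();
        try (TupleQueryResult result = query.evaluate()) {
            while (result.hasNext()) {
                BindingSet bs = result.next();
                docs.add(bs.getValue("document").stringValue());
            }
        }
        return docs;
    }

    public static void main(String[] args) {
        Repository repo = new SailRepository(new MemoryStore());
        try (RepositoryConnection con = repo.getConnection()) {
            ValueFactory vf = con.getValueFactory();
            IRI keyword = vf.createIRI(EX, "keyword");
            // Constructed sample data: one public and one restricted document.
            con.add(vf.createIRI(EX, "doc1"), keyword, vf.createLiteral("public"));
            con.add(vf.createIRI(EX, "doc2"), keyword, vf.createLiteral("secret"));

            // Attacker-controlled input, the SPARQL analogue of OR 'a'='a':
            // it closes the string literal and appends an always-true disjunct,
            // turning the FILTER into  ?k = "x" || "a" = "a".
            String attack = "x\" || \"a\" = \"a";

            System.out.println("concatenated: " + unsafeSearch(con, attack)); // both documents
            System.out.println("bound:        " + safeSearch(con, attack));   // no documents
        } finally {
            repo.shutDown();
        }
    }
}
```

Run it with rdf4j-repository-sail and rdf4j-sail-memory on the classpath. The concatenated version returns ex:doc1 and ex:doc2 because the injected `|| "a" = "a"` makes the FILTER true for every row; the bound version returns nothing because the whole attack string is compared, as one literal, against the keyword values and matches none of them. The same reasoning covers the SparqlBuilder approach: Rdf.literalOf produces an escaped literal, so the rendered query text cannot be broken out of either.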
