使用 SPARQL 查询时,如何保护运行 Sesame Triplestore 的系统免受注入?
[英]How to protect my system, which runs the Sesame triplestore, from injections when querying using SPARQL?
问题描述
Title says it all.
标题说明了一切。 Is there something equivalent to SQL's prepared statements?是否有与 SQL 的预处理语句等效的东西?
1 个解决方案
解决方案1
1 2019-11-16 08:59:13
(assuming you are using a recent version of RDF4J, and not Sesame) (假设您使用的是最新版本的 RDF4J,而不是 Sesame)
To prevent vulnerabilities due to injection, a simple approach is to use a prepared query , and use Query#setBinding to inject actual user input values into your query.为了防止由于注入导致的漏洞,一个简单的方法是使用准备好的查询,并使用Query#setBinding将实际的用户输入值注入到您的查询中。 For example:例如:
// some input keyword to inject
String keyword = "foobar";
TupleQuery query = con.prepareTupleQuery(
"PREFIX ex: <htt://example.org/> "
+ "SELECT ?document WHERE { ?document ex:keyword ?keyword . }");
// inject the input keyword
query.setBinding("keyword", factory.createLiteral(keyword));
// execute the query
TupleQueryResult result = query.evaluate();
For more advanced control, RDF4J also has a SparqlBuilder , a fluent API for creating SPARQL queries in Java, for this purpose.对于更高级的控制,RDF4J 还有一个SparqlBuilder ,一个流利的 API 用于在 Java 中创建 SPARQL 查询,用于此目的。 For example:例如:
String keyword = "foobar";
Prefix ex = SparqlBuilder.prefix("ex", Rdf.iri("http://example.org/"));
Variable document = SparqlBuilder.var("document");
SelectQuery query = Queries.SELECT().prefix(ex).select(document)
.where(GraphPatterns.tp(document, ex.iri("keyword"), Rdf.literalOf(keyword));
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.