A Parameterized SPARQL String is a SPARQL query/update into which values may be injected.
Injecting Values
Values may be injected in several ways:
- By treating a variable in the SPARQL string as a parameter
- Using JDBC style positional parameters
- Appending values directly to the command text being built
Variable Parameters
Any variable in the command may have a value injected to it, injecting a value replaces all usages of that variable in the command i.e. substitutes the variable for a constant, injection is done by textual substitution.
Positional Parameters
You can use JDBC style positional parameters if you prefer, a JDBC style parameter is a single {@code ?} followed by whitespace or certain punctuationcharacters (currently {@code ; , .}). Positional parameters have a unique index which reflects the order in which they appear in the string. Positional parameters use a zero based index.
Buffer Usage Additionally you may use this purely as a {@link StringBuffer} replacement for creating queries since it provides alarge variety of convenience methods for appending things either as-is or as nodes (which causes appropriate formatting to be applied). Intended Usage
The intended usage of this is where using a {@link QuerySolutionMap} asinitial bindings is either inappropriate or not possible e.g.
- Generating query/update strings in code without lots of error prone and messy string concatenation
- Preparing a query/update for remote execution
- Where you do not want to simply say some variable should have a certain value but rather wish to insert constants into the query/update in place of variables
- Defending against SPARQL injection when creating a query/update using some external input, see SPARQL Injection notes for limitations.
- Provide a more convenient way to prepend common prefixes to your query
This class is useful for preparing both queries and updates hence the generic name as it provides programmatic ways to replace variables in the query with constants and to add prefix and base declarations. A {@link Query} or{@link UpdateRequest} can be created using the {@link #asQuery()} and{@link #asUpdate()} methods assuming the command an instance represents isactually valid as a query/update.
Warnings
- Note that this class does not in any way check that your command is syntactically correct until such time as you try and parse it as a {@link Query} or {@link UpdateRequest}.
- Also note that injection is done purely based on textual replacement, it does not understand or respect variable scope in any way. For example if your command text contains sub queries you should ensure that variables within the sub query which you don't want replaced have distinct names from those in the outer query you do want replaced (or vice versa)
SPARQL Injection Notes
While this class was in part designed to prevent SPARQL injection it is by no means foolproof because it works purely at the textual level. The current version of the code addresses some possible attack vectors that the developers have identified but we do not claim to be sufficiently devious to have thought of and prevented every possible attack vector.
Therefore we strongly recommend that users concerned about SPARQL Injection attacks perform their own validation on provided parameters and test their use of this class themselves prior to its use in any security conscious deployment. We also recommend that users do not use easily guess-able variable names for their parameters as these can allow a chained injection attack though generally speaking the code should prevent these.