imprint

Channel #semsol: Logs

This is a public chat log generated from the #semsol IRC channel.

Date

< 2009>< 03 >< 13 >

09:23:37 elbart: how can I correctly escape characters for a sparql query? I have literals and URIs. Now I have to filter them, otherwise I have the same problem as with SQL (SQL injection).

09:26:18 elbart: does ARC2 provide such a method?

09:26:30 elbart: or how do you solve this problem?

09:27:17 bengee: so far, arc only does mysql_real_escape

09:28:33 elbart: hm but this is not enough for URIs, isnt'it

09:28:59 elbart: I mean does mysql_real_escape escape the '<' and '>' characters

09:29:08 bengee: broken URIs won't get through the SPARQL parser

09:30:15 bengee: the achilles heel of a sparql system is the REGEX filter

09:30:49 elbart: there's another problem if I have literals

09:30:52 elbart: foaf:nick e.g.

09:31:00 elbart: and the nick contains "

09:31:09 elbart: how do you solve it?

09:31:23 bengee: it has to be valid turtle

09:31:25 elbart: then you have something like "foo " bar "

09:31:38 elbart: sry how is that solve in turtle?

09:31:51 bengee: """foo " bar"""

09:31:59 bengee: or 'foo " bar'

09:32:05 elbart: ah this was what i was searching for, thx

09:34:47 bengee: arc tries to create the right quotation marks. if the string is already like """foo \'\'\' bar " baz 'bat""" it'll escape or tweak the string

09:36:25 bengee: there may still be a way to sneak in malicious code, though. if you find anything please ping me

09:36:35 elbart: k but if i don't escape it while creating the query then there is still the security leak of injection

09:37:20 elbart: maybe an escape method with like escape($value, $type) with $type = literal|uri would be useful

09:37:47 bengee: the god thing is that there's a 2-step process. each query MUST be valid SPARQL, and then it's escaped when converted to SQL

09:37:55 bengee: so you can't get to the SLQ directly

09:38:01 bengee: s/SLQ/SQL/

09:38:21 bengee: s/god/good/ sigh

09:38:39 elbart: yeah i don't talk about sql injection, I'm talking about SPARQL injection ;)

09:40:00 bengee: ah, ok, but that's beyond arc then, unless you use the sparqlscript component which supports parameters

09:41:27 elbart: no

09:41:40 elbart: I have a $value lets say from $_GET

09:42:15 elbart: and I want to insert this value like this: INSERT INTO <foobar> { <foobar> foaf:nick "$value" }

09:42:59 elbart: then $value could be "foobar" . <foobar> foaf:givenname "haha hacked" ."

09:43:33 bengee: right

09:51:02 bengee: what you could do is parsing your template and checking the number of triples or the term types before you insert the pattern in the sparql query

09:59:27 elbart: the " => "" should do the job

Logs