RDFLib / sparqlwrapper

A wrapper for a remote SPARQL endpoint
https://sparqlwrapper.readthedocs.io/

Parameterized query #104

Closed wonkydonky closed 6 years ago

wonkydonky commented 6 years ago

Is it possible to use this library to create a SPARQL query using parameters? I'm trying to avoid string concatenation for building my queries, but I can't find any library that does this.

For example:

    sparql = SPARQLWrapper ("endpoint")
    sparql.setQuery ('select * where { ?sbj ex:name "' + name + '" }')

should be instead

    sparql = SPARQLWrapper ("endpoint")
    sparql.setQuery ('select * where { ?sbj ex:name $name }', name='Alice')

dayures commented 6 years ago

I think that the issue raised is more related to "how to concatenate strings" than the use of the library itself.

Without changing the library, I have prepared a quick example using the module Template.

    from SPARQLWrapper import SPARQLWrapper, JSON
    from string import Template

    sparql = SPARQLWrapper("http://dbpedia.org/sparql")

    # $uri is filled in by Template.substitute() below
    query = Template("""
        PREFIX rdfs: <http://www.w3.org/2000/01/rdf-schema#>
        SELECT ?label
        WHERE { $uri rdfs:label ?label }
    """)

    sparql.setQuery(query.substitute(uri='<http://dbpedia.org/resource/Asturias>'))
    sparql.setReturnFormat(JSON)
    results = sparql.query().convert()
    for result in results["results"]["bindings"]:
        print(result["label"]["value"])

wonkydonky commented 6 years ago

@dayures thanks for the example. The problem, however, is not about concatenating strings; I'd say it's about sanitizing the input. For example

    query = Template("""
        SELECT *
        WHERE {
            ?sbj ex:name $name
        }
    """)

I'm looking for a way to replace $name with a sanitized value, that is, it should be escaped.

dayures commented 6 years ago

@wonkydonky What do you mean by sanitized? Could you provide an example of not sanitized?

wonkydonky commented 6 years ago

could you provide an example of not sanitized?

In the query above, a valid $name is "alice" and an invalid one is "alice o"brian" (the quote in the middle should be escaped) or @½-³ (this should be quoted). In short, anything that breaks the query syntax or that doesn't guard against injection attacks.

dayures commented 6 years ago

Related documentation: http://www.morelab.deusto.es/code_injection/

dayures commented 6 years ago

@wonkydonky do you know any module that provides helpers to know if a string is sanitized (in terms of SPARQL)?

BTW, I am thinking about whether this interesting issue should be tackled within the scope of SPARQLWrapper or, maybe, the responsibility for checking if the query is sanitized belongs to another element.
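As an added example (not part of this thread and not SPARQLWrapper's own code), one way to do the escaping wonkydonky describes: render each parameter as a complete SPARQL term before it reaches the Template, so a value like alice o"brian or @½-³ can only ever be a string literal. The helper names sparql_literal, sparql_iri and build_query, and the ex: prefix in the query, are assumptions.

```python
import re
from string import Template

# SPARQL 1.1 ECHAR escapes: backslash, the quote delimiter and control
# characters must be escaped inside a "..." literal.
_ESCAPES = {
    "\\": "\\\\",
    '"': '\\"',
    "\n": "\\n",
    "\r": "\\r",
    "\t": "\\t",
    "\b": "\\b",
    "\f": "\\f",
}

def sparql_literal(value, lang=None):
    """Render a Python str as a quoted SPARQL literal. 'alice o"brian'
    becomes "alice o\\"brian", so the embedded quote can no longer close
    the literal early and leave room for extra triple patterns."""
    escaped = "".join(_ESCAPES.get(ch, ch) for ch in value)
    out = f'"{escaped}"'
    if lang is not None:
        if not re.fullmatch(r"[A-Za-z]+(-[A-Za-z0-9]+)*", lang):
            raise ValueError(f"invalid language tag: {lang!r}")
        out += f"@{lang}"
    return out

# IRIREF forbids <, >, ", {, }, |, ^, `, backslash and control/space.
_IRI_BAD = re.compile(r'[<>"{}|^`\\\x00-\x20]')

def sparql_iri(value):
    """Wrap an absolute IRI in <...>, rejecting (not encoding) characters
    that would terminate the IRIREF token."""
    if ":" not in value or _IRI_BAD.search(value):
        raise ValueError(f"not a safe IRI: {value!r}")
    return f"<{value}>"

def build_query(template, **params):
    """Substitute pre-rendered terms into a Template. substitute() raises
    KeyError on a missing parameter, so a typo never leaves a bare $name."""
    return Template(template).substitute(**params)

# Constructed query in the shape of the one from the thread (hypothetical ex: prefix).
QUERY = "SELECT * WHERE { ?sbj ex:name $name }"

if __name__ == "__main__":
    print(build_query(QUERY, name=sparql_literal('alice o"brian')))
    print(build_query(QUERY, name=sparql_literal("@½-³")))
```

The escaping only holds when $name stands where a whole RDF term is expected; putting the placeholder inside an existing quoted string in the template would undo it.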

dayures commented 6 years ago

Thanks for contributing to this issue. As it has been 90 days since the last activity, we are automatically closing the issue. This is often because the request was already solved in some way and it just wasn't updated or it's no longer applicable. If that's not the case, please do feel free to either reopen this issue or open a new one. We'll gladly take a look again!