Posted to commits@jena.apache.org by bu...@apache.org on 2013/04/16 13:41:49 UTC

svn commit: r858661 - in /websites/staging/jena/trunk/content: ./ documentation/query/index.html documentation/query/paramertized-sparql-string.html documentation/query/parameterized-sparql-strings.html

Author: buildbot
Date: Tue Apr 16 11:41:49 2013
New Revision: 858661

Log:
Staging update by buildbot for jena

Added:
    websites/staging/jena/trunk/content/documentation/query/parameterized-sparql-strings.html
Removed:
    websites/staging/jena/trunk/content/documentation/query/paramertized-sparql-string.html
Modified:
    websites/staging/jena/trunk/content/   (props changed)
    websites/staging/jena/trunk/content/documentation/query/index.html

Propchange: websites/staging/jena/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Tue Apr 16 11:41:49 2013
@@ -1 +1 @@
-1468279
+1468378

Modified: websites/staging/jena/trunk/content/documentation/query/index.html
==============================================================================
--- websites/staging/jena/trunk/content/documentation/query/index.html (original)
+++ websites/staging/jena/trunk/content/documentation/query/index.html Tue Apr 16 11:41:49 2013
@@ -222,6 +222,7 @@ SPARQL is the query language developed b
 </li>
 <li><a href="sparql-remote.html">Querying remote SPARQL services</a></li>
 <li><a href="programmatic.html">Constructing queries programmatically</a></li>
+<li><a href="parameterized-sparql-strings.html">Parameterized query strings</a></li>
 <li><a href="algebra.html">ARQ and the SPARQL algebra</a></li>
 <li><a href="arq-query-eval.html">Extending ARQ query execution and accessing different storage implementations</a></li>
 </ul>
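Review bot: the new link text "Parameterized query strings" does not match the title of the page it points to ("Parameterized SPARQL String", see the added file's `<title>` and `<h1>`), so the index and the page should agree on one name, e.g. `<li><a href="parameterized-sparql-strings.html">Parameterized SPARQL strings</a></li>`. Since this commit also removes the misspelled `paramertized-sparql-string.html`, any existing links or bookmarks to the old URL will now 404; if that page was ever published, a redirect from the old path to the new one is worth adding alongside this index change.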

Added: websites/staging/jena/trunk/content/documentation/query/parameterized-sparql-strings.html
==============================================================================
--- websites/staging/jena/trunk/content/documentation/query/parameterized-sparql-strings.html (added)
+++ websites/staging/jena/trunk/content/documentation/query/parameterized-sparql-strings.html Tue Apr 16 11:41:49 2013
@@ -0,0 +1,245 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<!--
+
+    Licensed to the Apache Software Foundation (ASF) under one or more
+    contributor license agreements.  See the NOTICE file distributed with
+    this work for additional information regarding copyright ownership.
+    The ASF licenses this file to You under the Apache License, Version 2.0
+    (the "License"); you may not use this file except in compliance with
+    the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE- 2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+-->
+
+  <link href="/css/jena.css" rel="stylesheet" type="text/css">
+
+  <title>Apache Jena - Parameterized SPARQL String</title>
+  <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+  <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js" type="text/javascript"></script>
+  <script src="/js/jena-navigation.js" type="text/javascript"></script>
+</head>
+
+<body>
+  <div id="header">
+    <div id="logoblock">
+    <img alt="Apache Jena" src="/images/jena-logo/jena-logo-small.png"/>
+    </div>
+
+    <div id="titleblock">
+      <h1 class="title">Apache Jena</h1>
+      <div id="topmenu" class="tabbar round-10">
+        <ul>
+        <li class="round-top-8"><a class="round-top-8" href="/index.html" id="home_menu">Home</a></li>
+        <li class="round-top-8"><a class="round-top-8" href="/help_and_support/index.html">Support</a></li>
+        <li class="round-top-8"><a class="round-top-8" href="/getting_started/index.html">Getting started</a></li>
+        <li class="round-top-8"><a class="round-top-8" href="/tutorials/index.html">Tutorials</a></li>
+        <li class="round-top-8"><a class="round-top-8" href="/documentation/index.html">Documentation</a></li>
+        </ul>
+      </div>
+    </div>
+  </div>
+
+  <div id="navigation" class="clear">
+  <h1 id="quick-links">Quick links</h1>
+<ul>
+<li><a href="/index.html">Home</a></li>
+<li><a href="/download/index.html">Downloads</a></li>
+<li><a href="/help_and_support/index.html">Help and support</a></li>
+<li><a href="/help_and_support/bugs_and_suggestions.html">Report a bug</a></li>
+<li><a href="/about_jena/roadmap.html">Roadmap</a></li>
+<li><a href="/getting_involved/index.html">Getting involved</a></li>
+<li><a href="/documentation/">Documentation</a></li>
+</ul>
+<h1 id="about-jena">About Jena</h1>
+<ul>
+<li><a href="/index.html">Home</a></li>
+<li><a href="/about_jena/about.html">About Jena</a></li>
+<li><a href="/about_jena/architecture.html">Architecture</a></li>
+<li><a href="/about_jena/roadmap.html">Roadmap</a></li>
+<li><a href="/about_jena/team.html">Project team</a></li>
+<li><a href="/about_jena/contributions.html">Related projects</a></li>
+</ul>
+<h1 id="download">Download</h1>
+<ul>
+<li><a href="/download/index.html">Downloading Jena</a></li>
+<li><a href="/download/maven.html">Using Maven</a></li>
+<li><a href="/download/osgi.html">Using OSGi</a></li>
+</ul>
+<h1 id="help-and-support">Help and support</h1>
+<ul>
+<li><a href="/help_and_support/index.html">Getting help</a></li>
+<li><a href="/help_and_support/bugs_and_suggestions.html">Bugs and suggestions</a></li>
+</ul>
+<h1 id="getting-started">Getting Started</h1>
+<ul>
+<li><a href="/getting_started/index.html">A first Jena project</a></li>
+<li><a href="/getting_started/rdf_api.html">RDF API overview</a></li>
+<li><a href="/getting_started/sparql.html">Querying RDF with SPARQL</a></li>
+<li><a href="/getting_started/fuseki.html">Serving RDF over HTTP</a></li>
+<li><a href="/getting_started/tell_me_how.html">Tell me how to ...</a></li>
+</ul>
+<h1 id="tutorials">Tutorials</h1>
+<ul>
+<li><a href="/tutorials/index.html">Tutorials index</a></li>
+<li><a href="/tutorials/rdf_api.html">RDF tutorial</a></li>
+<li><a href="/tutorials/sparql.html">SPARQL queries</a></li>
+<li><a href="/tutorials/using_jena_with_eclipse.html">Using Jena with Eclipse</a></li>
+</ul>
+<h1 id="documentation">Documentation</h1>
+<ul>
+<li><a href="/documentation/index.html">Overview</a></li>
+<li><a href="/documentation/javadoc/">Javadoc</a></li>
+<li><a href="/documentation/rdf/index.html">RDF</a></li>
+<li><a href="/documentation/io/index.html">I/O</a></li>
+<li><a href="/documentation/query/index.html">SPARQL (ARQ)</a><ul>
+<li><a href="/documentation/query/app_api.html">Application API</a></li>
+<li><a href="/documentation/query/cmds.html">Command line utilities</a></li>
+</ul>
+</li>
+<li><a href="/documentation/tdb/index.html">TDB</a><ul>
+<li><a href="/documentation/tdb/tdb_transactions.html">API for Transactions</a></li>
+<li><a href="/documentation/tdb/assembler.html">Dataset Assembler</a></li>
+</ul>
+</li>
+<li><a href="/documentation/serving_data/index.html">Fuseki: Serving Data</a></li>
+<li><a href="/documentation/ontology/index.html">Ontology</a></li>
+<li><a href="/documentation/inference/index.html">Inference</a></li>
+<li><a href="/documentation/assembler/index.html">Assembler</a><ul>
+<li><a href="/documentation/assembler/assembler-howto.html">Assembler how-to</a></li>
+<li><a href="/documentation/assembler/inside-assemblers.html">Inside assemblers</a></li>
+</ul>
+</li>
+<li><a href="/documentation/sdb/index.html">SDB</a></li>
+<li><a href="/documentation/larq/index.html">LARQ: Free Text Search</a></li>
+<li><a href="/documentation/notes/index.html">Notes</a><ul>
+<li><a href="/documentation/notes/concurrency-howto.html">Concurrency how-to</a></li>
+<li><a href="/documentation/notes/event-handler-howto.html">Event handler how-to</a></li>
+<li><a href="/documentation/notes/file-manager.html">File manager how-to</a></li>
+<li><a href="/documentation/notes/model-factory.html">Model factory how-to</a></li>
+<li><a href="/documentation/notes/rdf-frames.html">RDF frames</a></li>
+<li><a href="/documentation/notes/reification.html">Reification how-to</a></li>
+<li><a href="/documentation/notes/typed-literals.html">Typed literals how-to</a></li>
+<li><a href="/documentation/notes/iri.html">Support for IRI's</a></li>
+<li><a href="/documentation/notes/sse.html">SSE</a></li>
+</ul>
+</li>
+<li><a href="/documentation/tools/index.html">Tools</a><ul>
+<li><a href="/documentation/tools/schemagen.html">schemagen</a></li>
+<li><a href="/documentation/tools/eyeball-getting-started.html">eyeball</a></li>
+</ul>
+</li>
+</ul>
+<h1 id="getting-involved">Getting Involved</h1>
+<ul>
+<li><a href="/getting_involved/index.html">Contributing to Jena</a><ul>
+<li><a href="/getting_involved/reviewing_contributions.html">Reviewing Contributions</a></li>
+</ul>
+</li>
+</ul>
+<h1 id="asf-links">ASF links</h1>
+<ul>
+<li><a href="http://www.apache.org">Apache Software Foundation</a></li>
+<li><a href="http://www.apache.org/licenses/LICENSE-2.0">License</a></li>
+<li><a href="http://www.apache.org/foundation/thanks.html">Thanks</a></li>
+<li><a href="http://www.apache.org/foundation/sponsorship.html">Become a Sponsor</a></li>
+<li><a href="http://www.apache.org/security/">Security</a></li>
+</ul>
+  </div>
+
+  <div id="content">
+    <h1 class="title">Parameterized SPARQL String</h1>
+    <p>A Parameterized SPARQL String is a SPARQL query/update into which values
+may be injected.</p>
+<h3 id="injecting-values">Injecting Values</h3>
+<p>Values may be injected in several ways:</p>
+<ul>
+<li>By treating a variable in the SPARQL string as a parameter</li>
+<li>Using JDBC style positional parameters</li>
+<li>Appending values directly to the command text being built</li>
+</ul>
+<h4 id="variable-parameters">Variable Parameters</h4>
+<p>Any variable in the command may have a value injected to it, injecting a
+value replaces all usages of that variable in the command i.e.
+substitutes the variable for a constant, injection is done by textual
+substitution.</p>
+<h4 id="positional-parameters">Positional Parameters</h4>
+<p>You can use JDBC style positional parameters if you prefer, a JDBC style
+parameter is a single <tt>?</tt> followed by whitespace or certain
+punctuation characters (currently <tt>; , .</tt>). Positional parameters
+have a unique index which reflects the order in which they appear in the
+string. Positional parameters use a zero based index.</p>
+<h4 id="buffer-usage">Buffer Usage</h4>
+<p>Additionally you may use this purely as a <code>StringBuffer</code>
+replacement for creating queries since it provides a large variety of
+convenience methods for appending things either as-is or as nodes (which
+causes appropriate formatting to be applied).</p>
+<h3 id="intended-usage">Intended Usage</h3>
+<p>The intended usage of this is where using a <code>QuerySolutionMap</code> as
+initial bindings is either inappropriate or not possible e.g.</p>
+<ul>
+<li>Generating query/update strings in code without lots of error prone
+    and messy string concatenation</li>
+<li>Preparing a query/update for remote execution</li>
+<li>Where you do not want to simply say some variable should have a
+    certain value but rather wish to insert constants into the
+    query/update in place of variables</li>
+<li>Defending against SPARQL injection when creating a query/update
+    using some external input, see SPARQL Injection notes for
+    limitations.</li>
+<li>Provide a more convenient way to prepend common prefixes to your
+    query</li>
+</ul>
+<p>This class is useful for preparing both queries and updates hence the
+generic name as it provides programmatic ways to replace variables in
+the query with constants and to add prefix and base declarations. A
+<code>Query</code> or <code>UpdateRequest</code> can be created using 
+the <code>asQuery()</code> and <code>asUpdate()</code> methods assuming the command an
+instance represents is actually valid as a query/update.</p>
+<h3 id="warnings">Warnings</h3>
+<ol>
+<li>Note that this class does not in any way check that your command is
+    syntactically correct until such time as you try and parse it as a
+    <code>Query</code> or <code>UpdateRequest</code>.</li>
+<li>Also note that injection is done purely based on textual
+    replacement, it does not understand or respect variable scope in any
+    way. For example if your command text contains sub queries you
+    should ensure that variables within the sub query which you don't
+    want replaced have distinct names from those in the outer query you
+    do want replaced (or vice versa)</li>
+</ol>
+<h3 id="sparql-injection-notes">SPARQL Injection Notes</h3>
+<p>While this class was in part designed to prevent SPARQL injection it is
+by no means foolproof because it works purely at the textual level. The current
+version of the code addresses some possible attack vectors that the
+developers have identified but we do not claim to be sufficiently devious to
+have thought of and prevented every possible attack vector.</p>
+<p>Therefore we <strong>strongly</strong> recommend that users concerned about
+ SPARQL Injection attacks perform their own validation on provided parameters
+ and test their use of this class themselves prior to its use in any security
+ conscious deployment. We also recommend that users do not use easily
+ guess-able variable names for their parameters as these can allow a chained
+ injection attack though generally speaking the code should prevent these.</p>
+  </div>
+
+  <div id="footer">
+    <div class="copyright">
+      <p>
+        Copyright &copy; 2011&ndash;2013 The Apache Software Foundation, Licensed under
+        the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.
+        <br />
+        Apache Jena, Jena, the Apache Jena project logo,
+        Apache and the Apache feather logos are trademarks of The Apache Software Foundation.
+      </p>
+    </div>
+  </div>
+
+</body>
+</html>
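Review bot: the "Variable Parameters" paragraph says injection is "done by textual substitution" but never says whether the substituted constant is inserted verbatim or serialized as an RDF node with the escaping that implies; the "Buffer Usage" paragraph draws exactly that distinction for appending ("either as-is or as nodes"), and the "SPARQL Injection Notes" section's claims rest on it, so the Variable Parameters and Positional Parameters paragraphs should state how injected values are rendered and which value types are accepted. The "Intended Usage" bullet "see SPARQL Injection notes for limitations" should link to the anchor that already exists on the page, e.g. `see <a href="#sparql-injection-notes">SPARQL Injection Notes</a>`. The license comment in the head has a stray space in the URL (`LICENSE- 2.0`) that should read `LICENSE-2.0`, as in the footer. Finally, the page loads jQuery over plain `http://` from a third-party host (`ajax.googleapis.com`), which is a site-template concern rather than this page's, but is worth tracking separately.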