Kingsley,

I'm not sure exactly how this helps me. Let me be clearer on the problem.
Because this application runs within a federal government site, I'm required to 
submit my source code to static analysis. Although the data is read-only, and 
the database user has only read-only access, there are still general guidelines.
I'm inquiring in the sense therefore that I want to figure out the boundaries 
of how Virtuoso JDBC can enable me to pass these guidelines, even though I 
think I can get an exemption by labeling the SQL injection complaint a false 
positive.

What I'm talking about is doing this through a JDBC interface, and rather than 
using a query of the form:

        // One Java statement: the "+" continuation lines must not be broken by a ";"
        String queryFormat = "SPARQL"
            + " define input:inference \"http://id.nlm.nih.gov/mesh/vocab\""
            + " PREFIX rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#>"
            + " PREFIX rdfs: <http://www.w3.org/2000/01/rdf-schema#>"
            + " PREFIX xsd: <http://www.w3.org/2001/XMLSchema#>"
            + " PREFIX owl: <http://www.w3.org/2002/07/owl#>"
            + " PREFIX meshv: <http://id.nlm.nih.gov/mesh/vocab#>"
            + " PREFIX mesh: <http://id.nlm.nih.gov/mesh/>"
            + " SELECT ?l"
            + " FROM <http://id.nlm.nih.gov/mesh>"
            + " WHERE { mesh:%s %s ?l }";
        // Both the id and the property are interpolated into the query text here,
        // which is what the static analyzer flags.
        String query = String.format(queryFormat, id, prop);
        log.info(query);
        Statement stmt = connection.createStatement();
        ResultSet rset = stmt.executeQuery(query);

I would rather do this using a prepared statement, maybe still formatting in 
the property so that the query plan can benefit from the predicate index:

        // One Java statement: the "+" continuation lines must not be broken by a ";"
        String queryFormat = "SPARQL"
            + " define input:inference \"http://id.nlm.nih.gov/mesh/vocab\""
            + " PREFIX rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#>"
            + " PREFIX rdfs: <http://www.w3.org/2000/01/rdf-schema#>"
            + " PREFIX xsd: <http://www.w3.org/2001/XMLSchema#>"
            + " PREFIX owl: <http://www.w3.org/2002/07/owl#>"
            + " PREFIX meshv: <http://id.nlm.nih.gov/mesh/vocab#>"
            + " PREFIX mesh: <http://id.nlm.nih.gov/mesh/>"
            + " SELECT ?l"
            + " FROM <http://id.nlm.nih.gov/mesh>"
            + " WHERE { ?? %s ?l }";   // ?? is the Virtuoso parameter marker
        // Only the property is still interpolated; the subject is bound below.
        String query = String.format(queryFormat, prop);
        log.info(query);
        PreparedStatement stmt = connection.prepareStatement(query);
        stmt.setString(1, "http://id.nlm.nih.gov/mesh/"+id);
        ResultSet rset = stmt.executeQuery();

So far, this general approach of using a prepared statement is not working for 
me. I may struggle through it, but is there any way for me to preserve the 
convenience of prefixes:

... WHERE { mesh:?? %s ?l };

And then later bind the query argument?
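One way to structure this so that the PREFIX block stays fixed text and neither user-supplied value can alter the query, written as an added example for this thread rather than code from the poster or from OpenLink. The predicate position cannot be a JDBC parameter, so the property is checked against an allow-list before it is interpolated (keeping the predicate-index benefit mentioned above); the subject uses the `??` marker from the thread, bound as the full mesh: IRI string. The allow-list contents, the id regex, the class and method names, and the backtick-quoted `iri(??)` form (assumed Virtuoso syntax for evaluating an expression in a triple pattern; confirm against the driver documentation) are all assumptions of this example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Added example (not code from the thread): keep the convenience of PREFIX
 * declarations while ensuring the two untrusted inputs, the descriptor id and
 * the property, can never change the shape of the query.
 */
public final class MeshLabelQuery {

    /** Constructed allow-list: the only predicates ever placed in the predicate position. */
    private static final Set<String> ALLOWED_PROPS = Set.of(
        "rdfs:label", "meshv:treeNumber", "meshv:broaderDescriptor");

    /** Assumed shape of a MeSH id; tighten it to the ids the application really uses. */
    private static final Pattern MESH_ID = Pattern.compile("^[A-Z][0-9]{6,9}$");

    private static final String MESH_NS = "http://id.nlm.nih.gov/mesh/";

    /** The PREFIX block is a constant; nothing user-supplied is concatenated into it. */
    private static final String QUERY_HEAD = "SPARQL"
        + " define input:inference \"http://id.nlm.nih.gov/mesh/vocab\""
        + " PREFIX rdfs: <http://www.w3.org/2000/01/rdf-schema#>"
        + " PREFIX meshv: <http://id.nlm.nih.gov/mesh/vocab#>"
        + " PREFIX mesh: <http://id.nlm.nih.gov/mesh/>"
        + " SELECT ?l"
        + " FROM <http://id.nlm.nih.gov/mesh>";

    /**
     * Builds the query text. The property is interpolated only after it matched the
     * allow-list. The subject is the ?? parameter marker wrapped in iri(...) inside
     * backticks (assumed Virtuoso syntax) so the bound string is treated as an IRI.
     */
    static String buildQuery(String prop) {
        if (prop == null || !ALLOWED_PROPS.contains(prop)) {
            throw new IllegalArgumentException("property not in allow-list");
        }
        return QUERY_HEAD + " WHERE { `iri(??)` " + prop + " ?l }";
    }

    /** Rejects anything that is not a bare id, so the bound value is always a well-formed mesh: IRI. */
    static String subjectIri(String id) {
        if (id == null || !MESH_ID.matcher(id).matches()) {
            throw new IllegalArgumentException("malformed MeSH id");
        }
        return MESH_NS + id;
    }

    /** Runs the query over an existing Virtuoso JDBC connection and collects the ?l bindings. */
    static List<String> labels(Connection connection, String id, String prop) throws SQLException {
        String query = buildQuery(prop);      // fixed text plus an allow-listed predicate
        String subject = subjectIri(id);      // validated, then bound, never concatenated
        try (PreparedStatement stmt = connection.prepareStatement(query)) {
            stmt.setString(1, subject);
            try (ResultSet rset = stmt.executeQuery()) {
                List<String> out = new ArrayList<>();
                while (rset.next()) {
                    out.add(rset.getString(1));
                }
                return out;
            }
        }
    }

    public static void main(String[] args) {
        // Offline demonstration of the validation path; no database connection needed.
        System.out.println(buildQuery("rdfs:label"));
        System.out.println(subjectIri("D000001"));
        try {
            buildQuery("ex:notAllowed");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The split matters for the static-analysis finding: the analyzer objects to a query string assembled from method arguments, and the allow-list turns `prop` from free text into one of a fixed set of constants, which most scanners accept as a sanitizer once the check is annotated or configured. If the `iri(??)` form turns out not to be supported by the installed Virtuoso version, the fallback is to validate `id` with the same regex and interpolate `mesh:` + id as the thread's first snippet does, with the regex being the control the scanner is pointed at.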

From: Kingsley Idehen [mailto:kide...@openlinksw.com]
Sent: Friday, October 21, 2016 6:36 PM
To: virtuoso-users@lists.sourceforge.net
Subject: Re: [Virtuoso-users] Using PREFIX in a prepared Statement

On 10/21/16 5:36 PM, Davis, Daniel (NIH/NLM) [C] wrote:
So, I must run my application through a source code scanner, and it is 
reasonably complaining that I am using String.format() and 
stmt.executeQuery(query) with the Virtuoso JDBC connection.

Yet, this is SPARQL.   I see some discussion of prepared statements on this 
list in the past.   What I want to know is:

* What is the best way to get this to work at all?

* Is there any way I can bind a parameter whose value includes a PREFIX 
in the query? Something like stmt.setString(1, "mesh:D20189");

Dan Davis, Systems/Applications Architect (Contractor),
Office of Computer and Communications Systems,
National Library of Medicine, NIH

I assume your query is of the form:

SPARQL
{SPARQL-Query}

OR

SELECT {SELECT-LIST}
FROM {SPARQL {SPARQL-QUERY} } AS {SQL Tabular Relation ALIAS} .

[1] http://bit.ly/sparql-as-sql-tabular-relation -- SPARQL Query as SQL Tabular 
Relation (note: user "vdb" for user and pwd) in FROM CLAUSE

[2] http://bit.ly/sparql-as-sql-tabular-relation2 -- SPARQL Query as SQL 
Tabular Relation

--
Regards,

Kingsley Idehen
Founder & CEO
OpenLink Software   (Home Page: http://www.openlinksw.com)

Weblogs (Blogs):
Legacy Blog: http://www.openlinksw.com/blog/~kidehen/
Blogspot Blog: http://kidehen.blogspot.com
Medium Blog: https://medium.com/@kidehen

Profile Pages:
Pinterest: https://www.pinterest.com/kidehen/
Quora: https://www.quora.com/profile/Kingsley-Uyi-Idehen
Twitter: https://twitter.com/kidehen
Google+: https://plus.google.com/+KingsleyIdehen/about
LinkedIn: http://www.linkedin.com/in/kidehen

Web Identities (WebID):
Personal: http://kingsley.idehen.net/dataspace/person/kidehen#this
        : http://id.myopenlink.net/DAV/home/KingsleyUyiIdehen/Public/kingsley.ttl#this


_______________________________________________
Virtuoso-users mailing list
Virtuoso-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/virtuoso-users