-
-
Notifications
You must be signed in to change notification settings - Fork 66
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Parameterization #661
Comments
Hi! That's a great point. Parameterization is indeed not implemented yet (and not standardized yet, there are two conflicting approaches...).
There is already a fairly simple solution: use the Oxigraph-provided RDF term objects ( |
Hi, thanks for the quick response :)
If the lack of standardization is a concern for implementation, perhaps a solution might be to make it require specifying an "unstable, might break in the future" flag? Something like
Ah, I hadn't noticed that that was an option. I'm not sure if it's mentioned in the documentation - I may have overlooked it. I assume this would involve using a TripleRef to represent and serialize the entire triple, for eg. storing new triples? Or would it be no different to manually concatenate the An additional issue would be that if using (The reason I'm looking to use |
Both works. The serialization of I would tend to think that parametrization is possible. The way I would implement it is follow the SPARQL-dev substitution proposal. It is the approach that seems the best to me (easy to implement because it follows how |
Is your feature request related to a problem? Please describe.
I'm currently evaluating Oxigraph for a project, but it seems to be missing a pretty important feature for dealing with untrusted data - query parameterization. In SQL implementations, this is a widespread feature nowadays, allowing for dynamically specified values to be provided separately from the query itself, so that malicious actors cannot modify the query structurally by specifying maliciously-formatted values.
Describe the solution you'd like
A way to specify placeholder bindings in the query that parameters can then be separately specified for, in such a way that the parameter values are guaranteed to never go through a SPARQL parser (ie. there is an entirely separate processing path from specification to query execution, with no string concatenation/formatting step inbetween). Both for library use, and for the server implementation (Stardog's approach may be useful here).
Describe alternatives you've considered
Additional context
Many other triplestores, like Stardog, Jena, or dotNetRDF already seem to implement such functionality. It also seems to have been considered for standardization at some point, but it's not clear to me how that played out in the end.
The text was updated successfully, but these errors were encountered: