- Avoid SPARQL injection vulnerabilities by using prepared statements.
When using Tracker, queries must be constructed using prepared statements; otherwise arbitrary SPARQL could be supplied by the user and would alter the query, potentially resulting in unauthorised disclosure of user data. This is the SPARQL equivalent of an SQL injection vulnerability.
To build a SPARQL query, use
which prevents SPARQL injection vulnerabilities as long as its ‘raw’ APIs
aren’t used. If its raw APIs are used, be very careful to escape all external
input to the query using
before including it in the query.
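As an added example (not code from the page or from Tracker itself), the following Python shows why string concatenation is unsafe and what escaping and parameter binding provide: `escape_sparql_string` implements SPARQL 1.1 string-literal escaping as a stand-in for Tracker's own escaping helper, and the `~name` placeholder syntax in `bind_statement` is an assumption modelled on Tracker's statement parameters.

```python
import re

# SPARQL 1.1 string-literal escapes (grammar rule ECHAR).
_ESCAPES = {
    "\\": "\\\\", '"': '\\"', "'": "\\'",
    "\n": "\\n", "\r": "\\r", "\t": "\\t", "\b": "\\b", "\f": "\\f",
}

# Constructed attacker-controlled title: it closes the literal and injects
# a pattern, exactly what the guideline warns about.
INJECTED_TITLE = 'secret" } ?x ?y "'


def escape_sparql_string(value: str) -> str:
    """Escape a string so it can only ever be read as a single literal."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def unsafe_query(title: str) -> str:
    # Vulnerable: user input is pasted verbatim into the query text.
    return 'SELECT ?f WHERE { ?f nie:title "' + title + '" }'


def safe_query(title: str) -> str:
    # Escaped: the input stays inside the literal regardless of its content.
    return 'SELECT ?f WHERE { ?f nie:title "' + escape_sparql_string(title) + '" }'


def bind_statement(template: str, params: dict) -> str:
    """Prepared-statement style: the query structure is fixed first, then each
    ~name placeholder is filled with an escaped, quoted literal (placeholder
    syntax is an assumption, not Tracker's documented API)."""
    def fill(match: re.Match) -> str:
        name = match.group(1)
        if name not in params:
            raise KeyError(f"no value bound for ~{name}")
        return '"' + escape_sparql_string(params[name]) + '"'
    return re.sub(r"~([A-Za-z_][A-Za-z0-9_]*)", fill, template)


def unescaped_quote_count(query: str) -> int:
    """Count literal delimiters; a one-literal query must yield exactly 2.
    Any other value means user data changed the query's structure."""
    count, escaped = 0, False
    for ch in query:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            count += 1
    return count
```

Running `unescaped_quote_count` over `unsafe_query(INJECTED_TITLE)` returns 4 while `safe_query` and `bind_statement` both return 2, which is the kind of structural check a unit test can apply to every query builder in a code base.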