Hello,
How to write secure queries when the queried text nodes contain ampersands? For instance:
declare variable $publisher external; (: $publisher == 'Faber & Faber' :)
declare variable $db := db:open('db');
let $records := $db/record/publisher[. = $publisher] (: publisher == 'Faber & Faber' :)
return $records
The external variable is unsafe input, escaped by the sending application. Escaping the ampersand in the external variable with &amp; (& a m p ;) doesn't work, BaseX stops finding hits. Just letting the ampersand pass might expose the code to injection attacks? I could switch to a full-text query and remove the ampersand from the external variable, but that's a bit hackish. The expression is exact.
How to proceed in a secure way?
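An added example (not from the original post, and not BaseX project code) that contrasts the two ways the value can reach the query. It assumes a database named 'db' with /record/publisher elements and a caller that binds the variable, e.g. basex -b publisher="Faber & Faber" query.xq; the function names are made up for illustration.

```xquery
(: query.xq, constructed example. Assumes database 'db' with /record/publisher. :)
declare variable $publisher external;   (: bound by the caller, e.g. -b publisher="Faber & Faber" :)
declare variable $db := db:open('db');

(: 1. Safe: a bound external variable is a value, never parsed as XQuery text,
   so a raw "Faber & Faber" is compared literally and needs no escaping.
   Entity references are only decoded in XQuery source and XML, so binding
   "Faber &amp; Faber" searches for the literal characters "&amp;" and matches
   nothing, which is the missing-hits symptom described in the post. :)
declare function local:by-publisher($p as xs:string) as element(record)* {
  $db/record[publisher = $p]
};

(: 2. Unsafe: splicing the value into query text and evaluating it. The input
   becomes part of the program, which is the injection risk; a raw "&" inside
   the spliced string literal is also a parse error, since "&" must start an
   entity reference there. This is the pattern to avoid. :)
declare function local:by-publisher-unsafe($p as xs:string) as item()* {
  xquery:eval("db:open('db')/record[publisher = '" || $p || "']")
};

(: 3. If query text really has to be built at runtime, hand the value over as
   a binding instead of concatenating it; it is then data again, as in (1). :)
declare function local:by-publisher-dynamic($p as xs:string) as item()* {
  xquery:eval(
    "declare variable $p external; db:open('db')/record[publisher = $p]",
    map { 'p': $p }
  )
};

local:by-publisher($publisher)
```

Only (1) and (3) keep the value out of the parser, so the sending application should stop escaping the ampersand and bind the raw string.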