26 Jun 2022, 6:58 p.m.
Hello,

How to write secure queries when the queried text nodes contain ampersands? For instance:

    declare variable $publisher external; (: $pub == 'Faber & Faber' :)
    declare variable $db := db:open('db');
    let $records := $db/record/publisher[. = $publisher] (: publisher == 'Faber & Faber' :)
    return $records (: return clause added so the FLWOR expression is complete :)

The external variable is unsafe input, escaped by the sending application. Escaping the ampersand in the external variable with &amp; (& a m p ;) doesn't work; BaseX stops finding hits. Just letting the ampersand pass might expose the code to injection attacks? I could switch to a full-text query and remove the ampersand from the external variable, but that's a bit hackish. The expression is exact. How to proceed in a secure way?
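An added example, not part of the original post: it uses lxml's XPath variable binding as an offline stand-in for binding a BaseX external variable, to show why the bound value must be passed raw (a literal `&`, not `&amp;`) and why a bound variable, unlike a value spliced into the query text, is compared as data rather than parsed as query syntax. The sample XML, the `find_by_concat` and `find_by_binding` helpers and their inputs are constructed for this illustration.

```python
# Added illustration (not from the original post). lxml's XPath variables
# play the role of a BaseX external variable bound from the client side.
from lxml import etree

# Constructed sample data. '&' is written as the entity &amp; only because
# this is XML *source*; after parsing, the text node holds a literal '&'.
SAMPLE_XML = b"""<db>
  <record><title>Cat's Cradle</title><publisher>Faber &amp; Faber</publisher></record>
  <record><title>Dune</title><publisher>Gollancz</publisher></record>
</db>"""

ROOT = etree.fromstring(SAMPLE_XML)


def find_by_concat(publisher: str):
    """Unsafe pattern: the untrusted value becomes part of the query text.

    A quote in the value either breaks the expression (returns None here)
    or changes what the predicate means. Entity escaping does not help:
    it is not how XPath/XQuery string literals are quoted.
    """
    expr = f"/db/record[publisher = '{publisher}']/title/text()"
    try:
        return [str(t) for t in ROOT.xpath(expr)]
    except etree.XPathEvalError:
        return None


def find_by_binding(publisher: str):
    """Safe pattern: the value is bound to $publisher and compared literally.

    Ampersands, quotes and XPath syntax in the value are plain characters,
    so no escaping is needed and none should be applied. Passing the value
    already escaped as 'Faber &amp; Faber' misses, because the parsed text
    node contains '&', not '&amp;'.
    """
    expr = "/db/record[publisher = $publisher]/title/text()"
    return [str(t) for t in ROOT.xpath(expr, publisher=publisher)]


if __name__ == "__main__":
    print(find_by_binding("Faber & Faber"))      # exact hit on the raw value
    print(find_by_binding("Faber &amp; Faber"))  # no hit: over-escaped input
    print(find_by_concat("Cat's"))               # None: quote broke the query
```

The same contrast holds for BaseX: bind the variable through the client API or the command-line `-b` option with the raw value, and keep entity escaping for XML and XQuery source only.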