[basex-talk] XQuery injection and auto-increment
Christian Grün
christian.gruen at gmail.com
Mon May 10 10:53:51 CEST 2010
Dear Kim,
> I'm planning to use BaseX as the database behind a web service. While
> implementing this web service, I ran into these issues:
> 1) Is there a way to have an auto-incremented attribute added on every
> insert of a certain element type?
You might specify the attribute counter within your XML file/database
and increment it every time when you insert an element. A simple
example:
input.xml:
<root count="0"/>
insert.xq:
let $root := doc('input.xml')/root
let $count := $root/@count  (: the counter attribute on the root element :)
return (
  (: the new element takes the current counter value as its id :)
  insert node <node id='{ $count }'/> into $root,
  (: both updates are applied together when the query finishes :)
  replace value of node $count with $count + 1
)
> 2) How do I avoid XQuery injection? Currently I just use a whitelist of
> characters that are allowed in user input. But what if I want users to be
> able to input special characters? How would I escape them in my queries? Did
> I overlook something in the API?
XQuery supports the full Unicode range. Special XML characters (such
as <, >, &, ", and ') need to be encoded as entities; see e.g.
http://en.wikipedia.org/wiki/List_of_XML_and_HTML_character_entity_references.
Hope this helps,
Christian
___________________________
Christian Gruen
Universitaet Konstanz
Department of Computer & Information Science
D-78457 Konstanz, Germany
Tel: +49 (0)7531/88-4449, Fax: +49 (0)7531/88-3577
http://www.inf.uni-konstanz.de/~gruen
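The escaping the reply recommends for question 2, written out as an added example in Python (it is not code from the mailing list or from the BaseX project, and the function names, the sample query text and the sample input are this example's own). It encodes the five XML-special characters as predefined entity references before the value is placed inside an XQuery string literal, which is valid because XQuery string literals accept those entity references; a bare & inside a literal is a syntax error. It also covers one case the reply does not mention: text spliced into an attribute value of a direct element constructor, where a curly brace would open an enclosed expression and therefore has to be doubled. A naive builder without escaping is kept alongside so the difference in literal structure can be checked.

```python
"""Entity-encoding user input before it is spliced into XQuery text.

Added example, not code from the BaseX mailing list or the BaseX project.
Function names, the lookup query and the sample input are constructed here.
"""

# The five predefined XML entities. XQuery string literals accept all five,
# so a value encoded this way can sit inside '...' or "..." without ending
# the literal. '&' must be replaced first, or the other entities would be
# re-encoded.
_ENTITIES = [
    ("&", "&amp;"),
    ("<", "&lt;"),
    (">", "&gt;"),
    ('"', "&quot;"),
    ("'", "&apos;"),
]


def escape_xquery_literal(value: str) -> str:
    """Return value with <, >, &, " and ' replaced by entity references."""
    for raw, entity in _ENTITIES:
        value = value.replace(raw, entity)
    return value


def escape_attribute_content(value: str) -> str:
    """Escaping for text placed inside an attribute value of a direct element
    constructor such as <node id='...'/>. There, besides the entities, a
    curly brace opens an enclosed expression, so braces are doubled."""
    return escape_xquery_literal(value).replace("{", "{{").replace("}", "}}")


def build_lookup_query(user_value: str) -> str:
    """Query text that looks up a node by id. The user-supplied value ends up
    as the content of exactly one single-quoted string literal."""
    return f"doc('input.xml')//node[@id = '{escape_xquery_literal(user_value)}']"


def build_lookup_query_naive(user_value: str) -> str:
    """Same query built without escaping: a quote in the input ends the
    literal early and the rest of the input is parsed as XQuery."""
    return f"doc('input.xml')//node[@id = '{user_value}']"


def single_quote_count(query: str) -> int:
    """Cheap structural check used by the tests: the lookup query contains
    two string literals, so it must contain exactly four single quotes
    whatever the user typed. Any other count means the literal boundaries
    have moved."""
    return query.count("'")


if __name__ == "__main__":
    sample = "O'Brien & <co>"  # constructed sample input
    print(build_lookup_query(sample))
    print(single_quote_count(build_lookup_query(sample)))        # 4
    print(single_quote_count(build_lookup_query_naive(sample)))  # 5
```

The single-quote count is only a sanity check for this particular query shape, not a general validator. Escaping is the approach the reply describes; XQuery's external variables (declare variable $id external;) let a client pass the value out-of-band instead of embedding it in the query text at all, which removes the question of escaping entirely where the API used supports binding them.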