[basex-talk] XQuery injection and auto-increment

Christian Grün christian.gruen at gmail.com
Mon May 10 10:53:51 CEST 2010


Dear Kim,

> I'm planning to use BaseX as the database behind a web service. While
> implementing this web service, I ran into these issues:
> 1) Is there a way to have an auto-incremented attribute added on every
> insert of a certain element type?

You might specify the attribute counter within your XML file/database
and increment it every time when you insert an element. A simple
example:

input.xml:
  <root count="0"/>

insert.xq:
  (: the counter lives in the root element's @count attribute :)
  let $root := doc('input.xml')/root
  let $count := $root/@count
  return (
    (: use the current counter value as the id of the new element :)
    insert node <node id='{ $count }'/> into $root,
    (: and advance the counter for the next insert :)
    replace value of node $count with $count + 1
  )


> 2) How do I avoid XQuery injection? Currently I just use a whitelist of
> characters that are allowed in user input. But what if I want users to be
> able to input special characters? How would I escape them in my queries? Did
> I overlook something in the API?

XQuery supports the full Unicode range. Special XML characters (such
as <, >, &, ", and ') need to be encoded as entities; see e.g.
http://en.wikipedia.org/wiki/List_of_XML_and_HTML_character_entity_references.

Hope this helps,
Christian
___________________________

Christian Gruen
Universitaet Konstanz
Department of Computer & Information Science
D-78457 Konstanz, Germany
Tel: +49 (0)7531/88-4449, Fax: +49 (0)7531/88-3577
http://www.inf.uni-konstanz.de/~gruen
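The following is an added example illustrating the escaping advice given for question 2; it is not part of the original message and not BaseX code. It builds XQuery text only (no database connection), so it runs offline. The entity table follows the answer above and additionally escapes `{` and `}`, because inside a direct constructor such as the `<node id='{ $count }'/>` from insert.xq a bare brace starts an enclosed expression. The `find_query`, `insert_query` and `bound_find_query` helpers, the `@name` attribute and the input strings are constructed for this example; `declare variable $name external;` is standard XQuery syntax.

```python
"""Escaping user input before it is spliced into XQuery text (added example)."""
import xml.etree.ElementTree as ET

# Characters that can change the meaning of an XQuery string literal or of a
# direct element/attribute constructor. '{' / '}' delimit enclosed expressions
# in direct constructors; the rest are XML markup characters. XQuery expands
# entity and character references in both contexts, so the data survives intact.
_XQ_ESCAPES = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&apos;",
    "{": "&#123;",
    "}": "&#125;",
}


def xq_escape(text: str) -> str:
    """Replace every sensitive character with an XML entity / character reference."""
    return "".join(_XQ_ESCAPES.get(ch, ch) for ch in text)


def find_query(user_name: str, escape: bool = True) -> str:
    """Lookup by @name (constructed attribute). With escape=False the input is
    concatenated raw: a quote in it ends the string literal early."""
    value = xq_escape(user_name) if escape else user_name
    return "doc('input.xml')/root/node[@name = \"" + value + "\"]"


def insert_query(user_name: str, escape: bool = True) -> str:
    """Insert through a direct constructor, as in insert.xq. Raw input containing
    '{' would be evaluated as an enclosed expression instead of stored as text."""
    value = xq_escape(user_name) if escape else user_name
    return "insert node <node name=\"" + value + "\"/> into doc('input.xml')/root"


def bound_find_query() -> str:
    """Preferred form: no user data in the query text at all. The value is passed
    separately as an external variable (BaseX's client APIs offer a bind call)."""
    return "declare variable $name external; doc('input.xml')/root/node[@name = $name]"


def literal_raw(query: str) -> str:
    """Text between the first pair of double quotes, i.e. the span an XQuery
    parser would take as the string literal or attribute value."""
    start = query.index('"') + 1
    end = query.index('"', start)
    return query[start:end]


def literal_as_parsed(query: str) -> str:
    """Decode that span back to characters; the XML parser expands the same
    entity and character references XQuery would."""
    return ET.fromstring('<v a="' + literal_raw(query) + '"/>').get("a")


def has_enclosed_expr(attr_text: str) -> bool:
    """True if a direct constructor would treat part of attr_text as code:
    a single '{' opens an enclosed expression ('{{' is the literal brace)."""
    return "{" in attr_text.replace("{{", "")


if __name__ == "__main__":
    payload = 'x" or true() or @name = "'   # constructed test input
    print("unsafe literal :", literal_as_parsed(find_query(payload, escape=False)))
    print("escaped literal:", literal_as_parsed(find_query(payload)))
    print("bound query    :", bound_find_query())
```

`literal_raw` and `literal_as_parsed` are deliberately simple checks (they only model double-quoted literals with no raw quotes inside), enough to show that with escaping the literal always ends at the quote the application wrote, while with raw concatenation it ends at the first quote in the input. Binding an external variable avoids the question altogether, which is why it is the form to prefer when the client API offers it.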
