With the REST API, you'll be fine. The passed on value will be bound as string, and the original query won't be modified.
Hi Christian,
I'm using the GET method from the BaseX REST API. Up until now I simply removed ampersands from a query, just to be safe.
Laurent
------- Original Message -------
On Sunday, June 26th, 2022 at 7:02 PM, Christian Grün <christian.gruen@gmail.com> wrote:
> Hi trichel,
> Which API are you using to bind the external variables to your query before evaluating it?
>
> Best,
> Christian
>
>
>
> trichel <trichel@protonmail.com> wrote on Sun., 26 June 2022, 18:58:
>
> > Hello,
> >
> > How to write secure queries when the queried text nodes contain ampersands? For instance:
> >
> >
> > declare variable $publisher external; (: $publisher == 'Faber & Faber' :)
> > declare variable $db := db:open('db');
> >
> > let $records := $db/record/publisher[. = $publisher] (: publisher == 'Faber & Faber' :)
> >
> >
> > The external variable is unsafe input, escaped by the sending application.
> > Escaping the ampersand in the external variable with &amp; doesn't work; BaseX stops finding hits. Just letting the ampersand pass might expose the code to injection attacks? I could switch to a full-text query and remove the ampersand from the external variable, but that's a bit hackish. The expression is exact.
> >
> > How to proceed in a secure way?