
I am looking for a way in which the query can be prepared and be fired on the remote server. I know that it is feasible in Stardog and GraphDB using rdf4j in Java. But how can that be done using Python for Blazegraph? I have tried looking at SPARQLWrapper and rdflib. rdflib supports prepared statements but it can only be used for file parsing and I haven't found much documentation of the same as a driver as is the case of rdf4j. SPARQLWrapper enables the use of remote repository querying but doesn't have examples of prepared statements and I am in need of both.

I have looked at this SPARQL query on the remote remote endpoint RDFLib / Redland but this seems to be outdated (8 years old)

Requirement is to build a microservice over blazegraph to execute user specific input at run time. In case prepared statements are not being used, string concatenation will make it vulnerable to security threats and boilerplate codes.

user1996684
  • why do you need this for SPARQLWrapper? It's just a plain query string that is sent via HTTP protocol. `setQuery()` doesn't do any algebra transformation or the like, so you can use a plain Python string as template and modify it, via string modification. – UninformedUser May 31 '19 at 13:08
  • `queryTemplate = "select * where {{?s a {}}}"` and then call e.g. `queryTemplate.format("ex:Class")` or whatever – UninformedUser May 31 '19 at 13:10
  • here is the [reference](https://rdflib.github.io/sparqlwrapper/doc/latest/SPARQLWrapper.Wrapper.SPARQLWrapper-class.html#setQuery): *"**setQuery(self, query)**:Set the SPARQL query text. Note: no check is done on the validity of the query (syntax or otherwise) by this module, except for testing the query type (SELECT, ASK, etc). Syntax and validity checking is done by the SPARQL service itself."* – UninformedUser May 31 '19 at 13:19
  • Thanks but this will lead to string concatenation, which will make it vulnerable to security threats and boilerplate codes while we need a microservice to be built with user inputs. I have modified the question for the same. – user1996684 Jun 03 '19 at 05:19
  • `rdflib` has some store implementation around a SPARQL service, called `SPARQLStore` - but, it doesn't work with prepared queries. Moreover, if you check the source code of the in-memory variant, the prepared queries allow for providing bindings which are just handled via a dictionary lookup in a query context during evaluation of the SPARQL query. There is no other check done. For the remote, bindings are injected into the query via SPARQL 1.1 `VALUES` feature, see the relevant code [here](https://github.com/RDFLib/rdflib/blob/master/rdflib/plugins/stores/sparqlstore.py#L175-L184). – UninformedUser Jun 03 '19 at 08:41
  • I mean, what you could do is parse the query to validate the query string and convert it back to a string. In addition, you could reuse e.g. code from Apache Jena API to check the values: [click](https://github.com/galbiston/jena/blob/master/jena-arq/src/main/java/org/apache/jena/query/ParameterizedSparqlString.java#L1237-L1266) - it's just ~20 LOC, and maybe you could contribute this to the `rdflib` project. – UninformedUser Jun 03 '19 at 08:44
  • Of course, a better answer you will likely get if you ask the devs, maybe via email or Github issues: https://github.com/RDFLib/rdflib/issues - could also be a feature request (if it doesn't already exist somewhere ...), they're working on version 5.0 currently – UninformedUser Jun 03 '19 at 08:45
  • Thanks :) I will check with the SPARQLStore and if it's still not solving I will do a feature request – user1996684 Jun 03 '19 at 09:41
  • It does not work with prepared queries, I already said this and showed you the part of the code in my previous comments: https://github.com/RDFLib/rdflib/blob/master/rdflib/plugins/stores/sparqlstore.py#L175-L184 - it checks for querying being of type `str` which is indeed not the case after parsing to a `Query` object – UninformedUser Jun 03 '19 at 11:49

0 Answers
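Added example, not part of the original thread and not rdflib's or SPARQLWrapper's own code: the approach the comments describe, where each user value is serialised as one validated SPARQL term and injected through a SPARQL 1.1 `VALUES` clause appended to a fixed query. The `Iri` class and the `to_term` and `bind` helpers are hypothetical names, and the escaping assumes the SPARQL 1.1 grammar rules for IRIs and double-quoted string literals.

```python
import re

# SPARQL 1.1 IRIREF: none of <>"{}|^`\ and no characters up to U+0020.
_IRI_OK = re.compile(r'[^<>"{}|^`\\\x00-\x20]*')
_VAR_OK = re.compile(r'[A-Za-z_][A-Za-z0-9_]*')
# Characters that may not appear raw inside a "..." string literal.
_ESCAPES = {'\\': '\\\\', '"': '\\"', '\n': '\\n', '\r': '\\r'}


class Iri(str):
    """Marks a value that must be sent as an IRI, not as a string literal."""


def to_term(value):
    """Serialise one Python value as exactly one SPARQL term."""
    if isinstance(value, Iri):
        if not _IRI_OK.fullmatch(value):
            raise ValueError(f"illegal character in IRI: {value!r}")
        return f"<{value}>"
    if isinstance(value, bool):  # bool before int: bool is an int subclass
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    if isinstance(value, str):
        return '"' + "".join(_ESCAPES.get(c, c) for c in value) + '"'
    raise TypeError(f"unsupported binding type: {type(value).__name__}")


def bind(query, bindings):
    """Return the fixed query with a trailing VALUES clause for the bindings."""
    for name in bindings:
        if not _VAR_OK.fullmatch(name):
            raise ValueError(f"bad variable name: {name!r}")
    names = " ".join("?" + n for n in bindings)
    terms = " ".join(to_term(v) for v in bindings.values())
    return f"{query}\nVALUES ( {names} ) {{ ( {terms} ) }}"


QUERY = "SELECT ?s WHERE { ?s a ?cls ; rdfs:label ?label }"
# Constructed input containing a quote and a closing brace.
user_label = 'a" } #'
print(bind(QUERY, {"cls": Iri("http://example.org/Class"), "label": user_label}))
```

The returned string can be passed to `setQuery()`; the query text itself never changes, only the appended `VALUES` row does.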