- Avoid SPARQL injection vulnerabilities by using prepared statements. (#SPARQL injection)
When using Tracker, queries must be constructed using its prepared statements; otherwise arbitrary SPARQL supplied by the user could alter the query, potentially disclosing user data the caller is not authorised to see. This is a SPARQL injection vulnerability, the direct analogue of SQL injection: untrusted text ends up being parsed as part of the query rather than as a value inside it.
To build a SPARQL query, use TrackerSparqlBuilder, which prevents SPARQL injection as long as its ‘raw’ APIs aren’t used. If the raw APIs are used, every piece of external input must be escaped with tracker_sparql_escape_string() before it is included in the query; escaping only some of the inputs, or escaping after the query string has already been assembled, does not help. Newer Tracker releases also provide TrackerSparqlStatement (created with tracker_sparql_connection_query_statement() and filled in with tracker_sparql_statement_bind_string() and its siblings), which is the prepared-statement form: a value bound to a placeholder is never parsed as SPARQL, so that is the preferred approach where it is available.
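The following is an added example, not code from Tracker or from these guidelines. It is plain Python with no Tracker dependency: `sparql_escape_string()` reimplements the SPARQL 1.1 string-literal escaping that tracker_sparql_escape_string() performs, `PreparedStatement` is a toy model of a parameterised statement (the `~name` placeholder syntax is an assumption of this model, not a documented Tracker API), and the payload and query template are constructed for the demonstration. It shows an always-true FILTER injected through naive string concatenation, and that the same input is inert once escaped or bound as a parameter.

```python
"""SPARQL injection in a file-name lookup: the unsafe and the safe way."""
import re

# Query template: look up the URL of the file with a given name (nie:/nfo:
# are the ontology prefixes Tracker uses for file metadata).
TEMPLATE = ('SELECT ?url WHERE { ?f nie:url ?url ; nfo:fileName ?name . '
            'FILTER(?name = "%s") }')

# Constructed attacker input: closes the literal, makes the filter always
# true, and re-opens a literal so the rest of the template still parses.
PAYLOAD = 'x" || true) . FILTER(true || "'


def build_query_unsafe(filename):
    """Vulnerable: untrusted text spliced straight into the query."""
    return TEMPLATE % filename


# SPARQL 1.1 ECHAR escapes; this is what tracker_sparql_escape_string()
# does (reimplemented here for the example).
_ESCAPES = {
    '\\': '\\\\', '"': '\\"', "'": "\\'",
    '\n': '\\n', '\r': '\\r', '\t': '\\t', '\b': '\\b', '\f': '\\f',
}


def sparql_escape_string(text):
    """Escape text so it can only ever be the contents of a string literal."""
    return ''.join(_ESCAPES.get(ch, ch) for ch in text)


def build_query_escaped(filename):
    """Safe when using a raw string API: escape every input before splicing."""
    return TEMPLATE % sparql_escape_string(filename)


class PreparedStatement:
    """Toy model of a prepared statement: the query text is fixed first and
    ~name placeholders are bound afterwards, so input lands inside a literal
    and can never change the query structure."""

    _PLACEHOLDER = re.compile(r'~(\w+)')

    def __init__(self, text):
        self.text = text
        self.params = {}

    def bind_string(self, name, value):
        self.params[name] = value

    def render(self):
        def substitute(match):
            name = match.group(1)
            if name not in self.params:
                raise KeyError('unbound parameter ~%s' % name)
            return '"%s"' % sparql_escape_string(self.params[name])
        return self._PLACEHOLDER.sub(substitute, self.text)


# Escape-aware match for one double-quoted SPARQL literal.
_LITERAL = re.compile(r'"(?:[^"\\]|\\.)*"')


def skeleton(query):
    """The query with every string literal blanked out: what the SPARQL
    parser will treat as structure. Queries that differ only in literal
    contents have the same skeleton."""
    return _LITERAL.sub('"?"', query)


def changes_structure(builder, payload, benign='notes.txt'):
    """True if the payload alters the query structure relative to a benign
    file name, i.e. the builder is injectable."""
    return skeleton(builder(payload)) != skeleton(builder(benign))


if __name__ == '__main__':
    print('unsafe injectable :', changes_structure(build_query_unsafe, PAYLOAD))
    print('escaped injectable:', changes_structure(build_query_escaped, PAYLOAD))
    stmt = PreparedStatement(TEMPLATE.replace('"%s"', '~filename'))
    stmt.bind_string('filename', PAYLOAD)
    print(stmt.render())
```

Run it to see the unsafe query grow a second FILTER clause that returns every file's URL, while the escaped and bound forms keep the payload inside one literal. The `skeleton()` check is a cheap way to assert in a unit test that a query builder never lets input reach the parser as syntax.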