dotNetRDF API Documentation

SparqlParameterizedString Class

A SPARQL Parameterized String is a String that can contain parameters in the same fashion as a SQL command string.

For a list of all members of this type, see SparqlParameterizedString Members .


public class SparqlParameterizedString


This is intended for use in applications which may want to dynamically build SPARQL queries/updates where user input may comprise individual values in the triple patterns, and where the application wants to avoid SPARQL injection attacks which change the meaning of the query/update.

It works broadly in the same way as a SqlCommand would, in that you specify a string with parameters specified in the form @name and then use various Set methods to set the actual values that should be used. The values are only substituted for parameters when you actually call the ToString() method to get the final string representation of the command. E.g.

SparqlParameterizedString queryString = new SparqlParameterizedString();
queryString.CommandText = @"SELECT * WHERE
{
    ?s a @type .
}";
// The URI value did not survive on this page; an obviously placeholder URI stands in for it.
queryString.SetUri("type", new Uri("http://example.org/placeholder-type"));
Console.WriteLine(queryString.ToString());

Would result in the following being printed to the Console:

SELECT * WHERE
{
    ?s a <http://example.org/placeholder-type> .
}

Calling a Set method to set a parameter that has already been set changes that value, and the new value will be used the next time you call ToString(). This may be useful if you plan to execute a series of queries/updates using a series of values, since you need not instantiate a completely new parameterized string each time.
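The following is an added example, not code from the dotNetRDF documentation, contrasting naive string concatenation with the parameterized approach described above and showing the parameter re-use the previous paragraph describes. It assumes a SetLiteral(name, value) method exists alongside the SetUri method shown on this page; the label value and URIs are constructed for the demonstration.

```csharp
using System;
using System.Collections.Generic;
using VDS.RDF.Query;

class ParameterizedSparqlDemo
{
    // Naive string building: the raw value becomes part of the query syntax, so a
    // value containing a double quote ends the literal early and the resulting text
    // no longer says what the developer intended (here it is simply malformed).
    static string ConcatenatedQuery(string label)
    {
        return "SELECT ?s WHERE { ?s <http://www.w3.org/2000/01/rdf-schema#label> \"" + label + "\" }";
    }

    // Parameterized building: @label is a placeholder in the command text; the value is
    // bound via SetLiteral (assumed to exist, like SetUri) and is only substituted, as an
    // escaped SPARQL literal, when ToString() is called.
    static string ParameterizedQuery(string label)
    {
        SparqlParameterizedString queryString = new SparqlParameterizedString();
        queryString.CommandText = "SELECT ?s WHERE { ?s <http://www.w3.org/2000/01/rdf-schema#label> @label }";
        queryString.SetLiteral("label", label);
        return queryString.ToString();
    }

    static void Main()
    {
        // Constructed input: a legitimate name that happens to contain double quotes.
        string untrusted = "Tom \"Tiny\" Jones";
        Console.WriteLine(ConcatenatedQuery(untrusted));   // literal is cut off at the inner quote
        Console.WriteLine(ParameterizedQuery(untrusted));  // quotes are escaped inside a single literal

        // Re-use: setting a parameter again replaces the previous value, so one
        // parameterized string can drive a series of queries over different types.
        SparqlParameterizedString byType = new SparqlParameterizedString();
        byType.CommandText = "SELECT * WHERE { ?s a @type . }";
        List<string> typeUris = new List<string> { "http://example.org/Person", "http://example.org/Place" }; // constructed
        foreach (string typeUri in typeUris)
        {
            byType.SetUri("type", new Uri(typeUri));
            Console.WriteLine(byType.ToString());
        }
    }
}
```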

This class was added to the library based on a suggestion by Alexander Sidorov and ideas from slides on Slideshare by Almedia et al.

PERFORMANCE TIPS: if building the command text incrementally, avoid using CommandText += and use the AppendSubQuery or Append methods instead.


Namespace: VDS.RDF.Query

Assembly: dotNetRDF (in dotNetRDF.dll)

See Also

SparqlParameterizedString Members | VDS.RDF.Query Namespace