Tracker is a desktop search engine, metadata indexing and storage service. It is the recommended way to search for user files and access metadata about them. A full introduction to Tracker is here.
Summary
- Avoid SPARQL injection vulnerabilities by using prepared statements.
Using Tracker
Tracker is effectively a metadata store which applications can query using the SPARQL query language. SPARQL is similar to SQL, so all the same considerations about SQL injection apply when using it.
Describing how to use Tracker is beyond the scope of this document; however, it has good documentation in its getting started guide and API documentation.
SPARQL injection
When using Tracker, queries must be constructed using prepared statements; otherwise arbitrary SPARQL could be supplied by the user and change the meaning of the query, potentially resulting in unauthorised disclosure of user data. This is the SPARQL equivalent of an SQL injection vulnerability.
To build a SPARQL query, use TrackerSparqlBuilder, which prevents SPARQL injection vulnerabilities as long as its ‘raw’ APIs aren’t used. If its raw APIs are used, be very careful to escape all external input to the query using tracker_sparql_escape_string() before including it in the query.
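The following added example (not Tracker's own code) shows the difference the escaping step makes when a raw query string is built from external input. It assumes a double-quoted SPARQL literal and uses a constructed stand-in for tracker_sparql_escape_string() so that it runs without libtracker-sparql; in real code call the Tracker function itself.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for tracker_sparql_escape_string() (constructed for this example,
 * not Tracker's code): escapes every character that could end or alter a
 * double-quoted SPARQL string literal. The caller frees the result. */
char *escape_sparql_literal(const char *s)
{
    char *out = malloc(strlen(s) * 2 + 1), *o = out;
    if (!out) return NULL;
    for (; *s; s++) {
        switch (*s) {
        case '"':  *o++ = '\\'; *o++ = '"';  break;
        case '\\': *o++ = '\\'; *o++ = '\\'; break;
        case '\n': *o++ = '\\'; *o++ = 'n';  break;
        case '\r': *o++ = '\\'; *o++ = 'r';  break;
        case '\t': *o++ = '\\'; *o++ = 't';  break;
        default:   *o++ = *s;
        }
    }
    *o = '\0';
    return out;
}

#define QUERY_FMT "SELECT ?f WHERE { ?f nie:title \"%s\" }"

/* Vulnerable: untrusted text is pasted straight into the query, so a quote
 * in it closes the literal and the rest of the input becomes SPARQL syntax. */
char *build_query_unsafe(const char *title)
{
    size_t n = strlen(QUERY_FMT) + strlen(title) + 1;
    char *q = malloc(n);
    if (q) snprintf(q, n, QUERY_FMT, title);
    return q;
}

/* Hardened: the same formatter, but fed escaped text, so whatever the input
 * contains stays inside the literal and cannot change the query structure. */
char *build_query_escaped(const char *title)
{
    char *esc = escape_sparql_literal(title), *q = NULL;
    if (esc) { q = build_query_unsafe(esc); free(esc); }
    return q;
}

int main(void)
{
    const char *input = "report\" } #";   /* constructed hostile title */
    char *bad = build_query_unsafe(input), *good = build_query_escaped(input);
    printf("unsafe : %s\nescaped: %s\n", bad, good);
    free(bad); free(good);
    return 0;
}
```

In the unsafe output the literal ends after `report` and `#` comments out the remainder of the query; in the escaped output the quote is carried as `\"` and the title is still just a title.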