"sql injection" for cypher


Yaron Naveh

Jun 17, 2012, 10:06:44 AM
to ne...@googlegroups.com
I've seen some posts on the matter but could not find anything conclusive.

I'm building a cypher query using user defined string:

qry = ... + "WHERE n.name='" + request["filter"] + "'"

How can I protect against "sql injection"? For example, the filter could be ' OR '1'=='1

Is it enough to prefix all quotes with a backslash? Should I ban some words from appearing in the user string? The best would be a "parameterized query"-like syntax so the server would take care of this.

Michael Hunger

Jun 17, 2012, 10:08:15 AM
to ne...@googlegroups.com
You should use parameters instead.

Yaron Naveh

Jun 17, 2012, 10:57:29 AM
to ne...@googlegroups.com
thanks

Any idea how I can use a parameter to get regex, "string contains" or "string like" semantics?

My original query is:

WHERE n.name =~ /.*value.*/

I'm not able to parameterize this. If not possible with regex, the other two options I mentioned are also good.

Yaron Naveh

Jun 17, 2012, 11:03:09 AM
to ne...@googlegroups.com
Got it, the query is

WHERE n.name =~ {name}

and parameter:

{name: ".*value.*"}

Michael Hunger

Jun 17, 2012, 11:16:52 AM
to ne...@googlegroups.com
Exactly,

that should be in the docs, though. 

Michael

ryan

Apr 21, 2014, 5:17:46 PM
to ne...@googlegroups.com
I have the same situation here where I am wanting to protect against SQL injection attacks. I see this post is from 2012, so my first question is: has the answer for the main question changed since 2012?

My next question (assuming the answer to the above is no) is that I don't understand how this helps. I am sure it's just me needing a better understanding of parameters. If I have a query like this:

qry = ... + "WHERE n.name='" + usrName + "'"

and if usrName = ' OR '1'=='1

I don't see how putting that in a parameter will help. Does the parameter do something special vs. a non-parameterized query?

Michael Hunger

Apr 22, 2014, 8:51:40 AM
to ne...@googlegroups.com
Parameters will help, as they are not substituted as strings; during execution they are used as values in those expressions.

qry = " .... WHERE n.name= {usrName} ...."
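An added example in Python, not code from the thread or from the Neo4j project, that makes Michael's point concrete and also covers Yaron's regex question: the concatenated form lets the value rewrite the query text, the parameterized form keeps the query text identical for every input, and a regex parameter still needs its metacharacters escaped because the parameter only stops query-structure injection, not regex interpretation. It assumes the current `$name` placeholder syntax (the thread's `{name}` is the older equivalent), names `session.run(query, params)` from the official driver only as the intended consumer without calling it, and uses Python's `re` module as a local stand-in for the Java regex engine Neo4j applies to `=~`. The `Person` label and the sample names are constructed for the demo.

```python
import re

# Added example; not the thread's or Neo4j's own code. The query text below is
# fixed at development time; the user's value only ever travels in the params
# dict. The thread uses the older {name} placeholder; current drivers use $name.
EXACT_QUERY = "MATCH (n:Person) WHERE n.name = $name RETURN n"
REGEX_QUERY = "MATCH (n:Person) WHERE n.name =~ $name RETURN n"

# Constructed sample data standing in for the n.name values in the graph.
SAMPLE_NAMES = ["alice", "bob", "malik"]


def concatenated_query(user_input: str) -> str:
    """The vulnerable pattern from the thread: the value is spliced into the
    query text, so quotes and keywords in it become part of the query."""
    return "MATCH (n:Person) WHERE n.name='" + user_input + "' RETURN n"


def query_structure_changes(user_input: str) -> bool:
    """Rough structural check for the demo: the developer intended exactly one
    single-quoted literal; any other count means the input rewrote the query."""
    literals = re.findall(r"'[^']*'", concatenated_query(user_input))
    return len(literals) != 1


def exact_match(user_input: str):
    """Parameterized equality. Returns (query, params), the two arguments you
    would hand to session.run(query, params) in the official driver (assumed
    usage, not executed here). The query text is the same for every input."""
    return EXACT_QUERY, {"name": user_input}


def contains_match(user_input: str):
    """'String contains' semantics via a regex parameter, as in the thread.
    The parameter keeps the input out of the query text, but inside a regex
    the input's metacharacters are still interpreted, so escape them first."""
    return REGEX_QUERY, {"name": ".*" + re.escape(user_input) + ".*"}


def local_regex_filter(names, pattern: str):
    """Local stand-in for what the server does with =~: Cypher's =~ matches
    the whole string, so fullmatch is used. Python's re substitutes for
    Neo4j's Java regex engine (assumed equivalent for these simple patterns)."""
    return [n for n in names if re.fullmatch(pattern, n)]


if __name__ == "__main__":
    evil = "' OR '1'=='1"
    print(concatenated_query(evil))      # query structure rewritten by the input
    print(exact_match(evil))             # query unchanged, value carried in params
    print(local_regex_filter(SAMPLE_NAMES, contains_match("ali")[1]["name"]))
    print(local_regex_filter(SAMPLE_NAMES, contains_match(".*")[1]["name"]))
```

The last two calls show the regex caveat: with escaping, a user who types `.*` matches only names that literally contain `.*` (none of the samples), whereas the unescaped pattern `.*.*.*` matches every name. On Neo4j 2.3 or later, `WHERE n.name CONTAINS $name` gives the same "string contains" semantics with a plain parameter and no regex escaping at all.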

