Question
I was wondering if there is a concern for query injection when I query over REST?
Parameterizing the query definitely makes things cleaner, but I was also able to query with string concatenation to manipulate properties and labels.
I find the latter approach being more flexible because at times I can't query the way I want it following the paradigm of parameters. (Can I parameterize labels and properties on CREATE or SET? (REST and transaction))
If there are no worries about some sort of injection, is it a security risk to concat query strings? I personally do not have too deep of an understanding of querying Neo4j, so I want to keep my options open and am willing to try any suggestions.
EDIT: After reading Wes's comment. I'd like to ask the viewers to quickly glance at the posted link. What about those situations where I want to use Where and Set ? What would be the best way to parameterize?
Thank you!
Answer 1:
Here's a hypothetical situation, given that someone knows your query. If you take user input and concatenate it into a query, this might happen:
"MATCH (u:User) WHERE u.id = " + userId + " RETURN u"
Let's try a userId of:
"1 WITH count(1) AS dummy MATCH (u:User) OPTIONAL MATCH (u)-[r]-() DELETE u, r "
I'm sure some people could come up with worse examples...
This is instantly resolved with parameters. You can sanitize inputs as well, but I'd take the safe way if possible.
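The following is an added example, not code from the question or the answer above. It builds the two request bodies a client would send to Neo4j's transactional HTTP endpoint (the "REST and transaction" case the question mentions): the concatenated form with the hostile userId from the answer, and the parameterized form where the same input is carried as a value and never becomes Cypher text. It also shows the one place parameters cannot help: Cypher does not accept labels (or property keys in SET n.key) as parameters, so a dynamic label has to be checked against an allowlist before it is spliced, while the property values still go in as a map parameter via SET n += $props. The allowlist contents, the id values and the contains_write_clause helper are assumptions made up for this example; the $userId parameter syntax is the current one (Neo4j 2.x, current when the question was asked, wrote {userId}).

```python
import json
import re

# Hostile userId from the answer above (constructed sample input).
HOSTILE_USER_ID = (
    "1 WITH count(1) AS dummy MATCH (u:User) OPTIONAL MATCH (u)-[r]-() DELETE u, r "
)

# Coarse check used only for illustration: does the statement text carry a
# write clause? A read-only lookup should never match this (assumed helper,
# not a Cypher parser).
_WRITE_CLAUSE = re.compile(r"\b(?:CREATE|MERGE|SET|DELETE|REMOVE|DROP)\b", re.IGNORECASE)


def contains_write_clause(cypher: str) -> bool:
    return _WRITE_CLAUSE.search(cypher) is not None


def build_concatenated(user_id: str) -> str:
    """Vulnerable: the pattern from the answer. Whatever the caller passes
    becomes part of the Cypher text, so a crafted value is executed as Cypher."""
    return "MATCH (u:User) WHERE u.id = " + user_id + " RETURN u"


def build_parameterized(user_id) -> dict:
    """Safe: the request body for the transactional endpoint. The statement is a
    fixed string; the user input travels in the parameters map and is only
    ever compared as a value."""
    return {
        "statements": [
            {
                "statement": "MATCH (u:User) WHERE u.id = $userId RETURN u",
                "parameters": {"userId": user_id},
            }
        ]
    }


# Labels cannot be parameters in Cypher, so a label chosen by the caller must
# be restricted to a fixed set before it is spliced into the query text.
ALLOWED_LABELS = frozenset({"User", "Admin", "Guest"})  # assumed allowlist


def label_is_allowed(label: str) -> bool:
    return label in ALLOWED_LABELS


def build_set_with_dynamic_label(label: str, node_id, props: dict) -> dict:
    """SET with a caller-chosen label and caller-chosen property values.
    The label is validated against the allowlist; the property values go in as
    a map parameter (SET n += $props), so they can never alter the query.
    Note that the map's keys become property names, so keys should also come
    from a fixed set if the caller controls them."""
    if not label_is_allowed(label):
        raise ValueError("label not permitted: %r" % label)
    return {
        "statements": [
            {
                "statement": "MATCH (n:%s) WHERE n.id = $id SET n += $props RETURN n" % label,
                "parameters": {"id": node_id, "props": props},
            }
        ]
    }


if __name__ == "__main__":
    # Concatenation: the hostile value turns a lookup into a mass delete.
    print(build_concatenated(HOSTILE_USER_ID))
    # Parameters: the statement text is unchanged; the hostile value is inert.
    print(json.dumps(build_parameterized(HOSTILE_USER_ID), indent=2))
    # Dynamic label with allowlist plus map parameter for the SET values.
    print(json.dumps(build_set_with_dynamic_label("User", 7, {"name": "x"}), indent=2))
```

Sending either body is a POST with Content-Type: application/json to the commit endpoint of the transactional API; the point of the example is that only the parameterized body keeps the statement text fixed regardless of input, and that label choice has to be handled by validation because no parameter mechanism covers it.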
Source: https://stackoverflow.com/questions/24316583/injection-concerns-for-cypher-over-rest