Question
I was wondering: just as conventional RDBMSs have SQL injection, and in PHP we use PDO for injection prevention, what do we use to prevent injection in Neo4j? I'm using the Neo4j REST API via jQuery and via the neo4jphp module. Any suggestions, guys?
Thanks in advance.
Answer 1:
One of the values of using web services is decoupling the client from the implementation of the service. In your case, this means that REST abstracts away the details of the Cypher queries Neo4jPHP makes on your behalf. So the responsibility for preventing injection falls on Neo4jPHP. That's an implementation detail. You shouldn't be able to tinker with that even if you want to.
The situation is different if you were making Cypher queries yourself. Then you would use parameters like this:
query = "START n=node(*) WHERE n={search} RETURN n"
db.query query, {search: "userProvidedValue"}
I suggest you write to the Neo4jPHP forums to ensure they have indeed taken those precautions by writing parameterized Cypher queries. Or look at the source and verify for yourself.
Answer 2:
Neo4jPHP JSON encodes all values sent to the Neo4j server. Cypher queries are sent with a hash of parameter values. Just like with SQL, you shouldn't build your Cypher queries directly from user input. Instead, use Cypher queries with parameters, which the Neo4j server will correctly handle.
Neo4jphp docs here: https://github.com/jadell/neo4jphp/wiki/Cypher-and-gremlin-queries#executing-a-cypher-query
Neo4j REST docs here: http://docs.neo4j.org/chunked/stable/rest-api-cypher.html#rest-api-use-parameters
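The difference between concatenating user input into Cypher and sending it as a parameter over REST, as an added example that is not part of the original answers or of Neo4jPHP. The `/db/data/cypher` path, the `name` property and the function names are assumptions; the inputs are constructed.

```javascript
// Added example. Uses the legacy {param} Cypher syntax shown in the answer above;
// newer Neo4j versions write parameters as $search instead.
const CYPHER_ENDPOINT = "/db/data/cypher"; // assumed legacy REST Cypher endpoint

// Anti-pattern: the user's text becomes part of the query text itself.
function buildConcatenatedRequest(userInput) {
  return {
    query: 'START n=node(*) WHERE n.name = "' + userInput + '" RETURN n',
    params: {}
  };
}

// Parameterized: the query text is a constant and the value travels separately.
const SEARCH_QUERY = "START n=node(*) WHERE n.name = {search} RETURN n";
function buildParameterizedRequest(userInput) {
  // Reject non-strings so a JSON object or array cannot arrive as a map or list.
  if (typeof userInput !== "string") throw new TypeError("search must be a string");
  return { query: SEARCH_QUERY, params: { search: userInput } };
}

// Body as it would be POSTed; JSON encoding keeps quotes inside the value.
function toWire(body) {
  return JSON.stringify(body);
}

// True when two different inputs produce two different query texts.
function queryTextDependsOnInput(builder, a, b) {
  return builder(a).query !== builder(b).query;
}

const benign = "Alice";          // constructed sample input
const hostile = 'x" OR "1"="1';  // constructed sample input containing a quote

console.log(buildConcatenatedRequest(hostile).query);  // WHERE clause rewritten by input
console.log(toWire(buildParameterizedRequest(hostile))); // query text unchanged

// With jQuery the body would be sent roughly as:
// $.ajax({ url: CYPHER_ENDPOINT, type: "POST", contentType: "application/json",
//          data: toWire(buildParameterizedRequest(value)) });
```

A quick review check that follows from this: every Cypher string in the code base should be a constant, with all user-supplied values appearing only under `params`.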
Source: https://stackoverflow.com/questions/21265278/neo4j-db-injection-protection