“Injection” concerns for Cypher over REST

Posted 2019-07-17 00:03

Question:

I was wondering if there is a concern for query injection when I query over REST?

Parameterizing the query definitely makes things cleaner, but I was also able to query with string concatenation to manipulate properties and labels.

I find the latter approach being more flexible because at times I can't query the way I want it following the paradigm of parameters. (Can I parameterize labels and properties on CREATE or SET? (REST and transaction))

If there are no worries about some sort of injection, is it a security risk to concat query strings? I personally do not have too deep of an understanding in querying Neo4j, so I want to have my options open and am willing to try any suggestions.

EDIT: After reading Wes's comment, I'd like to ask the viewers to quickly glance at the posted link. What about those situations where I want to use WHERE and SET? What would be the best way to parameterize?

Thank you!

Answer 1:

Here's a hypothetical situation, given that someone knows your query. If you take user input and concatenate it into a query, this might happen:

"MATCH (u:User) WHERE u.id = " + userId + " RETURN u"

Let's try a userId of:

"1 WITH count(1) AS dummy MATCH (u:User) OPTIONAL MATCH (u)-[r]-() DELETE u, r "

I'm sure some people could come up with worse examples...

This is instantly resolved with parameters. You can sanitize inputs as well, but I'd take the safe way if possible.
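To make the contrast concrete, here is an added example in Python (not code from the question or the answer): the concatenated query from the answer beside a parameterized statement body for Neo4j's transactional endpoint, with the attacker-controlled id passed as a parameter so it is only ever compared against `u.id`. It assumes Neo4j 3.x `$param` syntax, an assumed endpoint path, and that the application keeps an allowlist of the labels it uses, since labels cannot be passed as Cypher parameters; properties can, via `SET u += $props`, which covers the SET case raised in the question.

```python
import json
import re

# Constructed input: the attacker-controlled id from the answer above.
INJECTED_ID = "1 WITH count(1) AS dummy MATCH (u:User) OPTIONAL MATCH (u)-[r]-() DELETE u, r "

# Assumption: these are the only labels the application ever queries.
# Labels cannot be Cypher parameters, so they are allowlisted before being
# spliced into statement text.
ALLOWED_LABELS = {"User", "Post"}
IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def concatenated_query(user_id):
    """The vulnerable pattern from the answer: input becomes query text."""
    return "MATCH (u:User) WHERE u.id = " + str(user_id) + " RETURN u"


def is_allowed_label(label):
    """True only for a well-formed label on the allowlist."""
    return bool(IDENTIFIER.match(label)) and label in ALLOWED_LABELS


def parameterized_request(label, user_id, props):
    """Build the JSON body to POST to the transactional endpoint
    (assumed path: /db/data/transaction/commit).

    The id and the property map travel in "parameters", never in the
    statement string, so INJECTED_ID is just a string value to the server.
    """
    if not is_allowed_label(label):
        raise ValueError("label not allowed: %r" % label)
    statement = ("MATCH (u:%s) WHERE u.id = $userId "
                 "SET u += $props RETURN u" % label)
    return {"statements": [{"statement": statement,
                            "parameters": {"userId": user_id,
                                           "props": props}}]}


def statement_text_contains(body, keyword):
    """Check whether any statement text (not parameters) carries a keyword."""
    return any(keyword in s["statement"] for s in body["statements"])


def to_json(body):
    """Serialize the request body exactly as it would be sent over HTTP."""
    return json.dumps(body)
```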