I was wondering if there is a concern for query injection when I query over REST?
Parameterizing the query definitely makes things cleaner, but I was also able to query with string concatenation to manipulate properties and labels.
I find the latter approach more flexible because at times I can't query the way I want when following the parameter paradigm. (Can I parameterize labels and properties on CREATE or SET? (REST and transaction))
If there are no worries about some sort of injection, is it a security risk to concatenate query strings? I personally do not have too deep an understanding of querying Neo4j, so I want to keep my options open and am willing to try any suggestions.
EDIT: After reading Wes's comment, I'd like to ask the viewers to quickly glance at the posted link. What about those situations where I want to use WHERE and SET? What would be the best way to parameterize?
Thank you!
Here's a hypothetical situation, given that someone knows your query. If you take user input and concatenate it into a query, this might happen:
Let's try a userId of:
I'm sure some people could come up with worse examples...
This is instantly resolved with parameters. You can sanitize inputs as well, but I'd take the safe way if possible.
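The following is an added example, not code from the question or the answer above, showing both halves of the point: what string concatenation does to a Cypher statement when the userId is hostile, and how the same statements look when the values are sent as parameters through the transactional REST endpoint (`POST /db/data/transaction/commit`, whose body carries `statement` and `parameters` as separate JSON fields). The malicious userId, the allowlists of labels and property keys, and the `User`/`id`/`name` names are all constructed for this example; `$name` is the Neo4j 3+ parameter syntax (Neo4j 2.x used `{name}`). It also answers the follow-up about labels: Cypher cannot take a label or property key as a parameter, so those have to be allowlisted and backtick-quoted before being spliced into the query text, while every value goes through a parameter.

```python
import json
import re

# Constructed attacker-supplied userId for this example (not the value from the
# original answer, which is not shown on the page). It closes the map literal
# and the pattern, appends a destructive clause, and uses a Cypher line
# comment (//) to swallow the remainder of the original query.
MALICIOUS_USER_ID = "x'}) MATCH (m) DETACH DELETE m //"

# Hypothetical allowlists for this example: the labels and property keys the
# application is willing to splice into query text.
ALLOWED_LABELS = {"User", "Admin"}
ALLOWED_PROPERTIES = {"name", "email"}
IDENTIFIER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def build_vulnerable_query(user_id):
    """String concatenation, as in the question: the input becomes Cypher text."""
    return "MATCH (n:User {id: '" + user_id + "'}) RETURN n"


def build_parameterized_statement(user_id):
    """Same lookup with the value sent as a parameter. $name is the Neo4j 3+
    syntax; Neo4j 2.x used {name}. The value never becomes part of the query."""
    return {
        "statement": "MATCH (n:User {id: $userId}) RETURN n",
        "parameters": {"userId": user_id},
    }


def is_safe_identifier(name, allowlist):
    """Labels and property keys cannot be parameters in Cypher, so the only
    defence is to accept nothing but allowlisted, plain identifiers."""
    return name in allowlist and IDENTIFIER_RE.match(name) is not None


def quoted_identifier(name, allowlist):
    """Backtick-quote an allowlisted identifier before splicing it into Cypher."""
    if not is_safe_identifier(name, allowlist):
        raise ValueError("identifier not permitted: %r" % name)
    return "`%s`" % name


def build_create_statement(label, props):
    """CREATE with an allowlisted label; all property values travel as one map
    parameter, so none of them can alter the query text."""
    statement = "CREATE (n:%s) SET n = $props RETURN n" % quoted_identifier(label, ALLOWED_LABELS)
    return {"statement": statement, "parameters": {"props": props}}


def build_update_statement(label, user_id, updates):
    """MATCH ... WHERE ... SET for the asker's follow-up: the label is
    allowlisted, the lookup value and the updated properties are parameters,
    and only allowlisted property keys are accepted in the map."""
    unexpected = set(updates) - ALLOWED_PROPERTIES
    if unexpected:
        raise ValueError("property keys not permitted: %r" % sorted(unexpected))
    statement = "MATCH (n:%s) WHERE n.id = $userId SET n += $updates RETURN n" % quoted_identifier(label, ALLOWED_LABELS)
    return {"statement": statement, "parameters": {"userId": user_id, "updates": updates}}


def transaction_body(*statements):
    """JSON body for POST /db/data/transaction/commit, the transactional REST
    endpoint of Neo4j 2.x/3.x: statement text and parameters are separate fields."""
    return json.dumps({"statements": list(statements)})


if __name__ == "__main__":
    print("concatenated: ", build_vulnerable_query(MALICIOUS_USER_ID))
    print("parameterized:", transaction_body(build_parameterized_statement(MALICIOUS_USER_ID)))
    print("update:       ", transaction_body(build_update_statement("User", "42", {"name": "Alice"})))
```

Run it and compare the first two lines: the concatenated query now contains a second MATCH and a DETACH DELETE, while the parameterized body carries the identical hostile string purely as data inside `parameters`. Sanitizing the value would have to anticipate every way to break out of a string, map and pattern; keeping values out of the query text avoids the problem entirely, and the allowlist is the fallback for the parts of the statement (labels, property keys) that Cypher does not let you parameterize.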