I have the same situation here where I am wanting to protect against SQL injection attacks. I see this post is from 2012 so my first question is: has the answer for the main question changed since 2012?
My next question (assuming the answer to the above is no) is I don't understand how this helps. I am sure it's just me needing a better understanding of parameters. If I have a query like this:

    qry = ... + "WHERE n.name='" + usrName + "'"

and if userName = ' OR '1'=='1 I don't see how putting that in a parameter will help. Does the parameter do something special vs. a non-parameterized query?

On Sunday, June 17, 2012 8:06:44 AM UTC-6, Yaron Naveh wrote:
>
> I've seen some posts on the matter but could not find anything conclusive.
>
> I'm building a cypher query using user defined string:
>
> qry = ... + "WHERE n.name='" + request["filter"] + "'"
>
> how can I protect against "sql injection"? for example the filter could be
> ' OR '1'=='1
>
> Is it enough to prefix all quotes with a backslash? Should I ban some
> words from appearing in the user string? The best would be to get a
> "parameterized query" like syntax so the server would take care of this.
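Added example, not part of the thread above: it shows concretely why the parameter "does something special". With concatenation the user's text becomes part of the query text, so quotes in it open and close string literals and the rest is parsed as Cypher; with a parameter the query text is fixed before any value arrives and the value is handed to the server as data, so it is never parsed as query syntax. The tiny tokenizer below is a constructed model of the one job every query parser does (separating code from string literals); it is not Neo4j's parser. The `$name` parameter syntax and `session.run(query, parameters)` call in the comment are the real Neo4j driver form (Cypher of the 2012 era wrote parameters as `{name}`); no database connection is made here.

```python
"""Constructed illustration of concatenated vs. parameterized Cypher."""
from typing import Dict, List, Tuple

PAYLOAD = "' OR '1'=='1"   # the filter value from the thread


def build_unsafe(usr_name: str) -> str:
    """String concatenation as in the question: user text becomes query text."""
    return "MATCH (n:Person) WHERE n.name='" + usr_name + "' RETURN n"


def build_safe(usr_name: str) -> Tuple[str, Dict[str, str]]:
    """Parameterized form: the query text is a constant, the value travels
    separately. With the Neo4j Python driver this pair is passed as
    session.run(query, parameters); the server binds $name as a value."""
    return "MATCH (n:Person) WHERE n.name = $name RETURN n", {"name": usr_name}


def split_code_and_literals(query: str) -> Tuple[str, List[str]]:
    """Toy model of a parser's first job: walk the text once, pulling
    single-quoted literals out of the surrounding code. Returns the code
    with each literal replaced by '?' plus the list of literal values.
    Raises on an unterminated literal, as a real parser would reject it."""
    code: List[str] = []
    literals: List[str] = []
    buf: List[str] = []
    in_literal = False
    for ch in query:
        if ch == "'":
            if in_literal:                 # closing quote: literal finished
                literals.append("".join(buf))
                buf = []
                code.append("?")
            in_literal = not in_literal
            continue
        (buf if in_literal else code).append(ch)
    if in_literal:
        raise ValueError("unterminated string literal")
    return "".join(code), literals


def query_shape_changed(usr_name: str) -> bool:
    """True when concatenating this value alters the *code* part of the
    query (or breaks it outright), i.e. the input was parsed as syntax.
    A harmless name such as 'alice' is the reference shape."""
    reference_code, _ = split_code_and_literals(build_unsafe("alice"))
    try:
        code, _ = split_code_and_literals(build_unsafe(usr_name))
    except ValueError:
        return True                        # legitimate apostrophe breaks it too
    return code != reference_code


if __name__ == "__main__":
    for value in ("alice", PAYLOAD, "O'Brien"):
        print("input:", repr(value))
        print("  concatenated ->", build_unsafe(value))
        print("  shape changed? ", query_shape_changed(value))
        query, params = build_safe(value)
        print("  parameterized ->", query, params)   # query text never varies
```

Running it shows the concatenated query for the payload tokenizing as `WHERE n.name=? OR ?==? RETURN n` with three literals, so the `OR` has become part of the query's logic, whereas `build_safe` returns the identical query text for every input and the payload only ever appears inside the parameter dictionary. The `O'Brien` case is the other half of the story: escaping quotes by hand has to handle legitimate apostrophes correctly as well, which is exactly the work the parameter mechanism takes off the application's hands.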
