Parameters will help, as they are not substituted as strings but are used as
values in those expressions during execution.

qry = " .... WHERE n.name= {usrName} ...."


On Mon, Apr 21, 2014 at 11:17 PM, ryan <[email protected]> wrote:

> I have the same situation here where I am wanting to protect against SQL
> injection attacks.  I see this post is from 2012 so my first question is:
> has the answer for the main question changed since 2012?
>
> My next question (assuming answer to above is no) is I don't understand
> how this helps.  I am sure it's just me needing a better understanding of
> parameters.  If I have a query like this:
>
> qry = ... + "WHERE n.name='" + usrName + "'"
>
> and if userName = ' OR '1'=='1
>
> I don't see how putting that in a parameter will help.  Does the parameter
> do something special vs. a non-parameterized query?
>
> On Sunday, June 17, 2012 8:06:44 AM UTC-6, Yaron Naveh wrote:
>>
>> I've seen some posts on the matter but could not find anything conclusive.
>>
>> I'm building a cypher query using user defined string:
>>
>> qry = ... + "WHERE n.name='" + request["filter"] + "'"
>>
>> how can I protect against "sql injection"? for example the filter could
>> be ' OR '1'=='1
>>
>> Is it enough to prefix all quotes with a backslash? Should I ban some
>> words from appearing in the user string? The best would be to get a
>> "parameterized query"-like syntax so the server would take care of this.
>>
>  --
> You received this message because you are subscribed to the Google Groups
> "Neo4j" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
>

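An added example (not code from this thread or from Neo4j) that illustrates the point made in the reply above: with a parameter the filter value never becomes part of the query text, so the `' OR '1'=='1` input from the thread stays a plain string value. The small keyword scanner, its keyword set and the driver-call helper are assumptions made for illustration; the scanner only models how a parser separates literals from structure.

```python
"""Cypher injection: string concatenation vs. parameters (Python 3, stdlib only)."""

# Constructed filter value, taken from the thread.
INJECTED_FILTER = "' OR '1'=='1"

# Assumed subset of Cypher keywords, enough to show a change in query structure.
CYPHER_KEYWORDS = {"MATCH", "WHERE", "AND", "OR", "RETURN",
                   "DELETE", "DETACH", "SET", "CREATE", "WITH"}


def build_concatenated(usr_name: str) -> str:
    """The vulnerable pattern from the thread: input glued into the query text."""
    return "MATCH (n) WHERE n.name='" + usr_name + "' RETURN n"


def build_parameterized(usr_name: str):
    """Fixed query text; the value travels separately as a parameter.

    $usrName is the current Cypher parameter syntax; the thread's {usrName}
    is the older spelling of the same mechanism.
    """
    return "MATCH (n) WHERE n.name = $usrName RETURN n", {"usrName": usr_name}


def keywords_outside_literals(query: str) -> list:
    """Return the keywords a parser would see as structure of the query.

    Text inside single-quoted literals is skipped (a backslash escapes the
    next character), so only keywords outside literals are reported.
    """
    found, word, in_literal, skip = [], "", False, False
    for ch in query:
        if skip:                      # character escaped by a backslash
            skip = False
            continue
        if in_literal:
            if ch == "\\":
                skip = True
            elif ch == "'":
                in_literal = False
            continue
        if ch.isalpha():
            word += ch
            continue
        if word.upper() in CYPHER_KEYWORDS:
            found.append(word.upper())
        word = ""
        if ch == "'":
            in_literal = True
    if word.upper() in CYPHER_KEYWORDS:
        found.append(word.upper())
    return found


def run_parameterized(session, usr_name: str):
    """Send the parameterized form with the official neo4j Python driver
    (assumed available; not exercised here): the value goes in the parameter
    map, never into the query text."""
    query, params = build_parameterized(usr_name)
    return session.run(query, **params)
```

With the injected filter the concatenated query gains an `OR` outside any literal, while the parameterized query text is byte-for-byte the same as for a harmless name.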