This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Head's Up! These forums are read-only. All users and content have migrated. Please join us at community.neo4j.com.

Using variable for property name - is SQL Injection possible?

Go to solution
suzy_trowbridge
Node

‎12-28-2021 07:52 AM

Currently on ogm but we're planning to move to sdn. I'm passing a param from the frontend to the db to determine the property ex.

//passing in FE param as enum type then converting enum type to string to use in db cypher call
param='email' 

MATCH (p:Person)
WHERE p[$param] = "email@google.com"
RETURN p

Is it possible for a sql injection or other security risk to occur?

Labels:
0 Kudos
Reply
1 ACCEPTED SOLUTION

Go to solution
suzy_trowbridge
Node

‎01-04-2022 08:02 AM

Looks like using params will prevent cypher injections yay > Protecting against Cypher injection - Knowledge Base

View solution in original post

0 Kudos
Reply
1 REPLY 1

Go to solution
suzy_trowbridge
Node

‎01-04-2022 08:02 AM

Looks like using params will prevent cypher injections yay > Protecting against Cypher injection - Knowledge Base

0 Kudos
Reply
Nodes 2022
Nodes
NODES 2022, Neo4j Online Education Summit

All the sessions of the conference are now available online

Watch replays