Avoiding cypher injects when using parameter maps

eric.flick · June 6, 2019, 10:08pm

I have a use case where I'm generating a dynamic query before eventually calling session.query(...) with it. I'm providing a parameter map to the function that has input that comes from the user. I figured this input would get automatically sanitized but it does not and I can't find anything in documentation that talks about sanitizing inputs for the parameter map.

I'm aware that there's a JDBC PreparedStatement class that will do such a thing...but that seems like a pretty weird solution. Does OGM provide a way to sanitize parameter maps passed to Neo4jSession.query?

Jiropole · June 13, 2019, 5:09am

I'd suggest using your Spring Hibernate/Jackson implementation along with model views (DTOs) to perform the necessary validation. If you then want to get it into map form to pass to cypher, the way I've done this is to define a map method on each DTO to get the map form of the sanitized data.

Topic		Replies	Views
How to sanitize inputs to prevent CYPHER injection? Drivers & Stacks migrated	3	180	November 7, 2022
Multiple request parameters which are not required Spring Data Neo4j & Neo4j-OGM	4	3063	September 19, 2019
How can we update existing map in sdn5 using cypher query Spring Data Neo4j & Neo4j-OGM	6	340	January 11, 2021
@Query with dynamic parameter not working Spring Data Neo4j & Neo4j-OGM	2	2679	August 5, 2019
Is searching/updating/creating nodes and relationship labels and parameters via string construction in n4j-bolt/py2neo unsafe? Python cypher	0	601	February 5, 2020

Avoiding cypher injects when using parameter maps

Related topics