Using variable for property name - is SQL Injection possible?

suzy.trowbridge · December 28, 2021, 3:52pm

Currently on ogm but we're planning to move to sdn. I'm passing a param from the frontend to the db to determine the property ex.

//passing in FE param as enum type then converting enum type to string to use in db cypher call
param='email' 

MATCH (p:Person)
WHERE p[$param] = "email@google.com"
RETURN p

Is it possible for a sql injection or other security risk to occur?

suzy.trowbridge · January 4, 2022, 4:02pm

Looks like using params will prevent cypher injections yay > Protecting against Cypher injection - Knowledge Base

Topic		Replies	Views
Can I use variable for property name in driver cypher query? General	6	1693	October 23, 2020
Preventing SQL injection when using neo4j full text search Cypher cypher	1	2717	February 4, 2020
How to sanitize inputs to prevent CYPHER injection? Drivers & Stacks migrated	3	175	November 7, 2022
Code injection vulnerability Cypher cypher , security	4	788	October 1, 2021
Neo4j Security General	4	1355	January 10, 2022

Using variable for property name - is SQL Injection possible?

Related topics