cancel
Showing results for 
Search instead for 
Did you mean: 

Using variable for property name - is SQL Injection possible?

Currently on ogm but we're planning to move to sdn. I'm passing a param from the frontend to the db to determine the property ex.

//passing in FE param as enum type then converting enum type to string to use in db cypher call
param='email' 

MATCH (p:Person)
WHERE p[$param] = "email@google.com"
RETURN p

Is it possible for a sql injection or other security risk to occur?

1 ACCEPTED SOLUTION

Looks like using params will prevent cypher injections yay > Protecting against Cypher injection - Knowledge Base

View solution in original post

1 REPLY 1

Looks like using params will prevent cypher injections yay > Protecting against Cypher injection - Knowledge Base