“注射"指的是“注射". Cypher对REST的担忧 [英] "Injection" concerns for Cypher over REST


Question

I was wondering if there is a concern for query injection when I query over REST?

Parameterizing the query definitely makes things cleaner, but I was also able to query with string concatenation to manipulate properties and labels.

I find the latter approach more flexible because at times I can't query the way I want following the paradigm of parameters. (Can I parameterize labels and properties on CREATE or SET? (REST and transaction))

If there are no worries about some sort of injection, is it a security risk to concatenate query strings? I personally do not have too deep an understanding of querying Neo4j, so I want to keep my options open and am willing to try any suggestions.

After reading Wes's comment, I'd like to ask the viewers to quickly glance at the posted link. What about those situations where I want to use WHERE and SET? What would be the best way to parameterize?

Thanks!

Answer

Here's a hypothetical situation, given that someone knows your query. If you take user input and concatenate it into a query, this might happen:

"MATCH (u:User) WHERE u.id = " + userId + " RETURN u"

Let's try a userId of:

"1 WITH count(1) AS dummy MATCH (u:User) OPTIONAL MATCH (u)-[r]-() DELETE u, r "

I'm sure some people could come up with worse examples...

This is instantly resolved with parameters. You can sanitize inputs as well, but I'd take the safe way if possible.
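The answer's concatenation example, the parameterized fix, and the label question from the original post, worked through as an added example (not code from the original post or the Neo4j project). It builds request bodies for Neo4j's transactional Cypher endpoint (POST /db/data/transaction/commit, which takes a JSON object with a "statements" list of {"statement", "parameters"} entries) without contacting a server. The `$name` parameter syntax is the Neo4j 3.x+ form; older REST examples write `{name}`, and the mechanism is the same. Labels and relationship types cannot be parameters in Cypher, so the example shows the practical alternative: validate the label against an allow-list before splicing it into the query text, and pass property values as a map parameter with `SET n += $props`. The label allow-list and the sample values are constructed for the example.

```python
import json
import re

# The injected userId from the answer above (constructed, not sent anywhere).
MALICIOUS_USER_ID = (
    "1 WITH count(1) AS dummy MATCH (u:User) OPTIONAL MATCH (u)-[r]-() DELETE u, r "
)


def vulnerable_query(user_id):
    """The concatenated query from the answer: the input becomes Cypher text,
    so a crafted userId appends extra clauses to the statement."""
    return "MATCH (u:User) WHERE u.id = " + user_id + " RETURN u"


def parameterized_statement(user_id):
    """Safe form: the Cypher text is fixed and the value travels in the
    'parameters' map, where it is only ever compared as a value."""
    return {
        "statement": "MATCH (u:User) WHERE u.id = $id RETURN u",
        "parameters": {"id": user_id},
    }


# Hypothetical allow-list of labels this application is permitted to create.
ALLOWED_LABELS = {"User", "Admin", "Guest"}
# Plain identifier shape; anything else would need backtick quoting and is rejected.
LABEL_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def create_with_label(label, props):
    """Labels cannot be parameterized in Cypher, so the label is checked against
    the allow-list before being spliced into the query text. Property values
    still go through a map parameter via SET n += $props, so their contents
    never become Cypher."""
    if label not in ALLOWED_LABELS or not LABEL_RE.match(label):
        raise ValueError("label not allowed: %r" % (label,))
    return {
        "statement": "CREATE (n:%s) SET n += $props RETURN n" % label,
        "parameters": {"props": props},
    }


def update_statement(user_id, props):
    """WHERE + SET with parameters only: match on a value parameter, then
    merge a map parameter into the node's properties."""
    return {
        "statement": "MATCH (u:User) WHERE u.id = $id SET u += $props RETURN u",
        "parameters": {"id": user_id, "props": props},
    }


def commit_body(*statements):
    """JSON body for POST /db/data/transaction/commit."""
    return json.dumps({"statements": list(statements)})


if __name__ == "__main__":
    # The concatenated version now deletes users instead of reading one.
    print(vulnerable_query(MALICIOUS_USER_ID))
    # The parameterized version keeps the same statement text regardless of input.
    print(commit_body(parameterized_statement(MALICIOUS_USER_ID)))
    print(commit_body(create_with_label("User", {"id": 42, "name": "alice"})))
    try:
        create_with_label("User) DETACH DELETE n //", {})
    except ValueError as exc:
        print("rejected:", exc)
```

With the parameterized form the statement string never changes between requests, which also lets Neo4j cache the query plan; the only string that is ever built dynamically is the label, and that only from values the application itself chose.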
