"Injection" concerns for Cypher over REST


Question

I was wondering if there is a concern for query injection when I query over REST?

Parameterizing the query definitely makes things cleaner, but I was also able to query with string concatenation to manipulate properties and labels.

I find the latter approach more flexible because at times I can't query the way I want following the parameter paradigm. (Can I parameterize labels and properties on CREATE or SET? (REST and transaction))

If there are no worries about some sort of injection, is it a security risk to concatenate query strings? I personally do not have too deep an understanding of querying Neo4j, so I want to keep my options open and am willing to try any suggestions.

After reading Wes's comment, I'd like to ask the viewers to quickly glance at the posted link. What about those situations where I want to use WHERE and SET? What would be the best way to parameterize?

Thanks!

Accepted answer

Here's a hypothetical situation, given that someone knows your query. If you take user input and concatenate it into a query, this might happen:

"MATCH (u:User) WHERE u.id = " + userId + " RETURN u"

Let's try a userId of:

"1 WITH count(1) AS dummy MATCH (u:User) OPTIONAL MATCH (u)-[r]-() DELETE u, r "

I'm sure some people could come up with worse examples...

This is instantly resolved with parameters. You can sanitize inputs as well, but I'd take the safe way if possible.
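As an added illustration (not part of the original answer), the snippet below builds the request body for Neo4j's transactional Cypher endpoint (POST /db/data/transaction/commit) with the answer's query, and compares it with the concatenated form. The `$userId` parameter syntax and the clause-counting fingerprint are my own choices; the hostile input is the one from the answer.

```python
import json

# Parameterized template: the statement text never changes.
# ($userId is the newer syntax; the legacy {userId} form is equivalent.)
USER_BY_ID = "MATCH (u:User) WHERE u.id = $userId RETURN u"

# The answer's injected value, reused here as constructed test input.
HOSTILE_INPUT = (
    "1 WITH count(1) AS dummy MATCH (u:User) "
    "OPTIONAL MATCH (u)-[r]-() DELETE u, r"
)

CLAUSE_KEYWORDS = {
    "MATCH", "OPTIONAL", "WHERE", "WITH", "RETURN",
    "CREATE", "MERGE", "SET", "REMOVE", "DELETE",
}


def concatenated_query(user_id: str) -> str:
    """The unsafe pattern from the answer: input becomes query text."""
    return "MATCH (u:User) WHERE u.id = " + user_id + " RETURN u"


def transaction_body(statement: str, params: dict) -> str:
    """JSON body for the transactional endpoint. The user input travels only
    in the parameters map, so the server never parses it as Cypher.
    Note: parameters cover values, not labels or property keys; those must
    come from an allow-list in application code."""
    return json.dumps(
        {"statements": [{"statement": statement, "parameters": params}]}
    )


def statement_of(body: str) -> str:
    """Extract the Cypher statement the server would actually execute."""
    return json.loads(body)["statements"][0]["statement"]


def clause_count(query: str) -> int:
    """Rough structural fingerprint: how many clause keywords the query has.
    A parameterized statement yields the same count for any input; a
    concatenated one grows when the input smuggles extra clauses."""
    return sum(1 for tok in query.split() if tok.upper() in CLAUSE_KEYWORDS)


if __name__ == "__main__":
    print(clause_count(concatenated_query("42")))             # 3
    print(clause_count(concatenated_query(HOSTILE_INPUT)))    # 8
    body = transaction_body(USER_BY_ID, {"userId": HOSTILE_INPUT})
    print(clause_count(statement_of(body)))                   # 3
```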
