
How do I make Neo4j parameters safe in Ruby on Rails?

For example, the sentence is "I'm playing football"

The parameter needs to be "I\\'m playing football", with the single quote escaped, for the Neo4j architecture...

I tried variable.html_safe but unfortunately, it doesn't work.

Runtime information:

Neo4j database version: neo4j 3.3.1

neo4j gem version: 9.0.7

neo4j-core gem version: 8.1.0

For reference, this was answered on an issue in the neo4j repo. Copy/pasting here:

There are a few things you could do. The first thing that I would say is that you should never (or at least very rarely) inject data directly into a query string. It can be:

  • Buggy if you have inappropriate escaping of strings
  • Slow because Neo4j can't optimize a query plan when the query string changes each time
  • Insecure if this data is coming from a user because they could produce Cypher injection attacks

Ideally sqlParametre should be an array so that you can do this:

# {ads} is a named Cypher parameter; the gem sends the array separately from the query text
tablo = Word.query_as(:w).where('w.ad IN {ads}').params(ads: sqlParametre)
# or as a shortcut, letting the gem generate the parameter name for the ? placeholder:
tablo = Word.query_as(:w).where('w.ad IN ?', sqlParametre)

But since you have an ActiveNode model you can also work at a higher level and replace lines 89 and 91 with this:

# hash-style where: the gem builds the WHERE clause and parameters for you
kayitSayisi = Word.as(:w).where(ad: sqlParametre).pluck('SUM(w)').first

Note for that last line that if sqlParametre is an array, the neo4j gem automatically detects that and creates the Cypher syntax WHERE w.ad IN {param} instead of WHERE w.ad = {param}.
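To make the answer's point concrete, here is an added example (not code from the original answer or from the neo4j gem) that contrasts string interpolation with parameterised Cypher in plain Ruby. It needs no database: the functions only build the query text and the parameter hash that a driver would send as two separate values. The :Word label and the "ad" property come from the answer; the count(w) return clause and the quote_balanced? helper are assumptions for illustration.

```ruby
# Added example: why a parameter map beats interpolating data into Cypher.
# Assumes a node label :Word with a string property "ad", as in the answer.

# Unsafe pattern: the user's sentence becomes part of the Cypher text itself.
# An apostrophe in the data terminates the string literal early, which is the
# breakage the question reports, and every new sentence yields a new query
# text, so Neo4j cannot reuse a cached plan.
def unsafe_query(sentence)
  "MATCH (w:Word) WHERE w.ad = '#{sentence}' RETURN count(w)"
end

# Safe pattern: the query text is a fixed string and the data travels in a
# parameter hash. Neo4j 3.x accepts the {name} placeholder syntax the answer
# uses; the driver (or the neo4j gem) ships the hash alongside the text.
# Array() lets a single string or an array both work with IN, mirroring the
# gem's own behaviour described in the answer.
def safe_query(words)
  ["MATCH (w:Word) WHERE w.ad IN {ads} RETURN count(w)", { ads: Array(words) }]
end

# Crude symptom check: an odd number of single quotes means a string literal
# in the query text was left open. Parameters never touch the text, so the
# check passes for them regardless of the data.
def quote_balanced?(cypher)
  cypher.count("'").even?
end

sentence = "I'm playing football" # constructed input taken from the question

puts unsafe_query(sentence)                 # literal broken by the apostrophe
puts quote_balanced?(unsafe_query(sentence))

cypher, params = safe_query(sentence)
puts cypher                                 # identical for every input
p params                                    # {:ads=>["I'm playing football"]}
puts safe_query(%w[foo bar]).first == cypher
```

The second function is the shape of what Word.query_as(:w).where('w.ad IN {ads}').params(ads: ...) produces under the hood: the text is stable and cacheable, and no escaping code is needed because the data is never parsed as Cypher.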
