I'm using PHP and neoxygen/neo4j-neoclient to build a graph database, and I'm looking for a way to escape strings so that I can quote them safely into Cypher queries. I'm aware of the documentation on Cypher expressions, but I was wondering whether somebody has perhaps already written such an escape function in PHP (or perhaps in another language, so that I can port it to PHP)? Perhaps I could get away with using the PHP escape functions which already exist for, let's say, MySQL?

EDIT: So finally, in case anyone is looking for a way to pass parameters with sendCypherQuery, here's an example:

// The parameter map is sent separately from the query text; the {key}
// placeholder in the query is bound to $parameters['key'] on the server.
$parameters = array(
    'key' => 'example',
);

$client->sendCypherQuery("MERGE (node {key:{key}})", $parameters);

This is equivalent to the Cypher query:

MERGE (node {key:'example'})
Marcin Wasilewski

2 Answers

2

What you describe as potential "injection" is possible for all variables that you do not pass as parameters.

So for Cypher and NeoClient, be sure to ALWAYS pass your variables as the second argument of the sendCypherQuery method.

As a side note, in PHP, mysql_real_escape_string has been obsolete since PHP 5.5.0, so for more than two years. This is why you would use PDO, for example, and also pass variables as query parameters.

Christophe Willemsen
  • Thanks! I see. I didn't know it's obsolete; indeed, I've always used PDO myself. Anyway, I guess I should have turned autocompletion on, because I wasn't aware that sendCypherQuery accepts additional parameters. This isn't documented very well on your GitHub page. Could you please give me a hint how to map these parameters inside the query? – Marcin Wasilewski Jul 17 '15 at 01:48
  • On this page, you have links to 3 articles that I wrote on SitePoint with lots of examples using the client: http://neo4j.com/developer/php/ – Christophe Willemsen Jul 17 '15 at 07:33
1

The {key} syntax is obsolete. Use $key instead:

$client->sendCypherQuery('MERGE (node { key: $key })', [ 'key' => 'example' ]);
Dima L.
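Putting the two answers together, here is an added example that is not part of the original question or either answer, and not NeoClient's own code. It assumes only that $client is a NeoClient instance exposing the sendCypherQuery($query, $parameters) method shown above; the attacker-controlled value is constructed for illustration. It places the concatenation approach the question was heading toward next to the parameterized call with the $key placeholder syntax from the second answer:

```php
<?php
// Added example (not from the original post or from NeoClient).
// Assumes $client is a NeoClient instance whose sendCypherQuery($query, $parameters)
// sends the query text and the parameter map separately, as the answers describe.

// Constructed attacker-controlled value for illustration: it closes the string
// literal and the MERGE pattern, appends a clause of its own, and the trailing
// "//" turns whatever the template appends afterwards into a Cypher comment.
$untrusted = "x'}) MATCH (n) DETACH DELETE n //";

// VULNERABLE: the value is spliced into the query text, so the server parses it
// as Cypher. Reusing a MySQL escaping function does not make this safe in
// general, because Cypher string literals do not follow MySQL's escaping rules.
function buildUnsafeQuery($value)
{
    return "MERGE (node {key:'" . $value . "'})";
}

// SAFE: the query text is a constant and the value travels as a parameter, so
// it is bound as a string value and never parsed as Cypher, whatever it contains.
// The single-quoted PHP string matters: in a double-quoted string PHP would
// interpolate $key itself and the placeholder would never reach Neo4j.
function mergeNodeByKey($client, $key)
{
    return $client->sendCypherQuery('MERGE (node { key: $key })', ['key' => $key]);
}

// Show the query text the server would receive in the vulnerable case.
echo buildUnsafeQuery($untrusted), PHP_EOL;

// The hardened call needs a live client; skip it when none is configured.
if (isset($client)) {
    mergeNodeByKey($client, $untrusted);
}
```

Running the script prints the spliced query, in which the MERGE is followed by a MATCH ... DETACH DELETE that the developer never wrote and the original closing `'})` has become a comment. With mergeNodeByKey the server receives the unchanged text `MERGE (node { key: $key })` plus a parameter map whose `key` entry is the whole untrusted string; the node simply gets that string as its property value.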