florinpatrascu / bolt_sips

Neo4j driver for Elixir
Apache License 2.0
256 stars 49 forks

Request: guidance on parameterized queries #90

Closed taobojlen closed 4 years ago

taobojlen commented 4 years ago

Cypher supports parameterized queries to help mitigate the risk of injection attacks.

It looks like Bolt.Sips.query/2 only takes a connection and a string, and (as far as I can tell) none of the examples in this repo use parameterized queries. Does bolt_sips support these? If so, how do we use them without resorting to string building?

florinpatrascu commented 4 years ago

What about query/4? One of the tests we have, for brevity:

  # Bolt.Sips.Response is referenced below as `Response`
  alias Bolt.Sips.Response

  test "run simple statement with complex params", context do
    conn = context[:conn]

    # the third argument is the parameter map; `{x}` in the statement
    # is bound to the value of key `x`, here a nested map containing a list
    row =
      Bolt.Sips.query!(conn, "RETURN {x} AS n", %{x: %{abc: ["d", "e", "f"]}})
      |> Response.first()

    assert row["n"]["abc"] == ["d", "e", "f"]
  end
taobojlen commented 4 years ago

Oh, my bad! I was searching for "parameter", so "params" didn't show up... Oops!

Thanks a lot for the fast reply :)

florinpatrascu commented 4 years ago

No worries :)

dominique-vassard commented 4 years ago

@tao-oat Keep in mind that due to deprecation in Neo4j v4, it's better to use $param instead of {param}.
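The pattern the thread settles on, as an added example that is not part of bolt_sips or of any comment above: a string-built Cypher statement next to the same lookup done with a parameter map and the `$param` syntax, plus the one case parameters cannot cover. The module name, the `User`/`Group` labels, the connection options passed to `Bolt.Sips.start_link/1` and the Neo4j credentials are assumptions; `Bolt.Sips.query/3`, `Bolt.Sips.query!/3`, `Bolt.Sips.conn/0` and `Bolt.Sips.Response.first/1` are the driver's own functions.

```elixir
# Added example, not from the bolt_sips project. Assumes a Neo4j instance
# reachable over Bolt and the v2 driver API (Bolt.Sips.start_link/1,
# Bolt.Sips.conn/0, Bolt.Sips.query/3). Labels and credentials are made up.
defmodule CypherParams do
  alias Bolt.Sips.Response

  # VULNERABLE: the caller-supplied value is spliced into the statement text.
  # A value containing a quote (for example `x'}) RETURN 'pwned' AS name //`)
  # closes the literal, appends its own RETURN and comments out the rest,
  # so the query's structure, not just its data, is under the caller's control.
  def unsafe_statement(name) do
    "MATCH (u:User {name: '#{name}'}) RETURN u.name AS name"
  end

  def find_user_unsafe(conn, name) do
    Bolt.Sips.query!(conn, unsafe_statement(name)) |> Response.first()
  end

  # SAFE: the statement text is a constant; the value travels as a Bolt
  # parameter and is never parsed as Cypher. `$name` is the Neo4j 4 syntax,
  # `{name}` is the deprecated form mentioned in the thread.
  @find_user "MATCH (u:User {name: $name}) RETURN u.name AS name"
  def find_user(conn, name) do
    Bolt.Sips.query!(conn, @find_user, %{name: name}) |> Response.first()
  end

  # Caveat: Cypher parameters bind values only. Labels, relationship types
  # and property keys cannot be parameterized, so a dynamic label must be
  # checked against a fixed allowlist before it is interpolated.
  @allowed_labels ~w(User Group)
  def count_label(conn, label) when label in @allowed_labels do
    case Bolt.Sips.query(conn, "MATCH (x:#{label}) RETURN count(x) AS n") do
      {:ok, %Response{} = resp} -> {:ok, Response.first(resp)["n"]}
      {:error, reason} -> {:error, reason}
    end
  end

  def count_label(_conn, label), do: {:error, {:label_not_allowed, label}}
end

# Assumed connection setup (hypothetical URL and credentials):
#
#   {:ok, _pid} =
#     Bolt.Sips.start_link(
#       url: "bolt://localhost:7687",
#       basic_auth: [username: "neo4j", password: "neo4j"]
#     )
#
#   conn = Bolt.Sips.conn()
#   CypherParams.find_user(conn, "alice")
#   CypherParams.count_label(conn, "User")
#   CypherParams.count_label(conn, "User) DETACH DELETE x //")
```

`unsafe_statement/1` is kept separate from the query call so the effect of a hostile value can be inspected without a database: interpolating the payload from its comment yields a statement whose first `RETURN` is the attacker's and whose original tail sits behind a `//` line comment. `find_user/2` sends the same lookup with the value in the parameter map, which is the non-string-building answer the issue asked for. The allowlist guard in `count_label/2` is the part parameters cannot replace; the last call in the usage comment is rejected at the guard rather than reaching Neo4j.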