6.9.4.3.2 Verifying PGQL Identifiers
For some parts of a PGQL query the parser does not allow the use of bind variables. In such cases, the input can be verified using the printIdentifier method in oracle.pgql.lang.ir.PgqlUtils.
Consider the following query execution, which concatenates the name of the graph against which the graph pattern will be matched into the query text:
stmt.executeQuery("SELECT n.name FROM MATCH (n) ON " + graphName, "");
In order to avoid injection, the identifier graphName should be verified as follows:
stmt.executeQuery("SELECT n.name FROM MATCH (n) ON " + PgqlUtils.printIdentifier(graphName), "");
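The following Java class is an added example, not code from the Oracle documentation: it places the unverified concatenation beside the verified one so the difference in the generated query text can be inspected before anything is executed. It assumes that stmt is an already-opened PGQL statement whose executeQuery(String query, String options) signature matches the call above, and that PgqlUtils.printIdentifier(String) returns the identifier quoted and escaped where needed, as the preceding text describes; the graph names and the SafeGraphQuery class name are constructed for the example.

```java
import oracle.pgql.lang.ir.PgqlUtils;

// Added example (not from the Oracle documentation). Builds the query text for a
// graph name supplied at run time, so the two forms can be compared.
public final class SafeGraphQuery {

    // Unverified form: the graph name is spliced in verbatim, so any characters in
    // it that the PGQL parser treats as syntax become part of the query.
    static String unverifiedQuery(String graphName) {
        return "SELECT n.name FROM MATCH (n) ON " + graphName;
    }

    // Verified form: printIdentifier quotes and escapes the name where needed, so
    // the parser sees exactly one identifier regardless of the name's content.
    static String verifiedQuery(String graphName) {
        return "SELECT n.name FROM MATCH (n) ON " + PgqlUtils.printIdentifier(graphName);
    }

    public static void main(String[] args) {
        // Constructed inputs: a plain graph name and one containing a space and a
        // double quote, characters that would otherwise be read as query syntax.
        String[] names = { "financial_transactions", "my graph\" ON other" };
        for (String name : names) {
            System.out.println("unverified: " + unverifiedQuery(name));
            System.out.println("verified:   " + verifiedQuery(name));
        }
        // Execution against an assumed, already-opened PGQL statement `stmt`:
        // stmt.executeQuery(verifiedQuery(userSuppliedName), "");
    }
}
```

printIdentifier only guarantees that the supplied string is parsed as a single identifier; it does not check that a graph by that name exists or that the caller is allowed to read it, so those checks remain the application's responsibility.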