1. Graph Developer's Guide for Property Graph
  2. Getting Started with Oracle Property Graphs
  3. Property Graph Query Language (PGQL)
  4. Executing PGQL Queries Against the Graph Server (PGX)
  5. Security Tools for Executing PGQL Queries

6.8.9 Security Tools for Executing PGQL Queries

To safeguard against query injection, bind variables can be used in place of literals while printIdentifier(String identifier) can be used in place of identifiers like graph names, labels, and property names.

  • Using Bind Variables
    There are two reasons for using bind variables:
  • Using Identifiers in a Safe Manner
    When you create a query through string concatenation, not only literals in queries pose a security risk, but also identifiers like graph names, labels, and property names do. The only problem is that bind variables are not supported for such identifier. Therefore, if these identifiers are variable from the application's perspective, then it is recommended to protect against query injection by passing the identifier through the oracle.pgql.lang.ir.PgqlUtils.printIdentifier(String identifier) method.

Parent topic: Executing PGQL Queries Against the Graph Server (PGX)