6.9.1.4.3.2 Verifying PGQL Identifiers

For some parts of a PGQL query the parser does not allow the use of bind variables. In such cases, the input can be verified using the printIdentifier method of the class oracle.pgql.lang.ir.PgqlUtils.

Consider the following query execution, which concatenates the name of the graph against which the graph pattern is matched directly into the query string:

stmt.executeQuery("SELECT n.name FROM MATCH (n) ON " + graphName, "");

To avoid injection, the identifier graphName should be verified as follows:

stmt.executeQuery("SELECT n.name FROM MATCH (n) ON " + PgqlUtils.printIdentifier(graphName), "");
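The same rule applied to a query that takes both identifiers and a value from untrusted input, as an added example that is not part of the Oracle documentation: identifiers (graph name, property name) go through PgqlUtils.printIdentifier, while the comparison value stays a bind variable. The classes PgqlConnection, PgqlPreparedStatement and PgqlResultSet from oracle.pg.rdbms.pgql, and the method names used on them, are assumptions.

```java
import java.sql.Connection;
import oracle.pg.rdbms.pgql.PgqlConnection;         // assumed PGQL-on-RDBMS API
import oracle.pg.rdbms.pgql.PgqlPreparedStatement;  // assumed
import oracle.pg.rdbms.pgql.PgqlResultSet;          // assumed
import oracle.pgql.lang.ir.PgqlUtils;

public final class SafeGraphQuery {

    // Unsafe: both identifiers are pasted in verbatim, so any input containing
    // a double quote, whitespace or a keyword becomes part of the query text.
    static String buildQueryUnsafe(String graphName, String propertyName) {
        return "SELECT n.name FROM MATCH (n) ON " + graphName
                + " WHERE n." + propertyName + " = ?";
    }

    // Safe: the parser does not accept bind variables for the graph or property
    // name, so each is passed through printIdentifier, which returns a PGQL
    // identifier, quoting and escaping it as needed. The comparison value is
    // never concatenated; it stays a bind variable (?) set on the statement.
    static String buildQuery(String graphName, String propertyName) {
        return "SELECT n.name FROM MATCH (n) ON " + PgqlUtils.printIdentifier(graphName)
                + " WHERE n." + PgqlUtils.printIdentifier(propertyName) + " = ?";
    }

    // Runs the safe query over an existing JDBC connection (assumed API).
    static PgqlResultSet findByProperty(Connection jdbcConn, String graphName,
                                        String propertyName, String value) throws Exception {
        PgqlConnection pgqlConn = PgqlConnection.getConnection(jdbcConn);
        PgqlPreparedStatement ps = pgqlConn.prepareStatement(buildQuery(graphName, propertyName));
        ps.setString(1, value);   // value is bound, not concatenated
        return ps.executeQuery();
    }

    public static void main(String[] args) {
        // Constructed inputs: a graph name with whitespace and an embedded double
        // quote, which raw concatenation would turn into extra query tokens.
        String graphName = "my \"prod\" graph";
        String propertyName = "first name";
        System.out.println("unsafe: " + buildQueryUnsafe(graphName, propertyName));
        System.out.println("safe:   " + buildQuery(graphName, propertyName));
    }
}
```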