Skip to content

bad habits

Jump to bottom Edit New page
Charlotte Skardon edited this page Feb 7, 2023 · 4 revisions

Context

This page shows examples of code that we've seen on projects which use Neo4jClient, but which could be written better.

Using string.Format (or string interpolation) for parameters

This code is very unsafe:

.Where(string.Format("x.EmailAddress = '{0}'", email))

or

.Where($"x.EmailAddress = '{email}'")

It's open to Cypher-injection risks and encoding problems.

It's also very slow because it forces the query plan to be recompiled on every request, because the query text varies for each request.

Use a named parameter instead:

.Where("x.EmailAddress = $email")
.WithParams(new { email })

Or, for simple scenarios like this, use the lambda syntax:

.Where((User x) => x.EmailAddress == email)

This syntax automatically generates parameters.

Information

  • Nuget
  • Licensed under MS-PL. See LICENSE in the root of this repository for full license text.

Need Help?

Client

Querying

Clone this wiki locally