Improving Query Safety & Parameterization Across IYP Browser / Neo4J Browser / Bolt Clients

[ayushman1210]

Hi everyone,
During a review of the fetchConnectedNodes function in the IYP Browser, I noticed that user-controlled input (like nodeId) is directly interpolated into Cypher queries. While Neo4j doesn’t allow SQL-style injection, direct interpolation can still introduce issues such as:

• malformed queries due to invalid elementId strings
• inconsistent UI behavior
• unexpected client-side errors
• unnecessary query failures

This pattern exists across multiple parts of the app (IYP Browser, Neo4J Browser, Bolt sessions), so it’s clearly a broader architectural topic — not specific to a single component.

Since @dpgiakatos confirmed that this is handled at the database level (timeouts, read-only mode), I wanted to open a discussion about whether the project would prefer:

• migrating toward parameterized queries ($id instead of string interpolation)
• adding lightweight input validation for elementId values
• keeping the current approach because the DB protections are sufficient

This conversation started from an investigation in this issue
(linking here for reference): [https://github.com/InternetHealthReport/iyp-browser/issues/13]

I’d be happy to help contribute once the maintainers settle on the preferred direction.
Looking forward to hearing your thoughts!

[ayushman1210]

Hi @dpgiakatos, just a small follow-up on this discussion.
Whenever you get a chance, could you share your thoughts on the parameterized-query direction? No rush — I just want to make sure I’m aligned before contributing anything.
Thanks!!

[dpgiakatos]

For "Neo4J Browser and Bolt sessions" it is better to discuss this topic with Neo4J people.