Can java dsl `Expression.s()` be considered as safe for passing user inputs?


I’m writing a simple search endpoint that relies on N1QL pattern matching features.

As I didn't find the REGEXP_LIKE instruction in the DSL (did I miss it?), I had to go with an Expression.x which I assume to be unsafe.

What I did is wrapping user inputs in an Expression.s in order to protect from injections.

Can I be confident enough with this approach or should I be concerned?


import com.couchbase.client.java.query.dsl.Expression;

private static Expression userLastNameMatches(RegexpSearchQueryTerm term) {
    // term.getPattern() is assumed here; the posted snippet broke off before the user-input operand
    return Expression.x(
        "REGEXP_LIKE(" +
            "lastname, " +
            Expression.s(term.getPattern()) +  // user input wrapped as a N1QL string literal
        ")");
}

Hi Anton,

You are right to be concerned; Expression.s does not protect from injection.

The safe way would be to use a parameterized query with the user input as a parameter.
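The parameterized query David recommends, as an added example (not code from this thread or from Couchbase), written against the Couchbase Java SDK 2.x N1QL API; the `users` bucket name, the `lastname` field and the `getPattern()` accessor on `RegexpSearchQueryTerm` are assumptions.

```java
import com.couchbase.client.java.Bucket;
import com.couchbase.client.java.document.json.JsonObject;
import com.couchbase.client.java.query.N1qlQuery;
import com.couchbase.client.java.query.N1qlQueryResult;
import com.couchbase.client.java.query.N1qlQueryRow;
import com.couchbase.client.java.query.Select;
import com.couchbase.client.java.query.Statement;
import static com.couchbase.client.java.query.dsl.Expression.i;
import static com.couchbase.client.java.query.dsl.Expression.x;

import java.util.ArrayList;
import java.util.List;

public final class LastNameSearch {

    // The statement text is fixed at build time; $pattern is a named placeholder,
    // so the user's input never becomes part of the N1QL text itself.
    private static final Statement USER_LAST_NAME_MATCHES =
        Select.select(x("META().id"), x("lastname"))
              .from(i("users"))                              // assumed bucket, backtick-escaped by i()
              .where(x("REGEXP_LIKE(lastname, $pattern)"));  // placeholder, not user data

    private LastNameSearch() {}

    // Binds the user's pattern as a query parameter instead of concatenating it.
    public static List<JsonObject> search(Bucket bucket, RegexpSearchQueryTerm term) {
        JsonObject params = JsonObject.create().put("pattern", term.getPattern());
        N1qlQuery query = N1qlQuery.parameterized(USER_LAST_NAME_MATCHES, params);

        N1qlQueryResult result = bucket.query(query);
        if (!result.finalSuccess()) {
            throw new IllegalStateException("N1QL query failed: " + result.errors());
        }
        List<JsonObject> rows = new ArrayList<>();
        for (N1qlQueryRow row : result.allRows()) {
            rows.add(row.value());
        }
        return rows;
    }

    // Hypothetical holder for the user's input, mirroring the type named in the question.
    public static final class RegexpSearchQueryTerm {
        private final String pattern;
        public RegexpSearchQueryTerm(String pattern) { this.pattern = pattern; }
        public String getPattern() { return pattern; }
    }
}
```

Binding the value as `$pattern` keeps it out of the statement text, so it cannot change the query's structure; it still reaches the regex engine as a pattern, so bounding its length or complexity is a separate consideration.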


Alright, fixed, thanks David!