SQL Query Parameters and SQL injection

I am attempting to create a re-usable subgraph for retrieving a database value based on a query parameter passed in. For scalability reasons, it is not reasonable to read the whole table and then filter in CloverDX.
The only way I have been able to figure out how to pass a parameter to SQL is when it is a parameter of the graph itself. Unfortunately, that parameter replacement is just a String variable replacement in the query, leading to potential SQL injection attacks.

In the documentation for DatabaseReader, I see there are question marks in the "Query statement with mapping" section, which leads me to believe there is some other way of specifying String query parameters to a Prepared Statement without risking injection.

Any guidance is greatly appreciated,

Hi Mark,
The DatabaseReader component allows the SQL query to be read from the input port instead of being specified as one of the parameters.
If you choose this way, then you can do whatever pre-processing you need, including checking for SQL injection, before sending the query to the component and thus to the database.

See the DatabaseReader | CloverDX 7.0.0 Documentation section, which shows how to read the query from the input port.

Hope this solves it.

David
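As an added illustration of the two points raised in this thread (not code from the thread or from CloverDX), the example below uses Python's sqlite3 module and a constructed in-memory table in place of the DatabaseReader to contrast a query built by string replacement of the parameter, a prepared statement with a `?` placeholder, and the kind of pre-processing check the answer suggests when the query text has to be assembled before it is sent. The table, column names and the allowlist pattern are assumptions made for the demonstration.

```python
import re
import sqlite3

# Constructed sample data standing in for the table the subgraph queries.
SAMPLE_ROWS = [(1, "Alice"), (2, "O'Brien"), (3, "Bob")]


def make_db():
    """Create an in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO customer VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_by_substitution(conn, name):
    """Graph-parameter style: the value is spliced into the SQL text.

    Any quote in the value becomes part of the query's syntax, which is the
    root cause of SQL injection. Returns None when the database rejects the
    resulting statement, so the caller can see that the query was altered.
    """
    query = "SELECT id FROM customer WHERE name = '%s'" % name
    try:
        return [row[0] for row in conn.execute(query)]
    except sqlite3.Error:
        return None


def lookup_by_binding(conn, name):
    """Prepared-statement style: the value is sent separately from the SQL text.

    The '?' placeholder is filled by the driver; the database never parses the
    value as syntax, so a legitimate name containing a quote still matches.
    """
    query = "SELECT id FROM customer WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,))]


# Hypothetical allowlist for the pre-processing check: only letters, digits,
# spaces, underscores and hyphens, at most 64 characters. Anything else (quotes,
# semicolons, comment markers) is rejected before a query is assembled.
NAME_ALLOWLIST = re.compile(r"[A-Za-z0-9 _-]{1,64}")


def is_safe_name(name):
    """Return True only if the value matches the allowlist exactly."""
    return NAME_ALLOWLIST.fullmatch(name) is not None
```

Note that the allowlist check rejects the legitimate value `O'Brien` while parameter binding handles it correctly, which is why binding is the preferred fix and validation is the fallback when the query text must be assembled up front.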