Passing parameters to db.query with arangojs


Problem description

I'm having problems sending parameters with the ArangoJS library and was wondering if anyone could help.

With the example below, it is possible to execute db.query if parameter values are in the query, but as soon as I try to use bindVars I get silent errors and I can't extract any error details.

var db = require('arangojs')("http://127.0.0.1:8529");

/*
The '_system' database contains a collection called 'test' that contains one document:
 {
   "a": 1,
   "b": 2
 }
 */

// This works: collection name and filter value are written into the query text
db.query('FOR t IN test FILTER t.a == 1 RETURN t')
  .then((cursor) => cursor.all())
  .then(vals => {
    console.log("\nNo bindVars");
    console.log(vals);
  })
  .catch(err => console.error("No bindVars failed:", err));

// This does not work: @first is an ordinary bind parameter, so it cannot name a collection
db.query("FOR t IN @first FILTER t.a == @second RETURN t", { first: "test", second: 1 })
  .then((cursor) => cursor.all())
  .then(vals => {
    console.log("\nUsing bindVars");
    console.log(vals);
  })
  // Without a .catch the rejected promise was never observed, which is why no error details surfaced
  .catch(err => console.error("Using bindVars failed:", err));

I'm new to Node.js and ArangoDB and would love to be able to use properly parameterized queries.

I'm also assuming that this use of parameters protects you from SQL Injection style attacks?

Thanks!

Recommended answer

The problem isn't with the JavaScript driver or Node, the problem is with the query itself:

FOR t IN @first FILTER t.a == @second RETURN t

In AQL collection names can't be injected with ordinary bind parameters. This is because you're not actually trying to use the parameter as a string value but to refer to a collection with that name. To quote the AQL documentation:

A special type of bind parameter exists for injecting collection names. This type of bind parameter has a name prefixed with an additional @ symbol (thus when using the bind parameter in a query, two @ symbols must be used).

In other words, in AQL it has to be called @@first (instead of @first) and in the bind parameters argument to db.query it has to be called @first (instead of just first).

When using arangojs it's actually possible to avoid this entirely by using the aqlQuery template handler:

var db = require('arangojs')("http://127.0.0.1:8529");
var aqlQuery = require('arangojs').aqlQuery;
var first = db.collection('test');   // a collection instance, not a name string
var second = 1;

// The template handler turns ${first} into a collection bind parameter (@@...)
// and ${second} into an ordinary value bind parameter, so no manual @ / @@ syntax is needed
db.query(aqlQuery`
  FOR t IN ${first}
  FILTER t.a == ${second}
  RETURN t
`).then(
  cursor => cursor.all()
).then(vals => {
  console.log('Using aqlQuery');
  console.log(vals);
}).catch(err => console.error('Using aqlQuery failed:', err));

This way you don't have to think about bind parameter syntax when writing queries and can write more complex queries without having to mess with extremely long strings. Note that it will recognize arangojs collection instances and handle them accordingly. Using a string instead of a collection instance would result in the same problems as in your example.

Additionally note that the template handler also exists in the arangosh shell and in ArangoDB itself (e.g. when using Foxx).
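
The rewriting the answer describes, shown as an added example that is not part of the original answer and not arangojs's own code: a minimal tagged-template function that mimics the observable behaviour of the aqlQuery helper and returns the {query, bindVars} pair db.query accepts. The FakeCollection class and its isArangoCollection marker are assumptions standing in for a real collection instance, so the output can be inspected offline without a server. It covers both points of the answer: a collection instance becomes a @@ collection bind parameter, while a plain name string becomes an ordinary value bind parameter and reproduces the question's failure. It also shows why bind parameters are injection-safe: a filter value that looks like AQL never changes the query text.

```javascript
// Added illustration (not arangojs's own code): a minimal tagged-template
// function that mimics the observable behaviour of arangojs's aqlQuery/aql
// helper. It returns the {query, bindVars} object db.query() accepts, so the
// rewritten query can be inspected offline without an ArangoDB server.

// Stand-in for an arangojs collection instance (constructed for this example).
// Real instances are recognised by the helper; a name string is not.
class FakeCollection {
  constructor(name) {
    this.name = name;
    this.isArangoCollection = true; // assumption: marker used to recognise collection instances
  }
}

function aql(strings, ...values) {
  let query = strings[0];
  const bindVars = {};
  values.forEach((value, i) => {
    const name = `value${i}`;
    if (value && value.isArangoCollection) {
      // Collection instance -> collection bind parameter: "@@name" in the
      // query text and "@name" as the bindVars key (the double-@ rule).
      query += `@@${name}`;
      bindVars[`@${name}`] = value.name;
    } else {
      // Any other value -> ordinary bind parameter. The value is never spliced
      // into the query text, which is what keeps the query structure fixed.
      query += `@${name}`;
      bindVars[name] = value;
    }
    query += strings[i + 1];
  });
  return { query, bindVars };
}

// Builds the question's query from a collection reference and a user-supplied filter value.
function buildQuery(collection, filterValue) {
  return aql`FOR t IN ${collection} FILTER t.a == ${filterValue} RETURN t`;
}

// True when two filter values yield identical query text: the value only ever
// travels through bindVars and cannot alter the query's structure.
function queryTextIsStable(collection, valueA, valueB) {
  return buildQuery(collection, valueA).query === buildQuery(collection, valueB).query;
}

// Constructed inputs.
const testCollection = new FakeCollection('test');
console.log(buildQuery(testCollection, 1));
// { query: 'FOR t IN @@value0 FILTER t.a == @value1 RETURN t',
//   bindVars: { '@value0': 'test', value1: 1 } }

// Passing the collection name as a plain string reproduces the question's
// mistake: it becomes a value bind parameter (@value0), which AQL does not
// accept as a collection reference.
console.log(buildQuery('test', 1).query);
// FOR t IN @value0 FILTER t.a == @value1 RETURN t

// A filter value that looks like AQL stays an inert string inside bindVars.
console.log(queryTextIsStable(testCollection, 1, '1 || true')); // true
```

The distinction to keep in mind when reviewing code that builds queries: the helper decides between @ and @@ by the type of the interpolated value, so a collection looked up by name from user input must go through db.collection(name) (or a validated allow-list) before interpolation, otherwise it ends up as a value bind parameter exactly as in the question.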