Passing parameters to db.query with arangojs

Problem description

I'm having problems sending parameters with the ArangoJS library and was wondering if anyone could help.

With the example below, it is possible to execute db.query if parameter values are in the query, but as soon as I try to use bindVars I get silent errors and I can't extract any error details.

var db = require('arangojs')("http://127.0.0.1:8529");

/*
The '_system' database contains a collection called 'test' that contains one document:
 {
   "a": 1,
   "b": 2
 }
 */

// This works
db.query('FOR t IN test FILTER t.a == 1 RETURN t')
  .then((cursor) => {
    cursor.all()
      .then(vals => {
        console.log("\nNo bindVars");
        console.log(vals);
      });
  });

// This does not work
db.query("FOR t IN @first FILTER t.a == @second RETURN t", { first: "test", second: 1 })
  .then((cursor) => {
    cursor.all()
      .then(vals => {
        console.log("\nUsing bindVars");
        console.log(vals);
      });
  });

I'm new to Node.js and ArangoDB and would love to be able to use properly parameterized queries.

I'm also assuming that this use of parameters protects you from SQL Injection style attacks?

Thanks!

Recommended answer

The problem isn't with the JavaScript driver or Node, the problem is with the query itself:

FOR t IN @first FILTER t.a == @second RETURN t

In AQL collection names can't be injected with ordinary bind parameters. This is because you're not actually trying to use the parameter as a string value but to refer to a collection with that name. To quote the AQL documentation:

A special type of bind parameter exists for injecting collection names. This type of bind parameter has a name prefixed with an additional @ symbol (thus when using the bind parameter in a query, two @ symbols must be used).

In other words, in AQL it has to be called @@first (instead of @first) and in the bind parameters argument to db.query it has to be called @first (instead of just first).

When using arangojs it's actually possible to avoid this entirely by using the aqlQuery template handler:

var db = require('arangojs')("http://127.0.0.1:8529"); // same connection as in the question
var aqlQuery = require('arangojs').aqlQuery;
var first = db.collection('test'); // a collection instance, not a plain string
var second = 1;

db.query(aqlQuery`
  FOR t IN ${first}
  FILTER t.a == ${second}
  RETURN t
`).then(
  cursor => cursor.all()
).then(vals => {
  console.log('Using aqlQuery');
  console.log(vals);
}).catch(err => {
  // without a catch handler a failed query is an unobserved rejection
  console.error(err);
});

This way you don't have to think about bind parameter syntax when writing queries and can write more complex queries without having to mess with extremely long strings. Note that it will recognize arangojs collection instances and handle them accordingly. Using a string instead of a collection instance would result in the same problems as in your example.

Additionally note that the template handler also exists in the arangosh shell and in ArangoDB itself (e.g. when using Foxx).
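To make the two bind parameter kinds concrete, here is an added example that is not part of the original question or answer and is not arangojs's own code: a minimal template tag that does what the answer describes an AQL template handler doing, producing a `{ query, bindVars }` pair without contacting a database. The `isArangoCollection` marker and the `collection()` stand-in are assumptions used so the example runs offline; the names `value0`, `value1` are this example's own naming scheme. It also illustrates the asker's injection question: a value supplied through `bindVars` is transported separately from the query text, so the query string is identical whatever the value contains.

```javascript
// Added example: a toy AQL template tag, not the arangojs implementation.
// It shows how collection and value placeholders differ in the generated
// query text and in the bindVars object.

// Hypothetical stand-in for an arangojs collection instance (assumption:
// only the `isArangoCollection` marker and `name` are used here).
function collection(name) {
  return { isArangoCollection: true, name: name };
}

// Tag function: aql`FOR t IN ${coll} FILTER t.a == ${val}` ->
// { query, bindVars }. A collection becomes @@valueN in the query and the
// key "@valueN" in bindVars; any other value becomes @valueN / "valueN".
function aql(strings, ...values) {
  let query = strings[0];
  const bindVars = {};
  values.forEach((value, i) => {
    const name = 'value' + i;
    const isCollection = value !== null && typeof value === 'object'
      && value.isArangoCollection === true;
    if (isCollection) {
      query += '@@' + name;           // collection bind parameter: two @
      bindVars['@' + name] = value.name; // bindVars key keeps one @
    } else {
      query += '@' + name;            // ordinary value bind parameter
      bindVars[name] = value;
    }
    query += strings[i + 1];
  });
  return { query: query, bindVars: bindVars };
}

// The hand-written equivalent from the answer: @@first in the query text,
// "@first" as the bindVars key, and the plain @second / "second" for a value.
function manualBindVars() {
  return {
    query: 'FOR t IN @@first FILTER t.a == @second RETURN t',
    bindVars: { '@first': 'test', second: 1 },
  };
}

// Whatever string a caller supplies for the filter value (constructed input
// below), the generated query text does not change; the value only appears
// inside bindVars, which is the property parameterised queries rely on.
function queryWithFilterValue(filterValue) {
  return aql`FOR t IN ${collection('test')} FILTER t.a == ${filterValue} RETURN t`;
}

// Stand-alone usage
const generated = aql`FOR t IN ${collection('test')} FILTER t.a == ${1} RETURN t`;
console.log(generated.query);    // FOR t IN @@value0 FILTER t.a == @value1 RETURN t
console.log(generated.bindVars); // { '@value0': 'test', value1: 1 }
console.log(queryWithFilterValue('1 || true').bindVars.value1); // '1 || true'
```

In real code the `{ query, bindVars }` object is exactly what `db.query` accepts, so the tag output is passed straight through; what differs between a hand-written query and the template form is only who is responsible for getting the `@@` versus `@` prefixes right.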
