Feature Request: Seperate query from data for easier and safer operations about arangodb HOT 3 CLOSED

@Virock : the separation of the query string and the so-called "bind parameters" is already possible.
For example, in the ArangoShell (arangosh) you could use something like:

db._query("FOR doc IN @@collection FILTER doc.value == @value RETURN doc", { "@collection": "foo", "value": "bar" });

Bind parameters start with @. Single-@ bind parameters are value bind parameters, and bind parameters with two @@ are collection name bind parameters.

The database's HTTP API also supports this separation since the very beginning. On the REST API level, it would look like this:

curl -X POST http://127.0.0.1:8529/_api/cursor --data '{"query":"FOR doc IN @@collection FILTER doc.value == @value RETURN doc", "bindVars": {"@collection": "foo", "value": "bar" }}'

The same separation should also be supported by drivers.

from arangodb.

I think I might not have described the feature properly.
What I'm saying is that, bindings are needed because the query and data are in the same place. The privileged instructions for the database (query) and the data (Potentially dangerous input from users) are in the same place.

If I have data as such:

{
"a": "b"
}

I currently have to add that data into a query and of course, put bindings to avoid AQL injection because the data was placed into the query. I'm trying to say that the initial problem is the fact that the unsafe data was added into the query.

The simple solution is to do what MongoDB did. They separated the data from the query entirely.
This does 2 things.

1. The data (JSON) doesn't need to be changed into anything else anymore. You simply pass the data as is to the system.
2. There is no longer any need for bindings because the data is no longer in a privileged location (query).

I won't need to start writing for loops every time I get a JSON array that needs to be placed into the database.
I would simply write something in the line of:

db.query({
query: "INSERT IN SomeCollection",
data: {
"a": "b",
"c": "INSERT IN ABC"
}
});

Notice the key c has something that looks like AQL injection but it won't matter because it isn't in the query. It's just a string that needs to be placed in the database.

Do you understand my point now?

from arangodb.

@Virock : I think I don't yet get the point.
Doing something like

db._query("FOR doc IN @@collection FILTER doc.value == @value RETURN doc", { "@collection": "foo", "value": "bar" });

in ArangoDB should do exactly that. Whatever value gets put into @@collection here will be interpreted as a collection name parameter. Whatever value gets put into @value will be interpreted as a JSON value (e.g. the string "bar"). None of the bind parameter values can change the meaning of the query.
For example, trying to perform parameter injection such as

db._query("FOR doc IN test FILTER doc.value == @value RETURN doc", { "value": "1 || (INSERT {} INTO test)" });

is pointless exactly because the bind parameter values won't change the meaning of the query in any way.

from arangodb.