Comments (3)
@Virock : the separation of the query string and the so-called "bind parameters" is already possible.
For example, in the ArangoShell (arangosh) you could use something like:
db._query("FOR doc IN @@collection FILTER doc.value == @value RETURN doc", { "@collection": "foo", "value": "bar" });
Bind parameters start with @
. Single-@
bind parameters are value bind parameters, and bind parameters with two @@
are collection name bind parameters.
The database's HTTP API also supports this separation since the very beginning. On the REST API level, it would look like this:
curl -X POST http://127.0.0.1:8529/_api/cursor --data '{"query":"FOR doc IN @@collection FILTER doc.value == @value RETURN doc", "bindVars": {"@collection": "foo", "value": "bar" }}'
The same separation should also be supported by drivers.
from arangodb.
I think I might not have described the feature properly.
What I'm saying is that, bindings are needed because the query and data are in the same place. The privileged instructions for the database (query) and the data (Potentially dangerous input from users) are in the same place.
If I have data as such:
{
"a": "b"
}
I currently have to add that data into a query and of course, put bindings to avoid AQL injection because the data was placed into the query. I'm trying to say that the initial problem is the fact that the unsafe data was added into the query.
The simple solution is to do what MongoDB did. They separated the data from the query entirely.
This does 2 things.
- The data (JSON) doesn't need to be changed into anything else anymore. You simply pass the data as is to the system.
- There is no longer any need for bindings because the data is no longer in a privileged location (query).
I won't need to start writing for loops every time I get a JSON array that needs to be placed into the database.
I would simply write something in the line of:
db.query({
query: "INSERT IN SomeCollection",
data: {
"a": "b",
"c": "INSERT IN ABC"
}
});
Notice the key c has something that looks like AQL injection but it won't matter because it isn't in the query. It's just a string that needs to be placed in the database.
Do you understand my point now?
from arangodb.
@Virock : I think I don't yet get the point.
Doing something like
db._query("FOR doc IN @@collection FILTER doc.value == @value RETURN doc", { "@collection": "foo", "value": "bar" });
in ArangoDB should do exactly that. Whatever value gets put into @@collection
here will be interpreted as a collection name parameter. Whatever value gets put into @value
will be interpreted as a JSON value (e.g. the string "bar"
). None of the bind parameter values can change the meaning of the query.
For example, trying to perform parameter injection such as
db._query("FOR doc IN test FILTER doc.value == @value RETURN doc", { "value": "1 || (INSERT {} INTO test)" });
is pointless exactly because the bind parameter values won't change the meaning of the query in any way.
from arangodb.
Related Issues (20)
- Can't add a index collection contains primary sort different config primary sort of previous indexes to a search-alias view HOT 8
- High Security vulnerability in Runc HOT 1
- Error doing filtered upsert query, comparing the keys of 2 vertexes HOT 2
- Upgrade from 3.11.9-1 to 3.11.10-1 via apt failed HOT 2
- What's solution for adding new sort index to an existed view
- ArangoSearch storedValues: include fields from objects under array, ie. `array[*].field` HOT 2
- Feature request: use MEDIAN() funtion in AGGREGATE statement HOT 6
- Duplicate returned documents when using search-alias view HOT 3
- Can't Update Stored Value/Primary Sorted Fields and Low AQL Query Speed from a View That Being Inserted in Parallel
- Can't Update Stored Value/Primary Sorted Fields and Low AQL Query Speed from a View That Being Inserted in Parallel
- Arango stalls, fails to process any query and even a restart doesn't help HOT 1
- Critical Security Vulnerabilities in Latest version of Arango Db HOT 5
- ArangoSearch: "AQL: too many collections/shards (while optimizing plan)" HOT 3
- AQL Analyzer with number return type gives odd results when getting tokens HOT 2
- WebUI feature request
- ArangoDB Version: 3.12.1 | java.lang.NumberFormatException: For input string: "" HOT 2
- AQL join query returning results when it should return an empty set HOT 23
- Docker build, entering password fails HOT 1
- No longer able to delete queries in the WebUI Queries library HOT 2
- Projections of edges in path in graph traversal does not contain specified fields HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from arangodb.