Writing queries

Any values passed via interpolation (i.e. using the ${expression} syntax)are passed to ArangoDB asAQL bind parameters,so you don’t have to worry about escaping them in order to protect againstinjection attacks in user-supplied data.

The result of the executed query is.You can extract all query results using the toArray() method orstep through the result set using the next() method.

You can also consume a cursor with a for-loop:

const cursor = query`
  FOR i IN 1..5
  RETURN i
`;
for (const item of cursor) {
  console.log(item);
}

When working with collections in your service you generallywant to avoid hardcoding exact collection names. But if you pass acollection name directly to a query it will be treated as a string:

// THIS DOES NOT WORK
const users = module.context.collectionName("users");
// e.g. "myfoxx_users"
const admins = query`
  FOR user IN ${users}
  FILTER user.isAdmin
  RETURN user
`.toArray(); // ERROR

Note that you don’t need to use any different syntax to usea collection in a query, but you do need to make sure the collection isan actual ArangoDB collection object rather than a plain string.

In addition to the query template tag, ArangoDB also providesthe aql template tag, which only generates a query objectbut doesn’t execute it:

const { db, aql } = require("@arangodb");
const max = 7;
const query = aql`
  FOR i IN 1..${max}
  RETURN i
`;

You can also use the db._query method to execute queries usingplain strings and passing the bind parameters as an object:

// Note the lack of a tag, this is a normal string
  FOR user IN @@users
  FILTER user.isAdmin
  RETURN user
`;
const admins = db._query(query, {
  // We're passing a string instead of a collection
  // because this is an explicit collection bind parameter
  // using the AQL double-at notation
  "@users": module.context.collectionName("users")
}).toArray();

Note that when using plain strings as queries ArangoDB providesno safeguards to prevent accidental AQL injections:

If you need to insert AQL snippets dynamically, you can still usethe query template tag by using the aql.literal helper function tomark the snippet as a raw AQL fragment:

const filter = aql.literal(
  adminsOnly ? 'FILTER user.isAdmin' : ''
);
const result = query`
  FOR user IN ${users}
  ${filter}
  RETURN user
`.toArray();

Both the query and aql template tags understand fragments markedwith the aql.literal helper and inline them directly into the queryinstead of converting them to bind parameters.

Note that because the aql.literal helper takes a raw string as argumentthe same security implications apply to it as when writing raw AQL queriesusing plain strings:

// Malicious user input where you might expect a condition
const evil = "true REMOVE u IN myfoxx_users";
const filter = aql.literal(`FILTER ${evil}`);
const result = query`
  ${filter}
  RETURN user
`.toArray();
// Actual query executed by the code:
// FOR user IN myfoxx_users
// FILTER true
// REMOVE user IN myfoxx_users
// RETURN user

A typical scenario that might result in an exploit like this is takingarbitrary strings from a search UI to filter or sort results by a field name.Make sure to restrict what values you accept.

However to and make the queries more reusable,it’s often a good idea to move them out of your request handlersinto separate functions, e.g.:

// in queries/get-user-emails.js
"use strict";
const { query, aql } = require("@arangodb");
const users = module.context.collection("users");
module.exports = (activeOnly = true) => query`
  FOR user IN ${users}
  ${aql.literal(activeOnly ? "FILTER user.active" : "")}
  RETURN user.email
`.toArray();
// in your router
const getUserEmails = require("../queries/get-user-emails");
router.get("/active-emails", (req, res) => {
  res.json(getUserEmails(true));
});
router.get("/all-emails", (req, res) => {