我的书签
添加书签
移除书签Writing queries
Any values passed via interpolation (i.e. using the ${expression} syntax)are passed to ArangoDB as,so you don’t have to worry about escaping them in order to protect againstinjection attacks in user-supplied data.
The result of the executed query isan ArangoDB array cursor.You can extract all query results using the toArray() method orstep through the result set using the next() method.
You can also consume a cursor with a for-loop:
const cursor = query`FOR i IN 1..5RETURN i`;for (const item of cursor) {console.log(item);}
When you generallywant to avoid hardcoding exact collection names. But if you pass acollection name directly to a query it will be treated as a string:
// THIS DOES NOT WORKconst users = module.context.collectionName("users");// e.g. "myfoxx_users"const admins = query`FOR user IN ${users}FILTER user.isAdminRETURN user`.toArray(); // ERROR
Note that you don’t need to use any different syntax to usea collection in a query, but you do need to make sure the collection isan actual ArangoDB collection object rather than a plain string.
In addition to the query template tag, ArangoDB also providesthe aql template tag, which only generates a query objectbut doesn’t execute it:
const { db, aql } = require("@arangodb");const max = 7;const query = aql`FOR i IN 1..${max}RETURN i`;
You can also use the db._query method to execute queries usingplain strings and passing the bind parameters as an object:
// Note the lack of a tag, this is a normal stringFOR user IN @@usersFILTER user.isAdminRETURN user`;const admins = db._query(query, {// We're passing a string instead of a collection// because this is an explicit collection bind parameter// using the AQL double-at notation"@users": module.context.collectionName("users")}).toArray();
Note that when using plain strings as queries ArangoDB providesno safeguards to prevent accidental AQL injections:
If you need to insert AQL snippets dynamically, you can still usethe query template tag by using the aql.literal helper function tomark the snippet as a raw AQL fragment:
const filter = aql.literal(adminsOnly ? 'FILTER user.isAdmin' : '');const result = query`FOR user IN ${users}${filter}RETURN user`.toArray();
Both the query and aql template tags understand fragments markedwith the aql.literal helper and inline them directly into the queryinstead of converting them to bind parameters.
Note that because the aql.literal helper takes a raw string as argumentthe same security implications apply to it as when writing raw AQL queriesusing plain strings:
// Malicious user input where you might expect a conditionconst evil = "true REMOVE u IN myfoxx_users";const filter = aql.literal(`FILTER ${evil}`);const result = query`${filter}RETURN user`.toArray();// Actual query executed by the code:// FOR user IN myfoxx_users// FILTER true// REMOVE user IN myfoxx_users// RETURN user
A typical scenario that might result in an exploit like this is takingarbitrary strings from a search UI to filter or sort results by a field name.Make sure to restrict what values you accept.
However to help testability and make the queries more reusable,it’s often a good idea to move them out of your request handlersinto separate functions, e.g.:
// in queries/get-user-emails.js"use strict";const { query, aql } = require("@arangodb");const users = module.context.collection("users");module.exports = (activeOnly = true) => query`FOR user IN ${users}${aql.literal(activeOnly ? "FILTER user.active" : "")}RETURN user.email`.toArray();// in your routerconst getUserEmails = require("../queries/get-user-emails");router.get("/active-emails", (req, res) => {res.json(getUserEmails(true));});router.get("/all-emails", (req, res) => {
