Feature Request: Separate query from data for easier and safer operations #20879
Comments
@Virock: the separation of the query string and the so-called "bind parameters" is already possible.
Bind parameters start with The database's HTTP API also supports this separation since the very beginning. On the REST API level, it would look like this:
The same separation should also be supported by drivers.
I think I might not have described the feature properly. If I have data as such:
I currently have to add that data into a query and of course, put bindings to avoid AQL injection because the data was placed into the query. I'm trying to say that the initial problem is the fact that the unsafe data was added into the query. The simple solution is to do what MongoDB did. They separated the data from the query entirely.
I won't need to start writing for loops every time I get a JSON array that needs to be placed into the database.
Notice the key c has something that looks like AQL injection but it won't matter because it isn't in the query. It's just a string that needs to be placed in the database. Do you understand my point now?
@Virock: I think I don't yet get the point.
in ArangoDB should do exactly that. Whatever value gets put into
is pointless exactly because the bind parameter values won't change the meaning of the query in any way.
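To make the maintainer's point concrete, here is an added example (not from this issue thread or the ArangoDB project) covering both the REST-level separation described in the first reply and the statement above that bind values cannot change the meaning of the query. It builds the body of a `POST /_api/cursor` request in which the AQL text is a constant and the whole JSON array travels as the bind parameter `@docs`, and contrasts that with the loop-and-interpolate pattern the feature request wants to avoid. The endpoint name and the `@docs` / `@@collection` bind-parameter syntax are standard ArangoDB; the sample records, the value in key `c`, and the helper function names are constructed for this example.

```python
import json

# Constructed sample input (not from the issue): a JSON array of records to
# store. The "c" value of the second record looks like an AQL fragment, but
# it is only data and must end up stored verbatim.
SAMPLE_DOCS = [
    {"a": 1, "b": "hello"},
    {"a": 2, "c": '" RETURN 1 //'},
]


def unsafe_insert_statements(collection, docs):
    """Anti-pattern: loop over the records and splice each field value into
    the query text. A quote inside a value now alters the AQL program, which
    is exactly the condition that makes injection possible."""
    statements = []
    for doc in docs:
        fields = ", ".join('"%s": "%s"' % (k, v) for k, v in doc.items())
        statements.append("INSERT { %s } INTO %s" % (fields, collection))
    return statements


def cursor_request(collection, docs):
    """Safe form: the JSON body of a POST /_api/cursor request. The query
    text is a constant. The array of records is the value bind parameter
    @docs and the target collection is the collection bind parameter
    @@collection (bindVars key "@collection")."""
    return {
        "query": "FOR doc IN @docs INSERT doc INTO @@collection",
        "bindVars": {"@collection": collection, "docs": docs},
    }


def values_leak_into_query(query_text, docs):
    """Defensive check: does any string value from the data appear inside
    the query text? True means instructions and data were mixed."""
    return any(
        isinstance(v, str) and v in query_text
        for doc in docs
        for v in doc.values()
    )


def wire_body(collection, docs):
    """Serialize the request as it would go over HTTP. The driver does not
    escape anything itself; JSON encoding carries the quotes as data."""
    return json.dumps(cursor_request(collection, docs))


if __name__ == "__main__":
    for stmt in unsafe_insert_statements("users", SAMPLE_DOCS):
        print("UNSAFE:", stmt)
    print("SAFE  :", wire_body("users", SAMPLE_DOCS))
```

The `values_leak_into_query` check is the property the maintainer is relying on: with the bind-parameter form the query text is fixed at development time, so no record content can reach the parser as AQL, and no per-record loop is needed on the client side because the array is handed over as one bind value.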
I'm trying to add this issue as a feature request but I don't see any button I could click to mark it as such. This is not a bug report. It's a feature request.
My Environment
Component, Query & Data
Affected feature:
AQL query with driver
AQL query (if applicable):
AQL explain and/or profile (if applicable):
N/A
Dataset:
Size of your Dataset on disk:
N/A
Replication Factor & Number of Shards (Cluster only):
N/A
Steps to reproduce
Problem:
I have to convert the JSON array (already formatted data) into a query string while creating bindings to avoid injection attacks.
Expected result:
Wouldn't it be much better to handle this the way MongoDB does?
The query and the data should be separated.
Instead of passing a query (which includes the instructions for the database from the developer and the data, which is untrusted information from a potential bad actor) and bindVars arguments to the driver (the entire reason for bindings is that the data and instructions are in the same place), wouldn't it be better to pass a query (only instructions for the database) and data (JSON)?
So, I'll be able to insert data like so: