node.js - Database Exposure: Best Practices
I'm a relatively new web programmer, and I'm working on my first major project. I'm using Angular, Express (on top of Node), and the graph database Neo4j. Right now I'm trying to determine the best way (in terms of security and speed optimization) to set up how the web app interacts with the database.
Right now I feel like I'm going at it blindly. I'm looking for a guide of best practices, security issues to take into account, and any other relevant advice or pitfalls to be aware of when setting up a web app backend.
To put it in slightly more concrete terms, I'll give an idea of how I'm setting up routes right now. The following routes are set up in the app.js file.
```javascript
var express = require('express');
var app = express();
// Module exporting the database functions (createContent, addImage, getContent, ...); assumed path
var database = require('./database');

// Match database query functions
function dataQuery(req, res) {
  var func = database[req.params.query];
  // Guard against an unknown name, which would otherwise throw a TypeError
  if (typeof func !== 'function') { return res.status(404).send(); }
  func(req, res);
}

// Match database create functions
function dataCreate(req, res) {
  var func = database[req.params.create];
  if (typeof func !== 'function') { return res.status(404).send(); }
  func(req, res);
}

// Handle data queries
app.get('/query/:query', dataQuery);
// Handle adding new content
app.post('/create/:create', dataCreate);
```
Essentially I have set it up so that a POST or GET goes to a URL and executes a function. I'm naming the function I want to run in the URL: /query/thenameofthefunction. These functions then go and either build a Cypher query (Neo4j's query language) using information in the request to interact with the database, or handle things like adding user-uploaded images.
Example: creating content (URL: /query/createContent)
```javascript
// Neo4j connection set up elsewhere; the driver is not named in the question (assumed module path)
var db = require('./db');

exports.createContent = function (req, res) {
  var content = JSON.parse(req.query.content);
  // Template query; the user-supplied values are dropped straight into the query text
  var query = "CREATE (n:Content {title: {title}, url: {url}, description: {description}, " +
              "source: {source}, links: {links}, value: {valuestatement} })";
  query = query.replace("{title}", "\"" + content.title + "\"");
  query = query.replace("{url}", "\"" + content.url + "\"");
  query = query.replace("{description}", "\"" + content.description + "\"");
  query = query.replace("{source}", "\"" + content.source + "\"");
  query = query.replace("{links}", "\"" + content.links + "\"");
  query = query.replace("{valuestatement}", "\"" + content.valuestatement + "\"");
  db.query(query, function (err, results) {
    // Return after the error response so the handler does not send twice
    if (err) { return res.status(500).send(); }
    res.send();
  });
};
```
Here I've got a template query, and I drop in the user-generated information using replace.
Example: adding images to the server (URL: /create/addImage)
```javascript
var fs = require('fs');
var request = require('request');

exports.addImage = function (req, res) {
  var url = req.query.url;
  var filename = req.query.filename;
  console.log(req.query);
  // Fetch the remote image and stream it into the submitted-content directory
  request(url).pipe(fs.createWriteStream("./img/submittedcontent/" + filename));
  res.send();
};
```
It seems like this approach is not scalable, and I'm not sure how best to organize the code on the server side.
One other specific example I'll mention is the following case. The query is complicated, and I've pushed creating it to the client side (the query looks for content related to terms the user has selected and varies in length accordingly). The client sends the query it created, and it is passed to the Neo4j API. There are concerns here: if the user is able to define the query, they could perform any action on the database (deleting or whatever). I'm not clear on how one would go about doing that exactly, but it seems feasible.
```javascript
exports.getContent = function (req, res) {
  var query = req.query.query;
  // Would checking a black/white list of key terms be enough security? (remove, create, set, etc.)
  db.query(query, function (err, results) {
    // Was `throw err`; throwing inside the async callback would crash the process
    if (err) { return res.status(500).send(); }
    res.send(results);
  });
};
```
Am I going about this stuff in a wrong-headed way? I've never gotten a formal introduction to server-side scripting, and I'm going off of things I've read. If there is a 'right way', I need to know that way first...
Just some random pointers:
- I suggest setting up a RESTful web API to handle communication between Angular and the database; it takes the hassle out of having to invent routes, and it means you can use great libraries like Restangular (for the client) and Restify (for the server) to handle the communications;
- Not sure which Neo4j driver you're using, but I'm pretty sure it supports parameterized queries, meaning you don't need the query.replace() calls;
- Depending on the number of images that might be uploaded, storing them in the filesystem might be okay, although you should never trust the passed filename; if you want a bit more scalability, consider using MongoDB's GridFS;
- Never trust queries being passed from the client to be performed on the server; if you can build the query on the client side, you can build it on the server side from the information passed from the client to the server (again, use parameterized queries);
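As an added example (not the asker's or answerer's code, and not any driver's own API), here is the createContent handler from the question rebuilt the way the parameterized-query and fixed-routes pointers suggest: the Cypher text is a constant, the values travel in a params object, and handlers are looked up in an explicit table instead of whatever module property the URL names. It assumes `req.body` is already-parsed JSON (e.g. via a body parser) and that `db.query(cypher, params, callback)` is the driver call; the field names come from the question.

```javascript
// Fields the client may supply; anything missing or non-string is rejected.
var CONTENT_FIELDS = ['title', 'url', 'description', 'source', 'links', 'valuestatement'];

// Fixed statement using the {name} parameter syntax the question's queries use
// (Neo4j 4+ prefers $name). Values travel in `params`, never in the text.
var CREATE_CONTENT_CYPHER =
  'CREATE (n:Content {title: {title}, url: {url}, description: {description}, ' +
  'source: {source}, links: {links}, value: {valuestatement}}) RETURN id(n) AS id';

// Pick exactly the expected fields from the parsed body and validate them.
// Returns {ok: true, params} or {ok: false, error}.
function buildCreateContentParams(body) {
  if (!body || typeof body !== 'object') return { ok: false, error: 'body must be an object' };
  var params = {};
  for (var i = 0; i < CONTENT_FIELDS.length; i++) {
    var f = CONTENT_FIELDS[i], v = body[f];
    if (typeof v !== 'string' || v.length === 0 || v.length > 2000) {
      return { ok: false, error: 'invalid field: ' + f };
    }
    params[f] = v;
  }
  return { ok: true, params: params };
}

// Handler factory. `db` is assumed to expose db.query(cypher, params, callback);
// injecting it lets the handler be exercised without a running Neo4j instance.
function makeCreateContent(db) {
  return function createContent(req, res) {
    var built = buildCreateContentParams(req.body);
    if (!built.ok) return res.status(400).send({ error: built.error });
    db.query(CREATE_CONTENT_CYPHER, built.params, function (err, results) {
      if (err) return res.status(500).send({ error: 'database error' });
      res.status(201).send(results);
    });
  };
}

// Handlers are looked up in a fixed table of our own functions rather than in
// a module object keyed by a URL segment, so a client cannot reach inherited
// properties or helpers that were never meant to be routes.
function makeDispatcher(handlers) {
  return function dispatch(name, req, res) {
    if (!Object.prototype.hasOwnProperty.call(handlers, name)) {
      return res.status(404).send({ error: 'unknown action' });
    }
    return handlers[name](req, res);
  };
}
```

Wire it up with `app.post('/create/:create', function (req, res) { dispatch(req.params.create, req, res); })`, where `dispatch` comes from `makeDispatcher({ createContent: makeCreateContent(db) })`.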