think-qs v1.0.1
think-qs
Uses the qs module to parse query and POST data, with support for array and object values. For example, the string 'foo[bar]=baz' converts to:
    foo: {
      bar: 'baz'
    }
Installation
    npm install think-qs
think-qs needs thinkjs version >=3.2.2.
How to use
In the config file src/config/middleware.js (in multi-module mode, the file is src/common/config/middleware.js), add the middleware after payload:
    const qs = require('think-qs');
    module.exports = [
      // ... other middleware
      {
        handle: 'payload'
      },
      {
        handle: qs,
        options: {
        }
      }
    ];
Once configured, you can get array and object values through this.get or this.post in a controller.
options
This middleware supports the following options:
query: true, enables using qs to parse the querystring
post: true, enables using qs to parse post data
You can find more options at https://github.com/ljharb/qs.
Security
If you use this middleware, you must be careful about security. Some ORMs support arrays and objects in where conditions, which may cause SQL injection.
    // http://docs.sequelizejs.com/manual/tutorial/querying.html
    Post.findAll({
      where: {
        id: this.get('id')
      }
    });
Here we expect id to be an integer, but when the URL is /pathname?id[$gt]=6, the id value is an object:
    {
      $gt: 6
    }
The where condition is then not what we intended, which causes SQL injection. You can configure logic to resolve this security problem.
    module.exports = class extends think.Logic {
      indexAction() {
        this.rules = {
          id: {
            int: true
          }
        };
      }
    };
You can get more information about logic from https://thinkjs.org/zh-cn/doc/3.0/logic.html.
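The type confusion described in the Security section, shown as an added example that is not part of think-qs or ThinkJS. parseQuery is a simplified stand-in for qs bracket parsing (one nesting level only), and requireInt and buildWhere are hypothetical helpers; the query strings are constructed.

```javascript
// Simplified stand-in for qs: handles key=value, key[]=value and key[sub]=value.
function parseQuery(search) {
  const out = Object.create(null); // no prototype, so "__proto__" is just a key
  for (const [rawKey, value] of new URLSearchParams(search)) {
    const m = /^([^\[\]]+)\[([^\[\]]*)\]$/.exec(rawKey);
    if (!m) {
      out[rawKey] = value;
      continue;
    }
    const [, name, sub] = m;
    if (sub === '') {
      // id[]=1&id[]=2 becomes an array
      if (!Array.isArray(out[name])) out[name] = [];
      out[name].push(value);
    } else {
      // id[$gt]=6 becomes an object whose key is attacker-chosen
      const cur = out[name];
      const isPlainObject = typeof cur === 'object' && cur !== null && !Array.isArray(cur);
      if (!isPlainObject) out[name] = Object.create(null);
      out[name][sub] = value;
    }
  }
  return out;
}

// Accept only a string of decimal digits; objects, arrays and undefined are rejected
// before the value can reach an ORM where clause.
function requireInt(value) {
  if (typeof value !== 'string' || !/^-?\d+$/.test(value)) {
    throw new TypeError('expected an integer');
  }
  const n = Number(value);
  if (!Number.isSafeInteger(n)) throw new TypeError('integer out of range');
  return n;
}

// Hypothetical helper: builds the where condition only from a validated scalar.
function buildWhere(query) {
  return { id: requireInt(query.id) };
}
```

With this check in front of the ORM call, /pathname?id=6 yields { id: 6 }, while /pathname?id[$gt]=6 and /pathname?id[]=1 are rejected with a TypeError.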
8 years ago