Can be used to assign a value to a variable which can be used within a query.
Variable can be created with QUERY privileges since they do not modify
the collection’s data.
To create a variable, just assign a value to a valid name.
Some valid examples:
_ = ...tmp = ...var1 = ...Variables created within a closure become local. They can only be used within the closure body. See the example below:
a = 'This is a variable!!!';
b = 'Hello';
(||{
/* This will create a new, local, variable `a` */
a = 'New variable within this block';
/* This will update the global variable `b` */
b += ' World';
}).call();
[a, b];
Return value in JSON format
[
"This is a variable!!!",
"Hello World"
]
When running a query to ThingsDB, it is possible to inject variables into the code. This is easy, safe, and in some cases even necessary when for example inserting binary data.
Python example:
# inject a variable into the code:
client.query('.a = a;', a=1)
Consider you have some user input which is supposed to contain a name, and you want to store that name in ThingsDB.
# Variable `user_input` is supposed to contain a name like `Bob`
client.query(f'.name = "{user_input}";')
Instead of a name, a user could insert something like this: Bob"; .XXX = "This system is hacked!. This would result in the following query statement:
.name = "Bob"; .XXX = "This system is hacked!";
This is very dangerous and definitely not what we want but luckily ThingsDB has a simple solution: variable injection
client.query('.name = inp;', inp=user_input)
Using variable injection we can parse user input in a safe and secure way to ThingsDB.