Am building an api using express and node.js.
I'm working on basic validation and want to verify items being passed in exist and are safe (done in addition to validation on client side).
So i have teh following:
router.post('/register', function(req, res) {
for (var itemsFromBody in req.body){
console.log(itemsFromBody);
}
However when i check the console all i see are the names of the Keys e.g. username, email etc, not the values themselves.
How do i obtain those?
Also I'll be doing validation on those eg making sure its not empty - do i need to follow a simple if-then statement or is there some nice npm package that exists that allows me to verify?
Thanks!
for (var itemsFromBodyIndex in req.body){
if (req.body.hasOwnProperty(itemsFromBodyIndex)) {
console.log(req.body[itemsFromBodyIndex]);
}
}
This should work !
Useful links:
https://developer.mozilla.org/fr/docs/Web/JavaScript/Reference/Instructions/for...in
https://developer.mozilla.org/fr/docs/Web/JavaScript/Reference/Objets_globaux/Object/hasOwnProperty
And what about an error catcher into the loop if all of your fields are required ?
for (var itemsFromBodyIndex in req.body){
if (req.body.hasOwnProperty(itemsFromBodyIndex)) {
console.log(req.body[itemsFromBodyIndex]);
if(req.body[itemsFromBodyIndex] == null){
// handle empty field
}
}
}
The for -- in will only give you keys, as you noticed above. You need to use those keys to get the values
for (var itemsFromBody in req.body){
console.log("Key: " + itemsFromBody + " Value: " + req.body[itemsFromBody]);
}
Related
Here is my goal :
Send an email through my interface with a custom value (Imagine, orderNumber186) then use it to filter all mails send or received by this value.
for example, I have a mail address with an icon, dans when I click on it I can see all discution with him, concerning the command (or whatever) that I'm on.
Exemple of a popup with mail info
If I'm on the order number 186, il click to the icon next to the mail and I see this popup with all mail received and send concerning this order precisely (Even the name or number is not mentionned, so not just a search query).
I consulted many documents from Microsoft as well as the forum, and this is all tests I carried out, with their advantages and problems :
internetMessageHeaders (example 2 form Microsoft doc, send mail)
With this solution, I can send a mail with my custom var easily, but it's impossible to get filtered mail with it, as it's said in this post.
Despite of it, I managed to filter myself, with foreach like this :
var listMail = [];
try {
//Look in all mails if they has an internetMessageHeaders with a name corresponding to var filterName
Providers.globalProvider.graph.client
.api("/me/mailFolders/SentItems/messages?$select=internetMessageHeaders")
.get((err, res) => {
if(err == null){
//Look if they are parameters
res.value.forEach(parameters => {
if(parameters.internetMessageHeaders != undefined){
//console.log(parameters);
//If Yes, loop for each internetMessageHeaders values to see if they have a corresponding name, then stock it inside a listMail array
parameters.internetMessageHeaders.forEach(element => {
if(element.name == filterName){
Providers.globalProvider.graph.client
.api("/me/messages/"+parameters.id)
.get((err, res) => {
listMail.push(res);
});
}
});
}
});
}
else {
console.log(err);
}
});
console.log('Email List => ', listMail)
}
catch (error) {
throw error;
}
So with this method, I can get all mail that contain internetMessageHeaders values.
Now, the problem :
For optimization, we definitely can't filter all mails to get mails that contain custom var, then fetch again to get the mail and store it in an handmade array, the best way is to do it with one query, to directly have all mails concerned.
For this, I've search about a second solution : singleValueLegacyExtendedProperty
I've found how to send mail with it, and even how to recover it.
When I use it, it work great when I fetch this request :
GET https://graph.microsoft.com/v1.0/me/mailFolders/SentItems/messages?$filter=singleValueExtendedProperties/any(ep:ep/id eq 'String {66f5a359-4659-4830-9070-00047ec6ac6e} Name MyName' and contains(ep/value, 'MyVar'))
My problem with this method, is that I can see all mail send, but if the client respond directly to the mail (By outlook for exemple), my var just disappear.
I think that it's not the case with x-var (internetMessageHeaders), but I'm stuck on it too.
So, my question is simple :
How to set a custom value to a mail, then filter all of it just by is custom value ?
Ideally, internetMessageHeaders is perfect, I just need to filter on it with a microsoft graph query directly.
Thank you for any help
I am trying to get the name, value field as cookies using loop. in my app.get method and then posting the field values in app.post method, I am using expressjs.
Can please anybody check the 'for loop' below and see my commented lines and brighten my knowledge on how to achieve the email field.
Please also check my uploaded image for UI.
var cookies = [];
if (req.cookies) {
for (var cookieName in req.cookies) {
var cookieValue = req.cookies[cookieName];
// var cookieEmail = req.cookies[cookieValue]; //I dont see my email being posted to server
cookies.push({ name: cookieName, value: cookieValue });
// cookies.push({ name: cookieName, value: cookieValue, email: cookieEmail });
}
}
The req.cookies is a JSON object. When looping over A javascript object you have to be careful you do not grab prototype data.
Take a look at this post here.
https://stackoverflow.com/a/684692/10067782
I am building a slack copy cat app for practice and want to implement the ability for users to create their own messaging space. When creating a message space, a unique key is created and stored to my database. My plan is to use these unique keys to serve the same html page that has the messaging functionality. In theory this would work, but I am having trouble retrieving the keys AND using them to route to my message.html file. Is there a way to run my server, retrieve the keys and store them to a global variable THEN route to the html page? I'm using Node, Express and MongoDB.
Here is what my code looks like on the back end to retrieve the keys:
var dbKeys = [];
db.messageSpaces.find({}, {"_id": 0, "name": 0}, function(error, data) {
if (error) {
console.log(error);
}
else {
for (var i = 0; i < data.length; i++) {
dbKeys.push(data[i].key);
}
}
});
And how I am attempted to route them:
for (var i = 0; i < dbKeys.length; i++) {
app.get(`/${dbKeys[i]}`, function(req, res) {
res.sendFile(path.join(__dirname, "public/message.html"));
});
}
I think I would use a single call to app.get and use one of the techniques described in https://expressjs.com/en/guide/routing.html#route-parameters to perform basic validation of the format. Perhaps something like this:
app.get('/:id([a-z0-9]{16})', function(req, res) {
console.log(req.params.id);
});
The above assumes that an id is 16 characters long and consists of lowercase letters and numbers only.
You would then check whether the message space id corresponds to a real message space inside the get handler. If it doesn't you could either handle the error or pass it on down the middleware chain by calling next() (you would need to add next as an argument to your handler for that to work).
I am using sockets.io to insert user-generated messages into MySQL, but I'm running into issues inserting records with an apostrophe. I've been trying to use the replace() method on the client side script, but the input text is passing with the apostrophe.
socket.on('refresh feed',function(msg){
str=msg.replace("'", "\'");
alert(str);
$("#chtxt").append(str + '<br />');
});
The above attempt will alert any string without the special character, but does not alert when it exist. I believe that I'm actually alerting after the message has been sent to sockets.
So, I tried adapting this code which watches for the enter key press to also watch for the apostrophe, with no luck there either.
$('#omnibox').keypress(function (e) {
var key = e.which;
if(key == 13) // the enter key code
{
$('input[name = "clicky"]').click();
return false;
}
if(key == 222) // the apostrophe key code
{
alert('Apostrophe!')
return false;
}
});
I researched the question of how to replace special characters for MySQL using javascript but found outdated stacks explaining why client-side validation for this is not a good idea.
That's fine. If I shouldn't do this client side, I need to know then how to do it in my server.js node script, then. It is still javascript, so a solution on either side, provided it's secure would be great.
Server-side code:
var add_status = function (status,callback) {
pool.getConnection(function(err,connection){
if (err) {
callback(false);
return;
}
connection.query("INSERT INTO `videosub` (`url`) VALUES ('"+status+"')",function(err,rows){
connection.release();
if(!err) {
callback(true);
}
});
connection.on('error', function(err) {
callback(false);
return;
});
});
}
Thanks!
Don't do it
You are asking about the wrong solution to the problem.
To replace the apostrophes with backslash-apostrophes you might use:
str = msg.replace(/'/g, '\\\'');
but you should not do that. I am only providing that info because that's what your question asks about but read below.
Why it's a bad idea
You shouldn't do it on the client side and you shouldn't do in on the server side either. If avoiding SQL injection vulnerabilities was a simple matter of replacing apostrophes with backslash-apostrophes then it wouldn't be an issue. Unfortunately it's more complicated.
Having the info that you provided it's even impossible to tell whether backslash-apostrophe would even do what you expect in the first place without seeing your code that actually makes the database queries. But it doesn't matter because you should never ever do that. Never. See those answers to see why - those questions are not about SQL injections but the code examples included SQL injection vulnerabilities and the answers explain it:
cannot use backtick when using nodejs 7.3.0
Node js - Promise Rejection Warning when process a lot of data
Is it possible to listen for object instantiation in Node.js?
Obligatory comic strip
What you should do instead
That having been said, you didn't tell what module you're using to query the database but no matter if you're using the mysql module or Sequelize or anything worth its salt, there should always be a mechanism of interpolating variables in a safe manner without manually escaping and concatenating the strings.
Examples
You didn't show even a single line of code that is relevant here so I cannot tell you how to fix it but consider this example:
Unsafe:
connection.query(
"SELECT * FROM player WHERE nick = '"
+ data.login + "' AND pass = '" + data.pass + "'",
function (err, rows) {
//...
}
);
Still unsafe, complex, unreadable, unmaintainable and unreliable:
connection.query(
"SELECT * FROM player WHERE nick = '"
+ data.login.replace(/'/g, '\\\'') + "' AND pass = '" + data.pass.replace(/'/g, '\\\'') + "'",
function (err, rows) {
//...
}
);
Safe and simple:
connection.query(
"SELECT * FROM player WHERE nick = ? AND pass = ?", [data.login, data.pass],
function (err, rows) {
// ...
}
);
More info
For more info see the docs:
https://www.npmjs.com/package/mysql
http://docs.sequelizejs.com/en/v3/
I am using Getstream.io nodejs module.
I am creating feeds at run time and want to know if there is a way to delete a feed through code?.
I see in the code base that there is a delete interface but when I looked in to RESTFul API documentation, I did not find any end point to delete a feed.
But when I look at Ruby documentation, I see that there is way to delete a feed.
Please let me know how can I achieve deleting a feed in getstream.io from nodejs
I was able to delete a feed using nodejs. It is just a hack but it will work.
But remember that deleting a feed means, it deletes all the activities from the feed. The feed still exists and can be seen through databrowser. The follow/following relationship still exists.
DeleteFeed = function(params,callback){
if (params.feedId) {
var feed = client.feed(params.feedType, params.feedId);
//remove followings
feed.following({limit:25,offset:0},function(err,r){
if (!err) {
for (var i = 0; i < r.body.results.length; i++) {
var tempFeed = r.body.results[i].target_id.split(':');
feed.unfollow(tempFeed[0], tempFeed[1]);
}
}
});
// do something similar as followings for followers
//(I did not have to worry about it hence did not write any code)
client.delete({
url: "feed/" + params.feedType + "/" + params.feedId + "/",
signature: feed.signature
}, function (e, r) {
//DO NOTHING
//console.log("Error -- " + e);
//console.log("Result -- " + JSON.stringify(r,null,2));
});
}
};
The delete operation is currently not supported by the nodejs client library. There is an api endpoint that supports this operation: feed, but the delete operation is not documented on the REST docs. You can delete feeds from the databrowser on the getsream.io dashboard.
You can achieve such thing by doing doing the logical delete behavior by:
modeling the feeds design to have a logical delete
use as must TO field as possible, so you can remove all activities of feeds added by To targeting field automatically
consider a follow feed design. Instead of remove activities you can just unfollow the deleted feed
map the foreign_id field properly in order of batching delete