This page is not created by, affiliated with, or supported by Slack Technologies, Inc.
2015-08-24
(GET "/api/group/:id/children" [id] (do (println "a" id (d/pull (d/db conn) '[*] id)) ...)) Guys, what's the catch? The route takes the GET parameter id and it is not empty, but d/pull gets even the score or anything. If you replace id in the code with a real id from the database, then it all works
wrap id with (Long. id) and it should be good
also, be aware it’s not advisable to use internal entity ids as external identifiers
@robert-stuttaford: But what about a tree-like data structure whose leaves refer to similar entities?
the entity ids are not guaranteed to be stable between database backup/restore. tcrayford knows the details
if you want to keep a reference to an entity, you should use one of your own making
lookup refs make this pretty straightforward to do
obviously you're still fine doing a pull from that - if you avet it and use a lookup ref it's real easy
in other news, I think I figured out how to do "injection" (like sql injection) to datomic, iff you have external endpoints that accept EDN or transit
@tcrayford: I have?)
@a.espolov: oh, you have EDN endpoints that point at datomic?
but tldr: (d/q [:find WHATEVER :in $ ?id [?id :some/attribute whatever]] db id) - if id comes from EDN, can't you just pass this EDN string: {:id (d/q WHATEVER_QUERY_YOU_WANNA_DO_FOR_INJECTION $)}
reminder about "blind" database injection as well - even if you never display results of the query you can still work out the entire database
@tcrayford: is it sql injection is not requests to add/update records in the database?
@tcrayford: I do not understand correctly d/q-besides result set could execute insert/update?
but even so, an attacker can query literally every entity/attribute/value in your db, which is quite a big deal
@tcrayford: but it is when a request is going to fly, rather than rigidly prescribed to each endpoint
tcrayford: your example query is missing :where. you wouldn’t be able to inject arbitrary clauses like that
@robert-stuttaford: haha yeah. Just pretend it has it ;)
@robert-stuttaford: "if you want to keep a reference to an entity, you should use one of your own making" What options are there to save a reference to the entity?)
for example, make your own uuid attr and use that in your urls
Is it possible to make a transaction where it will do nothing (be a no-op) if the lookup-ref is invalid and returns no matching entity?
Where that'll work if maybe-email has a match but no-op (without throwing an exception) if it doesn't?
where your goal is to avoid having a "nothing happened" transaction?
as far as I am aware there is not a way w/o the throwing of exception - are you just annoyed by the empty transaction?
@sdegutis: I would just wrap in try/catch and have the catch block be empty
and only catch that particular exception, maybe rethrow if another exception occurs
[:find ?e ?a ?v ?op :in $ ?txid :where [?e ?a ?v ?txid ?op]] ;; something like that via a query (excuse typos)
or use the log directly http://docs.datomic.com/log.html
(d/q '[:find ?e :in $ ?tx :where [?e ?tx ?op]] db txid) Exception Insufficient bindings, will cause db scan datomic.datalog/fn--6468 (datalog.clj:368)