#datomic
2015-08-24
a.espolov09:08:42

(GET "/api/group/:id/children" [id] (do (println "a" id (d/pull (d/db conn) '[*] id)) ...)) Guys, what's the catch? The route takes the GET parameter id and it is not empty, but d/pull gets even the score or anything. If you change the id in the code to a real id from the database then it all works.

tcrayford10:08:21

is id from the route a string?

a.espolov10:08:44

tcrayford: yes, sorry(

tcrayford10:08:07

np 😉

tcrayford10:08:16

I'd bet that's it, right?

a.espolov10:08:29

a silly question

robert-stuttaford10:08:59

wrap id with (Long. id) and it should be good

robert-stuttaford10:08:20

also, be aware it’s not advisable to use internal entity ids as external identifiers

tcrayford10:08:56

yeah, use a squuid

a.espolov10:08:40

@robert-stuttaford: But what about a tree-like data structure whose leaves refer to similar entities?

robert-stuttaford10:08:11

the entity ids are not guaranteed to be stable between database backup/restore. tcrayford knows the details

robert-stuttaford10:08:27

if you want to keep a reference to an entity, you should use one of your own making

robert-stuttaford10:08:41

lookup refs make this pretty straightforward to do

tcrayford10:08:53

obviously you're still fine doing a pull from that - if you avet it and use a lookup ref it's real easy

tcrayford10:08:22

in other news, I think I figured out how to do "injection" (like sql injection) to datomic, iff you have external endpoints that accept EDN or transit

tcrayford10:08:03

(at least: I think I did. I'm unsure if it actually works thinking about it)

tcrayford10:08:48

@a.espolov: oh, you have EDN endpoints that point at datomic?

tcrayford10:08:53

(or transit)

tcrayford10:08:01

I need to check it, and don't have time for that…

tcrayford10:08:46

but tldr: (d/q [:find WHATEVER :in $ ?id [?id :some/attribute whatever]] db id) - if id comes from EDN, can't you just pass this EDN string: {:id (d/q WHATEVER_QUERY_YOU_WANNA_DO_FOR_INJECTION $)}

tcrayford10:08:08

reminder about "blind" database injection as well - even if you never display results of the query you can still work out the entire database

tcrayford10:08:03

(google "blind sql injection" if you wanna blow your mind a bit)

a.espolov10:08:39

@tcrayford: is it sql injection is not requests to add/update records in the database?

tcrayford10:08:00

I don't think I understand…

a.espolov10:08:43

@tcrayford: I do not understand correctly d/q-besides result set could execute insert/update?

tcrayford10:08:23

oh, not insert

tcrayford10:08:52

but even so, an attacker can query literally every entity/attribute/value in your db, which is quite a big deal

a.espolov10:08:58

@tcrayford: but it is when a request is going to fly, rather than rigidly prescribed to each endpoint

robert-stuttaford12:08:37

tcrayford: your example query is missing :where. you wouldn’t be able to inject arbitrary clauses like that

tcrayford16:08:37

@robert-stuttaford: haha yeah. Just pretend it has it ;)

a.espolov16:08:27

@robert-stuttaford: "if you want to keep a reference to an entity, you should use one of your own making" This is what options to save a reference to the entity?)

robert-stuttaford17:08:10

for example, make your own uuid attr and use that in your urls

sdegutis19:08:42

Is it possible to make a transaction where it will do nothing (be a no-op) if the lookup-ref is invalid and returns no matching entity?

sdegutis19:08:10

So like [:db/add [:user/email maybe-email] :user/name "bob"]

sdegutis19:08:25

Where that'll work if maybe-email has a match but no-op (without throwing an exception) if it doesn't?

shaunxcode19:08:47

where your goal is to avoid having a "nothing happened" transaction?

sdegutis19:08:19

Right, especially one that does not throw an exception.

shaunxcode20:08:13

as far as I am aware there is not a way w/o the throwing of exception - are you just annoyed by the empty transaction?

bostonaholic20:08:06

@sdegutis: I would just wrap in try/catch and have the catch block be empty

bostonaholic20:08:44

and only catch that particular exception, maybe rethrow if another exception occurs

arohner21:08:06

given a txid, how do I find the contents of the transaction?

Alex Miller (Clojure team)21:08:24

[:find ?e ?a ?v ?op :in $ ?txid :where [?e ?a ?v ?txid ?op]] ;; something like that via a query (excuse typos)

arohner22:08:19

(d/q '[:find ?e :in $ ?tx :where [?e ?tx ?op]] db txid) Exception Insufficient bindings, will cause db scan datomic.datalog/fn--6468 (datalog.clj:368)

arohner22:08:17

(:data (first (d/tx-range (d/log dev-conn) txid (inc txid)))) works, but I’d like to understand how to make that q work

arohner22:08:52

also, that’s slightly annoying because I need a conn rather than a db