Query.EQ behavior with null value - produces empty query
783 views
Skip to first unread message
nuha
Jan 11, 2012, 9:29:24 PM1/11/12
to mongod...@googlegroups.com
In C#, when using Query.EQ(string, object), the following was observed:
When null is passed as a value, the builder creates a null query {}. (less than expected)
When and empty string is passed, the builder creates a query with rvalue of empty string. (expected)
The danger is that unless well guarded, this can produce a query matching unintended records. Bad for security, bad for updates..
Is this a documented behavior?
The more explicity Query.EQ("foo": new BsonString(null)) would throw, but to the uninitiated all of this is very un-intuitive.
-------------------------
[TestMethod]
public void MongoDbQuery_EqWithNullString_ConstructsNullQuery()
{
string id = null;
var query = Query.EQ("OwnerId", id);
Assert.AreEqual("{ }", query.ToString());
}
[TestMethod]
public void MongoDbQuery_EqWithEmptyString_ConstructsNullQuery()
{
string id = "";
var query = Query.EQ("OwnerId", id);
Assert.AreEqual("{ \"OwnerId\" : \"\" }", query.ToString());
}
Robert Stam
Jan 11, 2012, 10:30:24 PM1/11/12
to mongod...@googlegroups.com
It's a result of BsonDocument functional construction treating C# nulls the same way as XDocument does (in other words, C# nulls are ignored).
The way to search for a BSON null is to use the BsonNull.Value constant:
Query.EQ("fieldname", BsonNull.Value);
--
You received this message because you are subscribed to the Google Groups "mongodb-user" group.
To view this discussion on the web visit https://groups.google.com/d/msg/mongodb-user/-/DQJ7ZTQHstsJ.
To post to this group, send email to mongod...@googlegroups.com.
To unsubscribe from this group, send email to mongodb-user...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/mongodb-user?hl=en.
nuha
Jan 12, 2012, 2:34:52 AM1/12/12
to mongodb-user
Yes.
The thing is - how many users would spot the issue by just looking at
the function?
Some documentation around this may prevent this eventuality.
The API user would expect that it would produce some form of {"field":
xyz} whatever xyz becomes. The result of no field at all is what is of
concern here and is not intuitive from the signature and not
documented to behave this or any other way.
On Jan 11, 7:30 pm, Robert Stam <rob...@10gen.com> wrote:
> It's a result of BsonDocument functional construction treating C# nulls the
> same way as XDocument does (in other words, C# nulls are ignored).
>
> The way to search for a BSON null is to use the BsonNull.Value constant:
>
> Query.EQ("fieldname", BsonNull.Value);
>
>
>
>
>
>
>
> On Wed, Jan 11, 2012 at 6:29 PM, nuha <nuri.halpe...@gmail.com> wrote:
> > In C#, when using Query.EQ(string, object), the following was observed:
> > When null is passed as a value, the builder creates a null query {}. (less
> > than expected)
> > When and empty string is passed, the builder creates a query with rvalue
> > of empty string. (expected)
>
> > The danger is that unless well guarded, this can produce a query matching
> > unintended records. Bad for security, bad for updates..
>
> > Is this a documented behavior?
> > The more explicity Query.EQ("foo": new BsonString(null)) would throw, but
> > to the uninitiated all of this is very un-intuitive.
>
> > -------------------------
> > [TestMethod]
> > public void MongoDbQuery_EqWithNullString_ConstructsNullQuery()
> > {
> > string id = null;
> > var query = Query.EQ("OwnerId", id);
> > Assert.AreEqual(*"{ }"*, query.ToString());
The thing is - how many users would spot the issue by just looking at
the function?
Some documentation around this may prevent this eventuality.
The API user would expect that it would produce some form of {"field":
xyz} whatever xyz becomes. The result of no field at all is what is of
concern here and is not intuitive from the signature and not
documented to behave this or any other way.
On Jan 11, 7:30 pm, Robert Stam <rob...@10gen.com> wrote:
> It's a result of BsonDocument functional construction treating C# nulls the
> same way as XDocument does (in other words, C# nulls are ignored).
>
> The way to search for a BSON null is to use the BsonNull.Value constant:
>
> Query.EQ("fieldname", BsonNull.Value);
>
>
>
>
>
>
>
> On Wed, Jan 11, 2012 at 6:29 PM, nuha <nuri.halpe...@gmail.com> wrote:
> > In C#, when using Query.EQ(string, object), the following was observed:
> > When null is passed as a value, the builder creates a null query {}. (less
> > than expected)
> > When and empty string is passed, the builder creates a query with rvalue
> > of empty string. (expected)
>
> > The danger is that unless well guarded, this can produce a query matching
> > unintended records. Bad for security, bad for updates..
>
> > Is this a documented behavior?
> > The more explicity Query.EQ("foo": new BsonString(null)) would throw, but
> > to the uninitiated all of this is very un-intuitive.
>
> > -------------------------
> > [TestMethod]
> > public void MongoDbQuery_EqWithNullString_ConstructsNullQuery()
> > {
> > string id = null;
> > var query = Query.EQ("OwnerId", id);
> > }
>
> > [TestMethod]
> > public void MongoDbQuery_EqWithEmptyString_ConstructsNullQuery()
> > {
> > string id = "";
> > var query = Query.EQ("OwnerId", id);
> > Assert.AreEqual(*"{ \"OwnerId\" : \"\" }"*, query.ToString());
>
> > [TestMethod]
> > public void MongoDbQuery_EqWithEmptyString_ConstructsNullQuery()
> > {
> > string id = "";
> > var query = Query.EQ("OwnerId", id);
Robert Stam
Jan 12, 2012, 3:00:41 AM1/12/12
to mongod...@googlegroups.com
Agreed that this should be better documented.
I have created a JIRA ticket for this:
Reply all
Reply to author
Forward
0 new messages