I’m working on a Node.js project with an Apollo GraphQL server and Dgraph with DQL. I’d really like to allow users to specify precisely which edges to query in Dgraph.
For example, suppose I have a simple User type in DQL:

```
type User {
  firstName
  lastName
  emailAddress
  phoneNumber
}

firstName: string .
lastName: string .
emailAddress: string .
phoneNumber: string .
```

And suppose my server has received a request with a list of desired edges, which I have confirmed are valid User edges:

```javascript
const edges = ['firstName', 'emailAddress']
```

Will my database be vulnerable to an injection attack if I do the following?
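
```javascript
// Edge names are interpolated directly into the DQL query text.
// A DQL query block must be wrapped in an outer pair of braces.
const query = `
{
  users(func: type(User)) {
    ${edges.join('\n')}
  }
}
`
const response = await txn.query(query)
return response.getJson().users
```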
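
Added example, not part of the original post: one way to perform the "confirmed valid" step, by matching each requested edge exactly against an allowlist before it is interpolated into the DQL text. `USER_EDGES` mirrors the `User` type above; `buildUsersQuery`, `isRejected` and the sample inputs are hypothetical names and constructed values.

```javascript
// Allowlist of predicates on the User type shown in the post (assumed to be complete).
const USER_EDGES = new Set(['firstName', 'lastName', 'emailAddress', 'phoneNumber']);

// Hypothetical helper: returns the DQL text, or throws if any edge is not allowlisted.
function buildUsersQuery(requestedEdges) {
  if (!Array.isArray(requestedEdges) || requestedEdges.length === 0) {
    throw new TypeError('edges must be a non-empty array');
  }
  const selected = [];
  for (const edge of requestedEdges) {
    // Exact string match only: a non-string value, or a string carrying
    // whitespace, braces or a nested block, can never equal an allowlisted name.
    if (typeof edge !== 'string' || !USER_EDGES.has(edge)) {
      throw new Error(`edge not allowed: ${JSON.stringify(edge)}`);
    }
    if (!selected.includes(edge)) selected.push(edge); // drop duplicates
  }
  // Only allowlisted names reach this point, so the query shape is fixed.
  return `{\n  users(func: type(User)) {\n    ${selected.join('\n    ')}\n  }\n}`;
}

// Hypothetical helper for checking inputs without a try/catch at the call site.
function isRejected(requestedEdges) {
  try {
    buildUsersQuery(requestedEdges);
    return false;
  } catch (err) {
    return true;
  }
}

// Constructed inputs for illustration.
console.log(buildUsersQuery(['firstName', 'emailAddress']));
console.log(isRejected(['firstName } extra(func: has(secret)) { secret'])); // not an exact match
console.log(isRejected([{ toString: () => 'firstName' }]));                 // not a string
```

The check runs on the server against a fixed set, so the interpolated text can only ever be a combination of the four known predicate names.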