Use the qs module to parse query and post data, with support for array and object values. For example, the string 'foo[bar]=baz' converts to:

```js
foo: {
  bar: 'baz'
}
```
```sh
npm install think-qs
```

think-qs requires thinkjs version >= 3.2.2.
Config file src/config/middleware.js (in multi mode the file is src/common/config/middleware.js); add the middleware after payload:

```js
const qs = require('think-qs');
module.exports = [
  ...
  {
    handle: 'payload'
  },
  {
    handle: qs,
    options: {
    }
  }
]
```
After configuring it, you can get array and object values with this.get or this.post in a controller.
This middleware supports the following options:

- query: true, enable qs to parse the query string
- post: true, enable qs to parse post data

You can find more options at https://github.com/ljharb/qs.
If you use this middleware, you must be careful about security: some ORMs accept arrays and objects in where conditions, which can lead to SQL injection.

```js
// http://docs.sequelizejs.com/manual/tutorial/querying.html
Post.findAll({
  where: {
    id: this.get('id')
  }
});
```
Here we expect id to be an integer, but when the URL is /pathname?id[$gt]=6, the id value is an object:

```js
{
  $gt: 6
}
```

The where condition is then no longer what we wanted, which causes SQL injection. You can configure a logic to resolve this security problem.
```js
module.exports = class extends think.Logic {
  indexAction() {
    this.rules = {
      id: {
        int: true
      }
    }
  }
}
```

You can get more information about logic from https://thinkjs.org/zh-cn/doc/3.0/logic.html.
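The following added example (not part of think-qs or qs) shows both points above: a minimal bracket-notation parser standing in for qs turns 'foo[bar]=baz' and 'id[$gt]=6' into nested objects, and a guard equivalent to the {id: {int: true}} rule refuses to pass anything but a plain integer into the where condition. The function names parseBracketQuery and buildWhere are assumptions for this example.

```javascript
// Minimal stand-in for qs: "a[b][c]=v" becomes {a: {b: {c: 'v'}}},
// "tags[]=x&tags[]=y" becomes {tags: ['x', 'y']}. Values stay strings,
// as they do with qs. Not the real qs module.
function parseBracketQuery(query) {
  const out = {};
  for (const pair of query.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const key = decodeURIComponent(eq < 0 ? pair : pair.slice(0, eq));
    const val = decodeURIComponent(eq < 0 ? '' : pair.slice(eq + 1).replace(/\+/g, ' '));
    // "id[$gt]" -> ["id", "$gt"]; "tags[]" -> ["tags", ""]
    const path = key.replace(/\]/g, '').split('[');
    let node = out;
    for (let i = 0; i < path.length - 1; i++) {
      const next = path[i + 1];
      if (node[path[i]] === undefined) node[path[i]] = next === '' ? [] : {};
      node = node[path[i]];
    }
    const leaf = path[path.length - 1];
    if (leaf === '' && Array.isArray(node)) node.push(val);
    else node[leaf] = val;
  }
  return out;
}

// Mirrors the {id: {int: true}} Logic rule: only an integer string reaches
// the ORM. An object such as {$gt: '6'} (operator injection) or an array is
// rejected before a where clause is ever built.
function buildWhere(parsedQuery) {
  const id = parsedQuery.id;
  if (typeof id !== 'string' || !/^-?\d+$/.test(id)) {
    return { ok: false, error: 'id must be an integer' };
  }
  return { ok: true, where: { id: Number(id) } };
}

// Constructed sample inputs: the README's string and the injection URL.
console.log(JSON.stringify(parseBracketQuery('foo[bar]=baz')));  // {"foo":{"bar":"baz"}}
console.log(JSON.stringify(buildWhere(parseBracketQuery('id[$gt]=6'))));  // rejected
console.log(JSON.stringify(buildWhere(parseBracketQuery('id=6'))));  // {"ok":true,"where":{"id":6}}
```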