mongodb eval executes server side scripts

The javascript script can be executed on the server side through the db.eval function, or you can save the javascript script in the database and call it from another database command.

1. db.eval executes server-side scripts

The javascript script can be executed on the MongoDB server side using the db.eval function, which first passes the given javascript string to the MongoDB server, executes it on the server, and returns the result.
db.eval can be used to simulate multi-document transactions: db.eval locks the database, then executes javascript, and then unlocks it. Although there is no built-in rollback mechanism, this ensures that series 1 operations take place in the specified number order.
There are two ways to send code, encapsulating 1 function or unencapsulating, such as:

db.eval("return 'refactor';")

db.eval("function(){return 'refactor';}")

The function must be encapsulated as a function only when parameters are passed. The parameters are passed through the second parameter of db.eval, which is written as an array.
Such as:

db.eval("function(name){return 'hello,'+name;}",['refactor'])

If the expression for db.eval is complex, the way to debug it is to write the debug information into the database log
Such as:

db.eval("print('hello refactor')")

This way you can find hello refactor in the log

2. Storage javascript

Each MongoDB database has a special collection: system.js for the javascript variables, which can be called in any MongoDB javascript context, including the "$where" clause, db.eval calls,MapReduce jobs, system.js
Such as:

db.system.js.insert({"_id":"x","value":1})

db.system.js.insert({"_id":"y","value":2})

db.system.js.insert({"_id":"z","value":3})

The above example defines x,y,z in the global scope and sums them:

db.eval("return x+y+z;")

system.js can store javascript code so that you can easily customize some scripts, such as writing a log function with javascript and storing it in system.js:

db.system.js.insert(

　　{

　　　　"_id":"log",

　　　　"value":function(msg,level)

　　　　　　　　{

　　　　　　　　　　var levels=["DEBUG","WARN","ERROR","PATAL"];

　　　　　　　　　　level=level?level:0;

　　　　　　　　　　var now= new Date();

　　　　　　　　　　print( now +" "+ levels[level]+msg);

　　　　　　　　}

　　}

)

Call:

db.eval("log('refactor bolg test',1)")

The disadvantage of using stored javascript is that the code is detached from regular source control and messes up the javascript sent by the client.
The best way to use javascript is to use one javascript function at a time in your application, so if you want to update this function, you can use javascript instead of changing it all. If your javascript code is very long and tedious to use, you can also use javascript storage, which will save you a lot of transfer time once.

3. The security

To execute the javascript code, consider the security of MongoDB.
Such as:

>func="function(){print('hello,"+username+"!');}"

If username is user-defined, you can use a string like "'); db. dropDatabase (); print (' ",
The code looks like this:

>func="function(){print('hello,');db.dropDatabase();print('!');}"

To avoid this, scope it.
Most drivers is passed to the database code provides one kind of special type, this is because the code can actually be seen as a string and a combination of scope. The scope is the one holds a variable name and value mapping document. When javascript function to perform this mapping, make up the function of the local scope.