
SQL injections with noSQL databases?

Developer https://www.devze.com 2023-01-14 22:08 Source: Internet

I am using MongoDB currently, and I am wondering what measures we should take to ensure that any data that could cause problems isn't stored. I believe that normal PHP functions like mysql_escape_string aren't going to help here...

Are there SQL injections for NoSQL databases, and especially MongoDB?

If so, what can we do to protect ourselves from them?


See MongoDB's documentation:

Generally, with MongoDB we are not building queries from strings, so traditional SQL Injection attacks are not a problem.

There are other issues to be aware of, so it's worth giving that page a read.


The documentation is wrong. In PHP you need to be careful of null-byte injection attacks (http://www.idontplaydarts.com/2011/02/mongodb-null-byte-injection-attacks/) as well as object injection (http://www.idontplaydarts.com/2010/07/mongodb-is-vulnerable-to-sql-injection-in-php-at-least/).

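A defensive check for the two PHP issues named in the answer above, as an added example that is not part of the original answers: PHP parses bracketed request parameters into arrays, and an array placed in a MongoDB filter is interpreted as an operator document rather than a literal value. The function names `scalar_param` and `build_user_filter`, the `username` field and the sample inputs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Return $input[$key] only if it is a plain string that is safe to use as a
// literal value in a MongoDB filter; throw otherwise. (Hypothetical helper.)
function scalar_param(array $input, string $key, int $maxLen = 256): string
{
    if (!array_key_exists($key, $input)) {
        throw new InvalidArgumentException("missing parameter: $key");
    }
    $value = $input[$key];
    // Object injection: a request parameter can arrive as an array. Only a
    // string may be used as a literal, so anything else is refused.
    if (!is_string($value)) {
        throw new InvalidArgumentException("parameter $key must be a string");
    }
    // Null-byte injection: BSON field names are null-terminated, so input
    // carrying "\0" is refused before it can reach a key or a value.
    if (strpos($value, "\0") !== false) {
        throw new InvalidArgumentException("parameter $key contains a null byte");
    }
    if (strlen($value) > $maxLen) {
        throw new InvalidArgumentException("parameter $key is too long");
    }
    return $value;
}

// Build the filter from validated scalars only (assumed 'username' field).
function build_user_filter(array $input): array
{
    return ['username' => scalar_param($input, 'username')];
}

// Constructed sample inputs standing in for $_GET / $_POST.
$samples = [
    'plain string'     => ['username' => 'alice'],
    'array, not string' => ['username' => ['$someOperator' => 'x']],
    'null byte'        => ['username' => "alice\0x"],
];

foreach ($samples as $label => $input) {
    try {
        $filter = build_user_filter($input);
        echo "$label: accepted ", json_encode($filter), "\n";
    } catch (InvalidArgumentException $e) {
        echo "$label: rejected (", $e->getMessage(), ")\n";
    }
}
```

Only the first sample is accepted; the other two are rejected before any query is built. The validated filter can then be passed to the driver's `findOne`, with the password checked separately using `password_verify` instead of being placed in the filter.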
