Is in mongodb something like prepared statements in php for security?

Time:11-02

I am just learning mongodb and have one important question. Is there something in mongodb for security like there is in php? In php I could use something like:

$stmt = $this->conn->prepare("UPDATE news SET shown = shown + 1 WHERE newsID = :newsID");
$stmt->bindValue(":newsID", $id, PDO::PARAM_INT);
$stmt->execute();

But what about mongodb? It's weird to see variables inserted directly into a mongodb insert statement like:

db.products.insertOne( { _id: 10, "item": itemName, "qty": itemQuantity } );

Thank you for your explanation!

CodePudding user response:

Unless you would construct something like

db.products.insertOne( JSON.parse('{ _id: 10, "item": itemName, "qty": itemQuantity }') )

an SQL injection would be rather difficult. I guess no one writes such code voluntarily.

When you have a statement like db.find({"someProperty": userInput}) and a hacker tries to pass {"$exists": true}, then it will result in db.find({"someProperty": "{\"$exists\": true}"}), which should not return any result.

But as mentioned, using JSON.parse() or similar could be a security flaw.
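The answer's point, that a string stays a string but a parsed object becomes a query operator, as an added example that is not part of the original post or answer. No MongoDB driver is involved: a tiny in-memory matcher (`find`, `fieldMatches`) stands in for the server so it runs offline, and the helper names `naiveFilter` and `safeFilter` are assumptions chosen for illustration.

```javascript
// Added example, not code from the original post. A minimal in-memory matcher
// stands in for MongoDB so the behaviour can be observed without a database.

// Constructed sample collection.
const products = [
  { _id: 1, item: "apple", qty: 5 },
  { _id: 2, item: "pear", qty: 0 },
  { _id: 3, item: "plum", qty: 12 },
];

// Subset of MongoDB filter semantics: a scalar condition is strict equality;
// an object condition is interpreted as operators ($exists, $ne).
function fieldMatches(value, cond) {
  if (cond !== null && typeof cond === "object" && !Array.isArray(cond)) {
    return Object.entries(cond).every(([op, arg]) => {
      if (op === "$exists") return (value !== undefined) === Boolean(arg);
      if (op === "$ne") return value !== arg;
      throw new Error(`unsupported operator ${op}`);
    });
  }
  return value === cond; // a string value is never treated as an operator
}

function find(collection, filter) {
  return collection.filter((doc) =>
    Object.entries(filter).every(([field, cond]) => fieldMatches(doc[field], cond))
  );
}

// Naive: whatever the caller passes becomes the filter value. Safe for a real
// string; an object that arrived via JSON.parse() turns into an operator.
function naiveFilter(itemName) {
  return { item: itemName };
}

// Hardened: accept only a primitive string, so structured input can never be
// read as a query operator. (Assumed helper name.)
function safeFilter(itemName) {
  if (typeof itemName !== "string") {
    throw new TypeError("item must be a string");
  }
  return { item: itemName };
}

function demo() {
  // The string from the answer: compared by equality, matches nothing.
  const asString = find(products, naiveFilter('{"$exists": true}'));
  // The same text after JSON.parse(): now an operator, matches every document.
  const asObject = find(products, naiveFilter(JSON.parse('{"$exists": true}')));
  // The hardened builder refuses the object outright.
  let rejected = false;
  try {
    safeFilter(JSON.parse('{"$exists": true}'));
  } catch (e) {
    rejected = e instanceof TypeError;
  }
  return { asString: asString.length, asObject: asObject.length, rejected };
}

console.log(demo()); // { asString: 0, asObject: 3, rejected: true }
```

The defensive rule this illustrates is a type check at the boundary: if a value is supposed to be a string, verify `typeof` before it reaches the filter, because the driver cannot tell a legitimate operator object from one a client supplied.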
