Home > other >  findOneBy() - Sanitize email input - mongodb-odm 2.x
findOneBy() - Sanitize email input - mongodb-odm 2.x

Time:06-17

Is this safe (from an SQL injection perspective) to do:

$email = $_POST['email'];

$user = $dm->getRepository(self::$repository)->findOneBy(array('email' => $email));

Best

edit;-

So, the string '[email protected]' comes into my method via a variable $email.

CodePudding user response:

You are safe from SQL injection because the MongoDB drivers do not speak SQL.

But beyond this, unless you use db.runCommand, there is no way to change a "find" statement (find,find_one, etc.) into an "update" or "delete" statement. No amount of variable substitution or trickery will change the basic behavior from read to anything else. In contrast, the classic cursor.execute("A SQL string") can do almost anything including adding/removing users and tables, etc. etc. and must be very carefully sanitized.

Page link:https//www.codepudding.com/other/444397.html

Prev:R shiny custom tabsets using javascript - second tab not rendering
Next:Mongodb query for upcoming dates in month/day timeframe
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding