Details
- Bug
- Resolution: Done
- Major - P3
*Location*: https://docs.mongodb.com/manual/faq/fundamentals/#faq-dollar-sign-escaping
*User-Agent*: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
*Referrer*: https://github.com/scitran/core/issues/134
*Screen Resolution*: 1920 x 1080
Description
Hi,
Previously, official MongoDB documentation instructed developers to replace "." (dot) and "$" (dollar sign) in user-supplied input with Unicode equivalents. This was relevant for update() and where() queries, to prevent "NoSQL Injection". I can no longer find this section of the MongoDB docs. I now see that there is instead a section describing how to construct a BSON object representing the query, using a MongoDB client library. Is the previous explanation of replacing "$" and "." with Unicode equivalents not necessary because, if the query is constructed by formatting a BSON object, special characters are escaped? How is this different from passing a JSON object to the query function? To the best of my knowledge, creating BSON objects has been supported by client libraries for some time; was the old strategy simply inferior and so it has been removed, or did something change? Thank you for the support!
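As an added example (not part of this ticket, and not MongoDB's own code or documentation), the distinction the reporter asks about, in plain Python with no database: a query whose value is taken straight from parsed client JSON can carry an operator as a nested object, whereas a query whose shape the server fixes and whose value is checked to be a string cannot. The full-width code points in the legacy helper are an assumption about what the older FAQ recommended; the request bodies are constructed samples.

```python
import json
from typing import Any

# Constructed sample request bodies (not from the ticket): the second one
# carries a query operator inside the "username" value.
BENIGN_BODY = '{"username": "alice"}'
HOSTILE_BODY = '{"username": {"$ne": null}}'


def build_query_from_request_body(body: str) -> dict:
    """Vulnerable pattern: parse the client's JSON and pass the value through.
    Nothing distinguishes a user-supplied object from one the server built,
    so a nested key such as "$ne" is interpreted as a live query operator."""
    parsed = json.loads(body)
    return {"username": parsed["username"]}


def build_query_safely(username: Any) -> dict:
    """Hardened pattern: the server decides the document's shape and keys; the
    user only supplies a scalar value. A non-string value is rejected rather
    than embedded, so the text '{"$ne": null}' can only ever be a literal
    string to match, never an operator."""
    if not isinstance(username, str):
        raise TypeError("username must be a string")
    return {"username": username}


def find_operator_keys(doc: Any, path: str = "") -> list:
    """Defensive check for documents you did not build yourself: return the
    paths of every key that starts with '$' or contains '.', recursing into
    nested dicts and lists. An empty list means no operator-shaped keys."""
    hits = []
    if isinstance(doc, dict):
        for key, value in doc.items():
            here = f"{path}.{key}" if path else key
            if key.startswith("$") or "." in key:
                hits.append(here)
            hits.extend(find_operator_keys(value, here))
    elif isinstance(doc, list):
        for i, item in enumerate(doc):
            hits.extend(find_operator_keys(item, f"{path}[{i}]"))
    return hits


def escape_legacy(key: str) -> str:
    """The older documented workaround the ticket refers to, for user-chosen
    field *names* (assumed code points: U+FF04 and U+FF0E full-width forms).
    It cannot help when the user-supplied part is already a nested object."""
    return key.replace("$", "\uff04").replace(".", "\uff0e")
```

The legacy substitution only addresses keys that must contain the reserved characters; the value-side problem is solved by fixing the document's structure server-side, which is what building the query as a BSON document rather than parsing client JSON achieves.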