[DOCS-9649] Comment on: "manual/faq/fundamentals.txt" Created: 14/Dec/16 Updated: 26/Jul/18 Resolved: 14/Dec/17 |
|
| Status: | Closed |
| Project: | Documentation |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | colton leekley-winslow | Assignee: | Kay Kim (Inactive) |
| Resolution: | Done | Votes: | 0 |
| Labels: | collector-298ba4e7 | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Environment: |
Location: https://docs.mongodb.com/manual/faq/fundamentals/#faq-dollar-sign-escaping |
||
| Participants: | |
| Days since reply: | 6 years, 8 weeks, 6 days ago |
| Description |
|
Hi, previously the official MongoDB documentation instructed developers to replace "." (dot) and "$" (dollar sign) in user-supplied input with Unicode equivalents. This was relevant for update() and where() queries, to prevent "NoSQL Injection". I can no longer find this section of the MongoDB docs. I now see that there is instead a section describing constructing a BSON object representing the query, using a MongoDB client library. Is the previous explanation of replacing "$" and "." with Unicode equivalents not necessary because, if the query is constructed by formatting a BSON object, special characters are escaped? How is this different from passing a JSON object to the query function? To the best of my knowledge, creating BSON objects has been supported by client libraries for some time. Was the old strategy simply inferior and so it has been removed, or did something change? Thank you for the support! |
| Comments |
| Comment by Kay Kim (Inactive) [ 14/Dec/17 ] |
|
I believe the comment should address the question. Feel free to reopen/create a new ticket. |
| Comment by Kay Kim (Inactive) [ 14/Dec/16 ] |
|
Hi Colton – So, it was just a bit of housekeeping by the docs team. |
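
The substitution described in the ticket description, as an added example (not code from the MongoDB documentation or from either participant): it replaces "$" and "." in user-supplied field names with their full-width Unicode forms, U+FF04 and U+FF0E, before the data is placed in an update document. `buildProfileUpdate`, the `profile` field and the sample request body are hypothetical.

```javascript
// Added example: escaping reserved characters in user-supplied field names.
// Full-width equivalents: U+FF04 for "$" and U+FF0E for ".".
const FULLWIDTH = { '$': '\uFF04', '.': '\uFF0E' };

// Replace the reserved characters in a single field name.
function escapeKey(key) {
  return String(key).replace(/[$.]/g, (ch) => FULLWIDTH[ch]);
}

// Recursively escape every key in a value parsed from user input.
// Arrays are walked element by element; scalars are returned unchanged.
function escapeKeys(value) {
  if (Array.isArray(value)) return value.map(escapeKeys);
  if (value !== null && typeof value === 'object') {
    return Object.fromEntries(
      Object.entries(value).map(([k, v]) => [escapeKey(k), escapeKeys(v)])
    );
  }
  return value;
}

// Hypothetical helper: build an update document that stores user-supplied
// data under "profile". The only operator key is the "$set" written here;
// no key taken from the input can start with "$" or contain "." afterwards.
function buildProfileUpdate(userSupplied) {
  return { $set: { profile: escapeKeys(userSupplied) } };
}

// Constructed sample input: a request body whose keys contain "$" and ".".
const sampleBody = JSON.parse(
  '{"$total": 10, "address.city": "Oslo", "tags": [{"a.b": 1}]}'
);
console.log(JSON.stringify(buildProfileUpdate(sampleBody)));
```

The escaped keys are stored as ordinary field names, so code that reads the document back has to apply the reverse mapping if it needs the original names.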