[SERVER-4322] MongoDB Query Injection related question/queries
Created: 18/Nov/11  Updated: 27/Sep/17  Resolved: 07/Jan/15

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 1.9.0
Fix Version/s: None

Type: Question
Priority: Major - P3
Reporter: Saurabh Dave
Assignee: Unassigned
Resolution: Done
Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment: Windows/Linux/FreeBSD



 Description   

1. While there are APIs for MongoDB that support a number of development platforms, none of these appears to support the notion of bind variable support to escape query language meta-characters that may be embedded in user-supplied data. An API enhancement that offers support for parameterized queries (a.k.a. "prepared statements") would be a welcome enhancement.



 Comments   
Comment by Andreas Nilsson [ 07/Jan/15 ]

Bind variables can indeed be used to protect against SQL injection in SQL-based databases.

However, I don't see a similar use case in MongoDB since there is no direct execution of user-supplied commands. I will go ahead and close this ticket.

saurabhdave, please let me know if you have additional injection concerns.
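
Added example, not part of the ticket and not MongoDB or driver code: because a MongoDB filter is a structured document rather than parsed command text, a string value stays data whatever characters it contains, and the nearest equivalent of a bind variable is checking that each user-supplied value is a scalar of the expected type before it goes into the filter. The helper names (`bind_scalar`, `build_login_filter`, `classify`), the field names and the sample inputs are assumptions made for illustration.

```python
from collections.abc import Mapping

class UnsafeValueError(ValueError):
    """User input was not a plain scalar of the expected type."""

def bind_scalar(value, expected_type=str):
    """Return value if it is a scalar of expected_type, else raise.

    Decoded JSON or form input can yield a dict or list where a string was
    expected. Inside a filter, a dict is read as a sub-document or operator
    expression rather than as data, so it is rejected, not escaped.
    """
    if isinstance(value, (Mapping, list, tuple, set)):
        raise UnsafeValueError(f"container not allowed: {type(value).__name__}")
    # bool is a subclass of int; do not let True/False pass as a number.
    if isinstance(value, bool) and expected_type is not bool:
        raise UnsafeValueError("bool not allowed here")
    if not isinstance(value, expected_type):
        raise UnsafeValueError(f"expected {expected_type.__name__}")
    return value

def build_login_filter(params):
    """Build a filter document for a hypothetical 'users' collection."""
    return {
        "username": bind_scalar(params.get("username")),
        "token": bind_scalar(params.get("token")),
    }

def classify(params):
    """Return 'accepted' or 'rejected' for one set of request parameters."""
    try:
        build_login_filter(params)
        return "accepted"
    except UnsafeValueError:
        return "rejected"

# Constructed sample inputs (not taken from the ticket).
SAMPLES = [
    {"username": "alice", "token": "s3cr3t"},       # plain strings
    {"username": "alice", "token": "$ne"},          # '$' inside a string is data
    {"username": "alice", "token": {"$ne": None}},  # dict where a string was expected
    {"username": "alice"},                          # missing field
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample), sample)
```

The resulting dict is what would be handed to a driver's find call; the type check belongs at the point where request data is decoded, before any filter is built.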
