[SERVER-4322] MongoDB Query Injection related question/queries Created: 18/Nov/11 Updated: 27/Sep/17 Resolved: 07/Jan/15 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | 1.9.0 |
| Fix Version/s: | None |
| Type: | Question | Priority: | Major - P3 |
| Reporter: | Saurabh Dave | Assignee: | Unassigned |
| Resolution: | Done | Votes: | 1 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Environment: | Windows/Linux/FreeBSD |
| Participants: | |
| Case: | (copied to CRM) |
| Description |
|
1. While there are APIs for MongoDB that support a number of development platforms, none of these appears to support the notion of bind variable support to escape query language meta-characters that may be embedded in user-supplied data. An API enhancement that offers support for parameterized queries (a.k.a. "prepared statements") would be a welcome enhancement. |
| Comments |
| Comment by Andreas Nilsson [ 07/Jan/15 ] |
|
Bind variables can indeed be used to protect against SQL injection in SQL-based databases. However, I don't see a similar use case in MongoDB since there is no direct execution of user-supplied commands. I will go ahead and close this ticket. saurabhdave, please let me know if you have additional injection concerns. |
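
The bind-variable idea from the description, sketched as an added example (not MongoDB or driver code, and not part of this ticket): a hypothetical `bind()` helper with a made-up `:name` placeholder syntax fills a filter template with user-supplied values and accepts only scalars, so a value decoded from JSON cannot bring its own `$` operators into the query. The template, field names and sample inputs are constructed.

```python
import re
from datetime import datetime

# Scalars only: a bound value can never carry its own operators
# (such as {"$ne": None}) into the filter document.
SCALARS = (str, int, float, bool, bytes, datetime, type(None))
PLACEHOLDER = re.compile(r":(\w+)")  # hypothetical ":name" bind syntax


def bind(template, params):
    """Copy `template`, replacing ":name" strings with values from `params`.

    Field names and operators come only from the template; bound values
    are inserted as literal data and are never re-expanded.
    """
    if isinstance(template, dict):
        return {key: bind(val, params) for key, val in template.items()}
    if isinstance(template, list):
        return [bind(val, params) for val in template]
    match = PLACEHOLDER.fullmatch(template) if isinstance(template, str) else None
    if match is None:
        return template  # constant that belongs to the template itself
    name = match.group(1)
    if name not in params:
        raise KeyError(f"no value bound for :{name}")
    value = params[name]
    if not isinstance(value, SCALARS):
        raise TypeError(f":{name} must be a scalar, got {type(value).__name__}")
    return value


# Constructed template and inputs (hypothetical field names).
LOOKUP = {"user": ":user", "api_token": ":token", "age": {"$gte": ":min_age"}}
benign = {"user": "alice", "token": "5f4dcc3b", "min_age": 18}
# What a JSON request body such as {"token": {"$ne": null}} decodes to.
hostile = {"user": "alice", "token": {"$ne": None}, "min_age": 18}

if __name__ == "__main__":
    print(bind(LOOKUP, benign))
    try:
        bind(LOOKUP, hostile)
    except TypeError as exc:
        print("rejected:", exc)
```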