Do I need to sanitize user input before inserting in MongoDB (MongoDB+Node js combo)

清歌不尽 2021-02-07 05:51

I'm using MongoDB with NodeJS and am wondering if I need to sanitize data before inserting/updating database documents. It's hard to find a definite answer and I'm wondering if t

2 answers
  • 2021-02-07 06:15

    If you store your data as a String and you are not parsing it to execute a Mongo command, then there is nothing much to worry about.

    Nice article on security

    http://cr.yp.to/qmail/guarantee.html

    The only problem occurs when you are retrieving the user input and parsing that input to execute a Mongo command; here you will need to take care to sanitize the input, or else you will get attacked.

    There is an npm package to do that for you

    https://www.npmjs.com/package/mongo-sanitize

    and a nice article on this too

    https://thecodebarbarian.wordpress.com/2014/09/04/defending-against-query-selector-injection-attacks/

  • 2021-02-07 06:36

    Yes, you do. For more information check this out: https://www.npmjs.com/package/content-filter

    Also the native escape() method might be used to protect the database.

    Run the code snippet below to see the results.

    // A string that looks like a query operator object
    let a = "{$gt:25}"
    console.log(a)          // prints {$gt:25}
    console.log(escape(a))  // prints %7B%24gt%3A25%7D (braces, $ and : are percent-encoded)

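Putting the two answers together, here is an added example (not code from the thread, nor from the mongo-sanitize package) of the two defences they describe: stripping `$`-prefixed keys the way mongo-sanitize is documented to, and the stricter option of accepting only plain strings. The request body, the helper names and the login-filter shape are constructed for the example.

```javascript
// Added example (not from the thread or from mongo-sanitize itself).
// A body parser such as qs turns `password[$gt]=` into { password: { $gt: '' } },
// so an object can reach a filter built straight from req.body. Two defences:
// sanitize() drops every key starting with '$' at any depth (what mongo-sanitize
// is documented to do); requireString() accepts only plain strings (stricter).

function hasOperatorKey(value) {
  // Detection helper: true if any nested key starts with '$'.
  if (Array.isArray(value)) return value.some(hasOperatorKey);
  if (value !== null && typeof value === 'object') {
    return Object.entries(value).some(
      ([k, v]) => k.startsWith('$') || hasOperatorKey(v)
    );
  }
  return false;
}

function sanitize(value) {
  // Returns a copy with every '$'-prefixed key removed; input is not mutated.
  if (Array.isArray(value)) return value.map(sanitize);
  if (value !== null && typeof value === 'object') {
    const clean = {};
    for (const [k, v] of Object.entries(value)) {
      if (!k.startsWith('$')) clean[k] = sanitize(v);
    }
    return clean;
  }
  return value;
}

function requireString(value, name) {
  // Operators can only hide inside objects, so only a string is acceptable.
  if (typeof value !== 'string') throw new TypeError(`${name} must be a string`);
  return value;
}

function buildLoginFilter(body) {
  // Hardened form of the common `{ username: body.username, password: body.password }`.
  return {
    username: requireString(body.username, 'username'),
    password: requireString(body.password, 'password'),
  };
}

// Constructed request body: the classic "password always matches" payload.
const untrusted = { username: 'admin', password: { $gt: '' } };
console.log(hasOperatorKey(untrusted));           // true
console.log(JSON.stringify(sanitize(untrusted))); // {"username":"admin","password":{}}
```

Note that after sanitizing, the filter still contains `password: {}`, which only matches a document whose password field is literally an empty object; rejecting non-string fields up front, as buildLoginFilter does, avoids that odd query entirely.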