Do I need to sanitize user input before inserting in MongoDB (MongoDB+Node js combo)

Question

I\'m using MongoDB with NodeJS and am wondering if I need to sanitize data before inserting/updating database documents. Its hard to find definite answer and I\'m wondering if t

Answer 1

If you store your data as String and you are not parsing it to execute Mongo command, then there is nothing much to worry about it.

Nice article on security

http://cr.yp.to/qmail/guarantee.html

The only problem occurs when you are retrieving the user input, and you parse that input to execute the Mongo command, here you will need to take care to sanitize the input, or else you will get attack.

There is a npm package to do that for you

https://www.npmjs.com/package/mongo-sanitize

and nice article on this too

https://thecodebarbarian.wordpress.com/2014/09/04/defending-against-query-selector-injection-attacks/

Answer 2

Yes, you do. For more information check this out; https://www.npmjs.com/package/content-filter

Also native escape() method might be used for to protect the database.

Run the code snippet below to see the results.

let a = "{$gt:25}"
console.log(a)
console.log(escape(a))