
Security concerns while using MongoDB PHP driver

I have experiences with securing sql injections on MYSQL, but what should I be careful on MongoDB using php driver? In most of the pages I get data via GET/POST and searching/inserting the system. I search via UDID / other fields, and can insert any string value. Also I get user's cookies via javascript.

  1. So when GET/POST, I'm adding to each variable htmlentities function?

  2. What would replace mysql_real_escape_string? Should I use it?

So, for example, when doing

$download = array( 'url' => $_GET['url'] );

$downloads->insert($download); 

Is this OK?

  3. Is there a way to check if a string is really a UID?

  4. Anything else I should be aware of when using MongoDB and PHP? I do get my cookies using javascript, and searching in my DB using the cookies. What about that?

Eli_Rozen asked Jan 21 '12 19:01


2 Answers

So when GET/POST, I'm adding to each variable htmlentities function?

No need to. You should however, use htmlentities when outputting user-generated data to a browser, to prevent XSS attacks.

What would replace mysql_real_escape_string? Should I use it?

You shouldn't use mysql_real_escape_string as it's for MySQL. Nothing replaces this on MongoDB, the driver takes care of escaping the data for you.

Is there a way to check if a string is really a UID?

The only way to validate it is to query MongoDB with that string and check if it exists.

You can however, validate if the format is correct:

// A well-formed ObjectId string: 24 hexadecimal characters.
// The id the MongoId object reports back equals the input.
$id = '4f1b166d4931b15415000000';
$a = new MongoId($id);
var_dump($a->{'$id'} == $id); // true

// Not a valid ObjectId string: the driver generates a fresh id instead,
// so the comparison with the input fails.
$id = 'foo';
$a = new MongoId($id);
var_dump($a->{'$id'} == $id); // false

Anything else I should be aware of when using MongoDB and PHP? I do get my cookies using javascript, and searching in my DB using the cookies. What about that?

Not much. As for any web application, you are very discouraged from storing sensitive data in cookies, such as user identifiers, passwords, etc., as they can easily be tampered with and used to access parts of your application that should be restricted, or to impersonate other users.

netcoder answered Oct 26 '22 15:10
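The format check netcoder describes, carried a step further as an added example (this is not code from the answer or from the MongoDB driver project). It assumes PHP 7.1+ with the current `mongodb` extension, whose `MongoDB\BSON\ObjectId` plays the role of the legacy `MongoId` used above; the `MONGODB_URI` environment variable and the `app.downloads` namespace are constructed for the example.

```php
<?php
// Added example; not code from netcoder's answer. Assumes PHP 7.1+ with the
// current "mongodb" extension (MongoDB\BSON\ObjectId). The answer above uses
// the older "mongo" extension's MongoId class; the validation idea is the same.

/**
 * Driver-independent format check: an ObjectId string is exactly
 * 24 hexadecimal characters. This runs before touching the database.
 */
function isWellFormedObjectId($value): bool
{
    return is_string($value) && preg_match('/\A[0-9a-f]{24}\z/i', $value) === 1;
}

/**
 * Convert untrusted request input into an ObjectId, or return null.
 * Request values can be arrays (?id[]=...), so the is_string() check in
 * isWellFormedObjectId() matters: an array must never reach the query.
 */
function toObjectId($value): ?MongoDB\BSON\ObjectId
{
    if (!isWellFormedObjectId($value)) {
        return null;
    }
    try {
        return new MongoDB\BSON\ObjectId($value);
    } catch (MongoDB\Driver\Exception\InvalidArgumentException $e) {
        return null; // defensive: the regex already excludes this case
    }
}

/**
 * Look the id up; only a query can prove that the document exists.
 * $namespace is "database.collection" (a constructed name below).
 */
function findById(MongoDB\Driver\Manager $manager, string $namespace, MongoDB\BSON\ObjectId $id): ?object
{
    $query  = new MongoDB\Driver\Query(['_id' => $id], ['limit' => 1]);
    $docs   = $manager->executeQuery($namespace, $query)->toArray();
    return $docs[0] ?? null;
}

// Constructed sample inputs: the valid id from the answer, a non-hex string,
// a hex string of the wrong length, and an array as produced by ?id[]=...
$samples = [
    '4f1b166d4931b15415000000',
    'foo',
    '4f1b166d4931b154150000',
    ['4f1b166d4931b15415000000'],
];
foreach ($samples as $candidate) {
    $oid = toObjectId($candidate);
    printf("%-32s -> %s\n", json_encode($candidate), $oid === null ? 'rejected' : "ok ($oid)");
}

// Only contact a server when one is configured. MONGODB_URI is an assumed
// environment variable, e.g. mongodb://localhost:27017
if ($uri = getenv('MONGODB_URI')) {
    $manager = new MongoDB\Driver\Manager($uri);
    $doc = findById($manager, 'app.downloads', toObjectId('4f1b166d4931b15415000000'));
    echo $doc === null ? "no such document\n" : 'found: ' . json_encode($doc) . "\n";
}
```

With the legacy extension the equivalent of the regex is `MongoId::isValid($string)` (driver 1.5.0 and later); with the current extension the `ObjectId` constructor throws `InvalidArgumentException` on a malformed string. Either way the format check only tells you the string could be an id; as the answer says, existence still needs the lookup, which is why `findById()` is kept separate.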


Btw I think something is missing, for example

    yourdomain.com/login?username=admin&passwd[$ne]=1

In Sql this looks like this

    SELECT * FROM collection
    WHERE username="admin",
    AND passwd!=1

The way I know is valid to escape these situations is to know what type of data you expect and cast it. Hope the answer was useful

gprusiiski answered Oct 26 '22 14:10
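The operator injection gprusiiski points out, and the type casting he recommends against it, as an added example (not code from the answer). It assumes PHP 7.1+ with the `mongodb` extension; the `app.users` collection and the `username`/`passwd` field names are constructed to match the query string in the answer.

```php
<?php
// Added example; not code from gprusiiski's answer. Assumes PHP 7.1+ with the
// "mongodb" extension. Collection and field names are constructed.

/**
 * Vulnerable: request values go into the filter untouched. PHP decodes
 * ?username=admin&passwd[$ne]=1 into ['passwd' => ['$ne' => '1']], so the
 * filter becomes {username: "admin", passwd: {$ne: "1"}} and matches the
 * admin document for any stored password other than the string "1".
 */
function loginFilterUnsafe(array $request): array
{
    return [
        'username' => $request['username'] ?? null,
        'passwd'   => $request['passwd'] ?? null,
    ];
}

/**
 * Fetch a request field as a plain string, or throw. An operator object
 * always arrives as a PHP array, so is_string() alone closes this hole;
 * the length cap bounds what is sent to the server.
 */
function requireString(array $request, string $key, int $maxLength = 256): string
{
    if (!isset($request[$key]) || !is_string($request[$key])) {
        throw new InvalidArgumentException("$key must be a string");
    }
    if (strlen($request[$key]) > $maxLength) {
        throw new InvalidArgumentException("$key is too long");
    }
    return $request[$key];
}

/**
 * Hardened: every field is cast to the scalar type the schema expects
 * before it is used in a filter, which is the advice in the answer above.
 */
function loginFilterSafe(array $request): array
{
    return [
        'username' => requireString($request, 'username'),
        'passwd'   => requireString($request, 'passwd'),
    ];
}

/**
 * Running a filter against the server (not called below, since the example
 * runs without a database). In a real application store a password_hash(),
 * look the user up by username only, and password_verify() in PHP rather
 * than querying on the password field at all.
 */
function findUser(MongoDB\Driver\Manager $manager, array $filter): ?object
{
    $docs = $manager->executeQuery('app.users', new MongoDB\Driver\Query($filter, ['limit' => 1]))->toArray();
    return $docs[0] ?? null;
}

// Constructed inputs: the query string from the answer, and a benign login.
parse_str('username=admin&passwd[$ne]=1', $injected);
$benign = ['username' => 'admin', 'passwd' => 'correct horse'];

echo 'unsafe filter: ', json_encode(loginFilterUnsafe($injected)), "\n";

try {
    loginFilterSafe($injected);
} catch (InvalidArgumentException $e) {
    echo 'safe filter:   rejected (', $e->getMessage(), ")\n";
}
echo 'safe filter:   ', json_encode(loginFilterSafe($benign)), "\n";
```

The same rule applies to every field read from `$_GET`, `$_POST` or a cookie and placed into a filter or an insert: decide the scalar type first (`(string)`, `(int)`, a parsed `ObjectId`), reject arrays, and only then build the query array. The driver escapes string values, as netcoder says, but it cannot know that a nested array was meant as data rather than as an operator.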