function _cleanInput($string) {
    // Drop every character that is not a letter, digit or whitespace
    $new_string = preg_replace('/[^a-zA-Z0-9\s]/', '', $string);
    // Turn spaces into hyphens and normalise the case
    $new_string = str_replace(" ", "-", $new_string);
    $new_string = strtolower($new_string);
    return $new_string;
}
A similar vulnerability is if you're passing JavaScript to the
database: make sure you pass user input as part of the scope, not
embedded in the JavaScript. For example, if you do this:
$func = "function(x) { print('{$_POST['name']}'); }";
the user could post "'); db.users.drop(); print('haha" which would
turn your function into
$func = "function(x) { print(''); db.users.drop(); print('haha'); }";
So, just use the MongoCode class and pass user input as part of the scope
parameter:
$func = new MongoCode("function(x) { print(name); }", array("name" => $_POST['name']));
If we would like to perform a regex search with MongoDB ... I believe we
may concatenate the input into the query regex like ... /.*$input.*/
A bad guy can select * from that collection with no regex protection
implemented :)
i.e.
{ foo : /select * .../ }
is handled correctly because it's not a string-based query language, it's BSON.
Oh, if you allow a user to specify an arbitrary collection, they could
conceivably run commands, but at that point the user would already be
pretty trusted.
On Tue, Feb 16, 2010 at 1:02 AM, mr.kschan <mr.k...@gmail.com> wrote:
On Feb 16, 2:04 pm, Eliot Horowitz <eliothorow...@gmail.com> wrote:
> if you're just using the regular query language, regex injection
> wouldn't matter.
>
> i.e.
> { foo : /select * .../ }
> is handled correctly because it's not a string-based query language, it's BSON.
Isn't simply passing a JavaScript regex preferable to passing a regular
query?
I would like to know more about these two options.
You should build a regex in your native language, and then use that.
On Feb 19, 11:51 am, Eliot Horowitz <eliothorow...@gmail.com> wrote:
> Don't understand your question...
>
> You should build a regex in your native language, and then use that.
The previous post mentioned using the regular query language instead of a regex
to prevent injection.
My question was whether passing a native regex to the mongo driver
will make the query faster than a regular query.
On Sat, Feb 20, 2010 at 1:19 AM, mr.kschan <mr.k...@gmail.com> wrote:
On Feb 16, 2:04 pm, Eliot Horowitz <eliothorow...@gmail.com> wrote:
> if you're just using the regular query language, regex injection
> wouldn't matter.
> i.e.
> { foo : /select * .../ }
> is handled correctly because it's not a string-based query language, it's BSON.
Is { foo : /select * .../ } performing the same as
{ foo : /.*pattern.*/ }?
There's no way to perform harmful side effects, but if all access
control is implemented in the web app, wouldn't it be possible for an
attacker to use an evil regex to get access to data he's not supposed
to see?
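The two issues raised in this thread side by side, as an added example that is not from the thread, the PHP driver or MongoDB itself: the string-spliced JavaScript from the first post beside the scope-passing form that MongoCode uses, and the concatenated /.*$input.*/ regex beside one that escapes the input first (the "build a regex in your native language" advice). It is written in Python rather than PHP so it runs with no MongoDB driver installed; the function names, the sample name list and the extended-JSON dict standing in for a MongoCode object are assumptions.

```python
import re

# Constructed sample values; the JavaScript payload is the one quoted in the first post.
NORMAL_NAME = "alice"
JS_PAYLOAD = "'); db.users.drop(); print('haha"
NAMES = ["alice", "bob", "carol"]  # constructed stand-in for one field across a collection


def js_func_unsafe(name):
    """The vulnerable pattern: user input is spliced into the JavaScript source."""
    return "function(x) { print('" + name + "'); }"


def js_func_scoped(name):
    """The MongoCode(code, scope) pattern in extended-JSON form (assumed layout):
    the source is a fixed string and the user value travels as scope variable `name`."""
    return {"$code": "function(x) { print(name); }", "$scope": {"name": name}}


def statement_count(js_src):
    """Count top-level statements in the function body (one per ';'), which shows
    that the unsafe build gains statements from the payload and the scoped one does not."""
    body = js_src[js_src.index("{") + 1 : js_src.rindex("}")]
    return body.count(";")


def regex_unsafe(user_input):
    """Raw input concatenated into /.*input.*/, as in the question above."""
    return re.compile(".*" + user_input + ".*")


def regex_safe(user_input):
    """Build the regex in the native language and escape the input first, so
    metacharacters such as '.', '*' and '|' are matched literally."""
    return re.compile(".*" + re.escape(user_input) + ".*")


def matching_names(pattern, names=NAMES):
    """Return the names the pattern would select from the sample field values."""
    return [n for n in names if pattern.fullmatch(n)]


if __name__ == "__main__":
    print(js_func_unsafe(JS_PAYLOAD))          # three statements: payload left the string literal
    print(js_func_scoped(JS_PAYLOAD))          # one statement: payload stays a scope value
    print(matching_names(regex_unsafe(".*")))  # every document, not just the intended match
    print(matching_names(regex_safe(".*")))    # none: '.*' is now a literal
```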