Do I have to worry about SQL Injection?

996 views
Skip to first unread message

sdotsen

unread,
Feb 13, 2010, 6:14:06 PM2/13/10
to mongodb-user
I'm using codeigniter for my PHP projects. Anything in particular I
should worry about.
I have a function that I call prior to passing it through mongodb.

function _cleanInput($string) {
$new_string = preg_replace('/[^a-zA-Z0-9\s]/', '', $string);
$new_string = str_replace(" ","-",$new_string);
$new_string = strtolower($new_string);

return $new_string;
}

Kristina Chodorow

unread,
Feb 13, 2010, 7:39:40 PM2/13/10
to mongod...@googlegroups.com
No, you shouldn't have to worry about it. The only injection-type
attack would be using a key containing '\0' and that's taken care of
in PHP.

A similar vulnerability is if you're passing JavaScript to the
database: make sure you pass user input as part of the scope, not
embedded in the JavaScript. For example, if you do this:

$func = "function(x) { print('$_POST['name']'); }";

the user could post "'); db.users.drop(); print('haha" which would
turn your function into

$func = "function(x) { print(''); db.users.drop(); print('haha'); }";

So, just user MongoCode class and pass user input as part of the scope
parameter:

$func = new MongoCode("function(x) { print(name); }", array("name" =>
$_POST['name']));

> --
> You received this message because you are subscribed to the Google Groups "mongodb-user" group.
> To post to this group, send email to mongod...@googlegroups.com.
> To unsubscribe from this group, send email to mongodb-user...@googlegroups.com.
> For more options, visit this group at http://groups.google.com/group/mongodb-user?hl=en.
>
>

mr.kschan

unread,
Feb 16, 2010, 1:02:34 AM2/16/10
to mongodb-user
how about considering regex injection instead?

if we would like to perform a regex search by mongodb ... i believe we
may concatenate the input into the query regex like ... /.*$input.*/
bad guy can select * from that collection with no regex protection
implemented :)

Eliot Horowitz

unread,
Feb 16, 2010, 1:04:45 AM2/16/10
to mongod...@googlegroups.com
if your'e just using the reqular query language, regex injection
wouldn't matter.

i.e
{ foo : /select * .../ }
is handled correctly because its not a string based query language, its BSON.

Mathias Stearn

unread,
Feb 16, 2010, 2:34:09 AM2/16/10
to mongod...@googlegroups.com
The two big things you need to prevent are putting untrusted code in a
javascript clause (use scope vars instead) and allowing user control
of both the key and value in a query. If a user can modify the key
they can make a query like {$where: 'evil JS code'}. In 1.3.x it will
currently fail to get the writelock, but you may not want to depend on
this behavior.

Oh, if you allow a user to specify an arbitrary collection, they could
conceivably run commands, but at that point the user would already be
pretty trusted.

On Tue, Feb 16, 2010 at 1:02 AM, mr.kschan <mr.k...@gmail.com> wrote:

mr.kschan

unread,
Feb 18, 2010, 10:47:49 PM2/18/10
to mongodb-user

On Feb 16, 2:04 pm, Eliot Horowitz <eliothorow...@gmail.com> wrote:
> if your'e just using the reqular query language, regex injection
> wouldn't matter.
>
> i.e
> { foo : /select * .../ }
> is handled correctly because its not a string based query language, its BSON.
>
>

Doesn't simply passing javascript regex is more preferable than
passing regular query?

Would like to know more about these two options.

Eliot Horowitz

unread,
Feb 18, 2010, 10:51:15 PM2/18/10
to mongod...@googlegroups.com
Don't understand your question...

You should build a regex in your native language, and then use that.

mr.kschan

unread,
Feb 20, 2010, 1:19:16 AM2/20/10
to mongodb-user

On Feb 19, 11:51 am, Eliot Horowitz <eliothorow...@gmail.com> wrote:
> Don't understand your question...
>
> You should build a regex in your native language, and then use that.

previous post mentioned to use regular query language instead of regex
to prevent injection.
My question was that ... whether passing native regex to mongo driver
will make the query faster than regular query.

Eliot Horowitz

unread,
Feb 20, 2010, 1:20:35 AM2/20/10
to mongod...@googlegroups.com
what do you mean regular query?
passing a native regex in an object filter is faster than using
db.eval for example...

Mathias Stearn

unread,
Feb 20, 2010, 1:29:14 AM2/20/10
to mongod...@googlegroups.com
regex is part of the regular query syntax. they are not two separate things.

On Sat, Feb 20, 2010 at 1:19 AM, mr.kschan <mr.k...@gmail.com> wrote:
>
>

mr.kschan

unread,
Feb 20, 2010, 11:39:24 PM2/20/10
to mongodb-user
that is to say ...

On Feb 16, 2:04 pm, Eliot Horowitz <eliothorow...@gmail.com> wrote:
> if your'e just using the reqular query language, regex injection
> wouldn't matter.
> i.e
> { foo : /select * .../ }
> is handled correctly because its not a string based query language, its BSON.

{ foo : /select * .../ } is performing the same as
{ foo : /.*pattern.*/ } ??

Eliot Horowitz

unread,
Feb 21, 2010, 7:38:21 AM2/21/10
to mongod...@googlegroups.com
It's not that they are the same, but that there is no way to do harm
with a bs regex. The problem with SQL injection is that you can change
the nature of a query. I.e. Combine results with another arbitrary
table stealing data. Here, the regex won't make any sense, but won't
hurt anything

>>>>> To post to this group, send email to mongodb-
>>>>> us...@googlegroups.com.

Guan

unread,
Feb 21, 2010, 10:02:35 AM2/21/10
to mongodb-user
On Feb 21, 7:38 am, Eliot Horowitz <eliothorow...@gmail.com> wrote:
> It's not that they are the same, but that there is no way to do harm  
> with a bs regex. The problem with SQL injection is that you can change  
> the nature of a query. I.e. Combine results with another arbitrary  
> table stealing data. Here, the regex won't make any sense, but won't  
> hurt anything

There's no way to perform harmful side effects, but if all access
control is implemented in the web app, wouldn't it be possible for an
attacker to use an evil regex to get access to data he's not supposed
to see?

Eliot Horowitz

unread,
Feb 21, 2010, 10:33:11 AM2/21/10
to mongod...@googlegroups.com
If you use a regex query for access control, then its conceivable.
But have never seen anyone do any access control that way...

> --
> You received this message because you are subscribed to the Google Groups "mongodb-user" group.
> To post to this group, send email to mongod...@googlegroups.com.
> To unsubscribe from this group, send email to mongodb-user...@googlegroups.com.

Reply all
Reply to author
Forward
0 new messages