Security concerns while using MongoDB PHP driver

Published 2020-07-06 08:05

Question:

I have experience with securing against SQL injection on MySQL, but what should I be careful about on MongoDB using the PHP driver? In most of the pages I get data via GET/POST and search/insert into the system. I search via UDID / other fields, and can insert any string value. Also I get users' cookies via JavaScript.

  1. So on GET/POST, should I apply the htmlentities function to each variable?

  2. What would replace mysql_real_escape_string? Should I use it?

So, for example, when doing

$download = array( 'url' => $_GET['url'] );

$downloads->insert($download); 

Is this OK?

  1. Is there a way to check if a string is really a UID?

  2. Anything else I should be aware of when using MongoDB and PHP? I get my cookies using JavaScript and search my DB using the cookies. What about that?

Answer 1:

So on GET/POST, should I apply the htmlentities function to each variable?

No need to. You should, however, use htmlentities when outputting user-generated data to a browser, to prevent XSS attacks.

What would replace mysql_real_escape_string? Should I use it?

You shouldn't use mysql_real_escape_string, as it's for MySQL. Nothing replaces it on MongoDB; the driver takes care of escaping the data for you.

Is there a way to check if a string is really a UID?

The only way to validate it is to query MongoDB with that string and check if it exists.

You can, however, validate that the format is correct:

// Legacy mongo extension (MongoId); the current mongodb extension uses MongoDB\BSON\ObjectId instead
$id = '4f1b166d4931b15415000000';
$a = new MongoId($id);
var_dump($a->{'$id'} == $id); // true: a 24-character hex string round-trips unchanged

$id = 'foo';
$a = new MongoId($id);
var_dump($a->{'$id'} == $id); // false: an invalid string does not round-trip

Anything else I should be aware of when using MongoDB and PHP? I get my cookies using JavaScript and search my DB using the cookies. What about that?

Not much. As for any web application, you are strongly discouraged from storing sensitive data in cookies, such as user identifiers, passwords, etc., as they can easily be tampered with and used to access parts of your application that should be restricted, or to impersonate other users.



Answer 2:

Btw, I think something is missing. For example:

    yourdomain.com/login?username=admin&passwd[$ne]=1

In SQL this looks like this:

    SELECT * FROM collection
    WHERE username = "admin"
    AND passwd != 1

The way I know is valid to escape these situations is to know what type of data you expect and cast it. Hope the answer was useful.



Answer 3:

Yes, you do need to escape!

Imagine code like this:

<?php
// Both values come straight from the query string; PHP turns
// password[$ne]=xxx into a nested array, which Mongo reads as an operator
$login = $users->findOne( [
    'user_id' => $_GET['uid'],
    'password' => $_GET['password']
] );
?>

And the request is:

https://example.com/login?uid=3&password[$ne]=xxx

This will pass the login!!
You must convert the GET/POST values to strings.
No need to escape quotes, etc.

In your case, to prevent arrays as 'url':

$download = array( 'url' => (string)$_GET['url'] );
$downloads->insert($download);
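A worked version of the type-casting defence from the answers above, as an added example that is not code from the original posts. It rejects any request value that is not a scalar before it can reach a Mongo filter, and checks the UID for the 24-hex ObjectId format; the field names and the constructed inputs are assumptions.

```php
<?php
// Added example: refuse non-scalar request values so a query-string
// key like password[$ne]=xxx can never become an operator in a filter.
declare(strict_types=1);

// Return the request value for $key as a plain string, or throw if it is
// missing or not a scalar (PHP turns key[$ne]=1 into an array).
function requestString(array $input, string $key, int $maxLen = 256): string
{
    if (!array_key_exists($key, $input) || !is_scalar($input[$key])) {
        throw new InvalidArgumentException("Parameter '$key' must be a scalar string");
    }
    $value = (string) $input[$key];
    if (strlen($value) > $maxLen) {
        throw new InvalidArgumentException("Parameter '$key' is too long");
    }
    return $value;
}

// A 24-character hex string is the textual form of a BSON ObjectId.
function isObjectIdHex(string $value): bool
{
    return preg_match('/\A[0-9a-fA-F]{24}\z/', $value) === 1;
}

// Build the login filter from untrusted input. Only scalars get through,
// so the resulting array cannot carry a nested operator document.
// Note: matching the password inside the filter mirrors the answer above;
// in practice look the user up by id and check the hash with password_verify().
function buildLoginFilter(array $input): array
{
    $uid = requestString($input, 'uid');
    if (!isObjectIdHex($uid)) {
        throw new InvalidArgumentException('uid is not a valid ObjectId');
    }
    // Assumption: user_id is stored as the hex string; with the mongodb
    // extension you would wrap it in new MongoDB\BSON\ObjectId($uid).
    return ['user_id' => $uid, 'password' => requestString($input, 'password')];
}

// Constructed inputs, shaped as PHP would populate $_GET.
$benign  = ['uid' => '4f1b166d4931b15415000000', 'password' => 'secret'];
$hostile = ['uid' => '4f1b166d4931b15415000000', 'password' => ['$ne' => 'xxx']];

var_dump(buildLoginFilter($benign));   // two plain string values
try {
    buildLoginFilter($hostile);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";  // the array password is refused
}
```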