Security concerns while using MongoDB PHP driver

2020-07-06 08:32发布

I have experiences with securing sql injections on MYSQL, but what should I be careful on MongoDB using php driver? In most of the pages I get data via GET/POST and searching/inserting the system. I search via UDID / other fields, and can insert any string value. Also I get user's cookies via javascript.

  1. So when GET/POST, I'm adding to each variable htmlentities function?

  2. What would replace mysql_real_escape_string? Should I use it?

So, for example, when doing

$download = array( 'url' => $_GET['url'] );

$downloads->insert($download); 

Is this OK?

  1. Is there a way to check if a string is really a UID?

  2. Any think else I should be aware when using MongoDB and PHP? I do get my cookies using javascript, and searching in my DB using the cookies. What about that?

3条回答
beautiful°
2楼-- · 2020-07-06 08:48

Yes, you do need to escape!

Imagine code like that:

<?php
$login = $users->findOne( [
    'user_id' => $_GET['uid'],
    'password' => $_GET['password']
] );
?>

And the request is:

https://example.com/login?uid=3&password[$neq]=xxx

This will pass the login!!
You must to convert the GET/POST values to string.
No need to escape quotes, etc.

In your case, to prevent arrays as 'url':

$download = array( 'url' => (string)$_GET['url'] );
$downloads->insert($download); 
查看更多
做自己的国王
3楼-- · 2020-07-06 09:01

So when GET/POST, I'm adding to each variable htmlentities function?

No need to. You should however, use htmlentities when outputting user-generated data to a browser, to prevent XSS attacks.

What would replace mysql_real_escape_string? Should I use it?

You shouldn't use mysql_real_escape_string as it's for MySQL. Nothing replaces this on MongoDB, the driver takes care of escaping the data for you.

Is there a way to check if a string is really a UID?

The only way is to validate it is to query MongoDB with that string and check if it exists.

You can however, validate if the format is correct:

$id = '4f1b166d4931b15415000000';
$a = new MongoId($id);
var_dump($a->{'$id'} == $id); // true

$id = 'foo';
$a = new MongoId($id);
var_dump($a->{'$id'} == $id); // false

Any think else I should be aware when using MongoDB and PHP? I do get my cookies using javascript, and searching in my DB using the cookies. What about that?

Not much. As for any web application, you are very discouraged from storing sensitive data in cookies, such as user identifiers, passwords, etc. as they can easily be tempered with and used to access parts of your application that should be restricted, or impersonate other users.

查看更多
Lonely孤独者°
4楼-- · 2020-07-06 09:04

Btw i think something is missed for example

    yourdomain.com/login?username=admin&passwd[$ne]=1

In Sql this looks like this

    SELECT * FROM collection
    WHERE username="admin",
    AND passwd!=1

The way i know is valid to escape this sutiations is to know what type of data you expect and cast it. Hope the answer was useful

查看更多
登录 后发表回答