I have experience with securing against SQL injection on MySQL, but what should I be careful about on MongoDB using the PHP driver? In most of the pages I get data via GET/POST and search/insert into the system. I search via UDID / other fields, and can insert any string value. Also I get the user's cookies via JavaScript.
So for GET/POST, should I apply the htmlentities function to each variable?
What would replace mysql_real_escape_string? Should I use it?
So, for example, when doing
$download = array( 'url' => $_GET['url'] );
$downloads->insert($download);
Is this OK?
Is there a way to check if a string is really a UID?
Anything else I should be aware of when using MongoDB and PHP? I do get my cookies using JavaScript, and search in my DB using the cookies. What about that?
Yes, you do need to escape!
Imagine code like that:
And the request is:
This will pass the login!!
You must convert the GET/POST values to string.
No need to escape quotes, etc.
In your case, to prevent arrays as 'url':
No need to. You should, however, use htmlentities when outputting user-generated data to a browser, to prevent XSS attacks. You shouldn't use mysql_real_escape_string as it's for MySQL. Nothing replaces this on MongoDB; the driver takes care of escaping the data for you. The only way to validate it is to query MongoDB with that string and check if it exists.
You can, however, validate if the format is correct:
Not much. As for any web application, you are very discouraged from storing sensitive data in cookies, such as user identifiers, passwords, etc., as they can easily be tampered with and used to access parts of your application that should be restricted, or to impersonate other users.
Btw, I think something is missing, for example:
In SQL this looks like this:
The way I know is valid to escape these situations is to know what type of data you expect and cast it. Hope the answer was useful.
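A short PHP script, added here as an example and not taken from any of the answers, that reproduces the array trick described in the first answer and applies the last answer's advice (know the type you expect and cast it), plus a format check for an ObjectId string. It needs no MongoDB server; the function names and the query strings are constructed for the example.

```php
<?php
// Added example (not from the original post). It only builds the filter arrays
// that would be handed to the driver, so it runs without a database.

// Build what PHP puts in $_GET for a given query string. Inputs are constructed.
function parseQuery(string $qs): array {
    parse_str($qs, $out);
    return $out;
}

// Vulnerable: the value is used as-is, so user[$ne]=1 in the query string
// becomes ['$ne' => '1'] and the filter matches any user that is not "1".
function vulnerableFilter(array $get): array {
    return array('user' => $get['user'] ?? '', 'pass' => $get['pass'] ?? '');
}

// Hardened: operators can only arrive as arrays, so reject anything that is
// not a scalar and cast the rest to the string the query expects.
function asString($value): string {
    if (!is_scalar($value)) {
        throw new InvalidArgumentException('expected a scalar value');
    }
    return (string) $value;
}

function safeFilter(array $get): array {
    return array(
        'user' => asString($get['user'] ?? ''),
        'pass' => asString($get['pass'] ?? ''),
    );
}

// Format check for an ObjectId string: exactly 24 hexadecimal characters.
function looksLikeObjectId($id): bool {
    return is_string($id) && preg_match('/^[0-9a-f]{24}$/i', $id) === 1;
}

$evil = parseQuery('user[$ne]=1&pass[$ne]=1');   // constructed malicious input
var_dump(vulnerableFilter($evil));               // the operators reach the query
try {
    safeFilter($evil);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";   // hardened version refuses it
}
var_dump(safeFilter(parseQuery('user=alice&pass=secret')));
var_dump(looksLikeObjectId('507f1f77bcf86cd799439011'));  // constructed id
var_dump(looksLikeObjectId(array('$ne' => 1)));
```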