
"NoSQL Doesn’t Mean No SQL Injection"

I lol'd. Mind if I use that?

MongoDB is harder to secure and filter because you have all of Javascript to worry about, rather than just SQL (and where most servers can escape arguments themselves through prepared statements etc.).

SQL databases are also well understood (e.g., in MS-SQL I can stop the remainder of the statement from executing with '--'). MongoDB with its JS engine is still a big unknown.




Similarly:

"...secret squirrel double-plus alpha unrelease..."

Mind if I use that? It would be a terrific title for an animal fighting game I've been itching to make.


It's a snowclone of a line from Animal House.


...which also references 1984 and a Hanna Barbera cartoon. Of course it's less funny now that I've analyzed it, but still a good joke.


I haven't used MongoDB, but I think there is a fundamental difference in the way data is updated. I don't think you have to escape JavaScript in the user input, because you don't update by submitting a single String to execute. The user input is just data.


It depends on the client driver. They have insert, delete, save, etc., which send those commands with the user-supplied data encoded, but most of the drivers also have an exec or execute which dumps what the user enters straight onto the db.

e.g.

http://www.php.net/manual/en/mongodb.execute.php

"This method allows you to run arbitrary JavaScript on the database."


Most Mongo queries don't involve JavaScript, they're abusing a special operator.
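The operator abuse mentioned in the comment above, together with the JavaScript concatenation problem from the earlier comments about execute and `$where`, as an added example that is not from this thread and not MongoDB's or any driver's own code. A small in-memory matcher stands in for a handful of MongoDB query operators so the example runs without a database; the `users` documents, the request bodies and the login functions are constructed for illustration. The attack surface is real: a JSON body parser (or a query-string parser that turns `password[$ne]=` into an object) hands the application an object where it expected a string, and if that object is dropped into the query document it is interpreted as an operator.

```javascript
// Constructed sample collection; not real data.
const users = [
  { username: "alice", password: "s3cret" },
  { username: "bob", password: "hunter2" },
];

// Minimal stand-in for MongoDB's query matching so the example runs offline.
// Supports plain equality plus the $ne, $gt and $regex operators.
function matchesField(value, cond) {
  if (cond !== null && typeof cond === "object" && !Array.isArray(cond)) {
    return Object.entries(cond).every(([op, arg]) => {
      switch (op) {
        case "$ne": return value !== arg;
        case "$gt": return value > arg;
        case "$regex": return new RegExp(arg).test(String(value));
        default: throw new Error("unsupported operator " + op);
      }
    });
  }
  return value === cond;
}

function find(collection, query) {
  return collection.filter((doc) =>
    Object.entries(query).every(([field, cond]) => matchesField(doc[field], cond))
  );
}

// Vulnerable login: request-body values go straight into the query document.
// A body like {"username":"alice","password":{"$ne":""}} matches alice's
// document because "s3cret" !== "" is true; no password is needed.
function loginVulnerable(body) {
  return find(users, { username: body.username, password: body.password });
}

// Hardened login: accept only strings, so an operator object can never reach
// the query. (Hypothetical check; equivalent to what mongo-sanitize style
// libraries do by stripping "$"-prefixed keys.)
function loginHardened(body) {
  if (typeof body.username !== "string" || typeof body.password !== "string") {
    throw new TypeError("username and password must be strings");
  }
  return find(users, { username: body.username, password: body.password });
}

// The JavaScript flavour: a $where / execute string built by concatenation.
// Simulated here with the Function constructor, which evaluates the string
// with `this` bound to each document, as the server-side JS engine would.
// Input of  ' || '1'=='1  turns the predicate into
//   return this.username == '' || '1'=='1';
// which is true for every document.
function whereVulnerable(usernameInput) {
  const js = "return this.username == '" + usernameInput + "';";
  const pred = new Function(js);
  return users.filter((doc) => pred.call(doc));
}

// Safe equivalent: the value is data in a query document, never code.
function whereHardened(usernameInput) {
  return find(users, { username: String(usernameInput) });
}
```

The string check in `loginHardened` is the whole fix for the operator case: once a field can only be a string, the driver encodes it as a BSON string and `$ne`, `$gt` or `$regex` in its contents are just characters. For the `$where` case there is no escaping that makes concatenated JavaScript safe; the fix is to not build code from input at all, as `whereHardened` does.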



