<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="content-type" content="text/html; charset=UTF-8"> <title>Security</title> </head> <body><div class="manualnavbar" style="text-align: center;"> <div class="prev" style="text-align: left; float: left;"><a href="mongo.updates.html">Updates</a></div> <div class="next" style="text-align: right; float: right;"><a href="mongo.trouble.html">Troubleshooting</a></div> <div class="up"><a href="mongo.manual.html">Manual</a></div> <div class="home"><a href="index.html">PHP Manual</a></div> </div><hr /><div id="mongo.security" class="chapter"> <h1>Security</h1> <div class="section"> <h2 class="title">Request Injection Attacks</h2> <p class="para"> If you are passing <em>$_GET</em> parameters to your queries, make sure that they are cast to strings first. Users can insert associative arrays in GET requests, which could then become unwanted $-queries. </p> <p class="para"> A fairly innocuous example: suppose you are looking up a user's information with the request <em class="emphasis">http://www.example.com?username=bob</em>. Your application does the query <em>$collection->find(array("username" => $_GET['username']))</em>. </p> <p class="para"> Someone could subvert this by getting <em class="emphasis">http://www.example.com?username[$ne]=foo</em>, which PHP will magically turn into an associative array, turning your query into <em>$collection->find(array("username" => array('$ne' => "foo")))</em>, which will return all users not named "foo" (all of your users, probably). </p> <p class="para"> This is a fairly easy attack to defend against: make sure $_GET's parameters are the type you expect before you send them to the database (cast them to strings, in this case). </p> <p class="para"> Note that this type of attack can be used with any databases interation that locates a document, including updates, upserts, find-and-modifies, and removes. </p> <p class="para"> Thanks to <a href="http://www.idontplaydarts.com/2010/07/mongodb-is-vulnerable-to-sql-injection-in-php-at-least/" class="link external">» Phil</a> for pointing this out. </p> <p class="para"> See <a href="http://docs.mongodb.org/manual/security/" class="link external">» the main documentation</a> for more information about SQL-injection-like issues with MongoDB. </p> </div> <div class="section"> <h2 class="title">Script Injection Attacks</h2> <p class="para"> If you are using JavaScript, make sure that any variables that cross the PHP- to-JavaScript boundry are passed in the <em>scope</em> field of <a href="class.mongocode.html" class="classname">MongoCode</a>, not interpolated into the JavaScript string. This can come up when using <span class="function"><a href="mongodb.execute.html" class="function">MongoDB::execute()</a></span>, <em>$where</em> clauses, MapReduces, group-bys, and any other time you may pass JavaScript into the database. </p> <blockquote class="note"><p><strong class="note">Note</strong>: <p class="para"> MapReduce ignore the <em>scope</em> field of <a href="class.mongocode.html" class="classname">MongoCode</a>, but there is a <em>scope</em> option on the command that can be used instead. </p> </p></blockquote> <p class="para"> For example, suppose we have some JavaScript to greet a user in the database logs. We could do: </p> <div class="example-contents"> <div class="phpcode"><code><span style="color: #000000"> <span style="color: #0000BB"><?php<br /><br /></span><span style="color: #FF8000">// don't do this!<br /><br /></span><span style="color: #0000BB">$username </span><span style="color: #007700">= </span><span style="color: #0000BB">$_POST</span><span style="color: #007700">[</span><span style="color: #DD0000">'username'</span><span style="color: #007700">];<br /></span><span style="color: #0000BB">$db</span><span style="color: #007700">-></span><span style="color: #0000BB">execute</span><span style="color: #007700">(</span><span style="color: #DD0000">"print('Hello, </span><span style="color: #0000BB">$username</span><span style="color: #DD0000">!');"</span><span style="color: #007700">);<br /><br /></span><span style="color: #0000BB">?></span> </span> </code></div> </div> <p class="para"> However, what if a malicious user passes in some JavaScript? </p> <div class="example-contents"> <div class="phpcode"><code><span style="color: #000000"> <span style="color: #0000BB"><?php<br /><br /></span><span style="color: #FF8000">// don't do this!<br /><br />// $username is set to "'); db.users.drop(); print('"<br /></span><span style="color: #0000BB">$db</span><span style="color: #007700">-></span><span style="color: #0000BB">execute</span><span style="color: #007700">(</span><span style="color: #DD0000">"print('Hello, </span><span style="color: #0000BB">$username</span><span style="color: #DD0000">!');"</span><span style="color: #007700">);<br /><br /></span><span style="color: #0000BB">?></span> </span> </code></div> </div> <p class="para"> Now MongoDB executes the JavaScript string <em>"print('Hello, '); db.users.drop(); print('!');"</em>. This attack is easy to avoid: use <em>scope</em> to pass variables from PHP to JavaScript: </p> <div class="example-contents"> <div class="phpcode"><code><span style="color: #000000"> <span style="color: #0000BB"><?php<br /><br />$scope </span><span style="color: #007700">= array(</span><span style="color: #DD0000">"user" </span><span style="color: #007700">=> </span><span style="color: #0000BB">$username</span><span style="color: #007700">);<br /></span><span style="color: #0000BB">$db</span><span style="color: #007700">-></span><span style="color: #0000BB">execute</span><span style="color: #007700">(new </span><span style="color: #0000BB">MongoCode</span><span style="color: #007700">(</span><span style="color: #DD0000">"print('Hello, '+user+'!');"</span><span style="color: #007700">, </span><span style="color: #0000BB">$scope</span><span style="color: #007700">));<br /><br /></span><span style="color: #0000BB">?></span> </span> </code></div> </div> <p class="para"> This adds a variable <em>user</em> to the JavaScript scope. Now if someone tries to send malicious code, MongoDB will harmlessly print <em>Hello, '); db.dropDatabase(); print('!</em>. </p> <p class="para"> Using <em>scope</em> helps prevent malicious input from being executed by the database. However, you must make sure that your code does not turn around and execute the input anyway! For example, never use the JavaScript <em>eval</em> function on user input: </p> <div class="example-contents"> <div class="cdata"><pre> <?php // don't do this! // $jsShellInput is "db.users.drop();" $scope = array("input" => $jsShellInput); $db->execute(new MongoCode("eval(input);", $scope)); ?> </pre></div> </div> <p class="para"> Always use <em>scope</em> and never allow the database to execute user input as code. </p> </div> </div> <hr /><div class="manualnavbar" style="text-align: center;"> <div class="prev" style="text-align: left; float: left;"><a href="mongo.updates.html">Updates</a></div> <div class="next" style="text-align: right; float: right;"><a href="mongo.trouble.html">Troubleshooting</a></div> <div class="up"><a href="mongo.manual.html">Manual</a></div> <div class="home"><a href="index.html">PHP Manual</a></div> </div></body></html>