<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="content-type" content="text/html; charset=UTF-8"> <title>Request Injection Attacks</title> </head> <body><div class="manualnavbar" style="text-align: center;"> <div class="prev" style="text-align: left; float: left;"><a href="mongodb.security.html">Security</a></div> <div class="next" style="text-align: right; float: right;"><a href="mongodb.security.script_injection.html">Script Injection Attacks</a></div> <div class="up"><a href="mongodb.security.html">Security</a></div> <div class="home"><a href="index.html">PHP Manual</a></div> </div><hr /><div id="mongodb.security.request_injection" class="article"> <h1>Request Injection Attacks</h1> <p class="para"> If you are passing <em>$_GET</em> (or <em>$_POST</em>) parameters to your queries, make sure that they are cast to strings first. Users can insert associative arrays in GET and POST requests, which could then become unwanted $-queries. </p> <p class="para"> A fairly innocuous example: suppose you are looking up a user's information with the request <em class="emphasis">http://www.example.com?username=bob</em>. Your application creates the query <em>$q = new \MongoDB\Driver\Query( [ 'username' => $_GET['username'] ])</em>. </p> <p class="para"> Someone could subvert this by getting <em class="emphasis">http://www.example.com?username[$ne]=foo</em>, which PHP will magically turn into an associative array, turning your query into <em>$q = new \MongoDB\Driver\Query( [ 'username' => [ '$ne' => 'foo' ] ] )</em>, which will return all users not named "foo" (all of your users, probably). </p> <p class="para"> This is a fairly easy attack to defend against: make sure $_GET and $_POST parameters are the type you expect before you send them to the database. PHP has the <span class="function"><a href="function.filter-var.html" class="function">filter_var()</a></span> function to assist with this. </p> <p class="para"> Note that this type of attack can be used with any database interaction that locates a document, including updates, upserts, deletes, and findAndModify commands. </p> <p class="para"> See <a href="https://docs.mongodb.com/manual/security/" class="link external">» the main documentation</a> for more information about SQL-injection-like issues with MongoDB. </p> </div> <hr /><div class="manualnavbar" style="text-align: center;"> <div class="prev" style="text-align: left; float: left;"><a href="mongodb.security.html">Security</a></div> <div class="next" style="text-align: right; float: right;"><a href="mongodb.security.script_injection.html">Script Injection Attacks</a></div> <div class="up"><a href="mongodb.security.html">Security</a></div> <div class="home"><a href="index.html">PHP Manual</a></div> </div></body></html>
