使用 C# Driver for MongoDB 避免代码注入
我有以下代码来检查集合中是否已存在用户输入的电子邮件:
MongoDatabase authdb = DatabaseManager.GetDatabase("authdb");
var userDocuments = authdb.GetCollection<UserDocument>(UserDocument.CollectionName);
var doc = userDocuments.FindOne(new QueryDocument("email", email));
我认为使用用户提供的值(电子邮件)为各种注入提供了机会,有点像 SQL 注入。这是一个真正的问题吗?如何解决这个问题?
I have the following code that checks if a user-entered email already exists in the collection:
MongoDatabase authdb = DatabaseManager.GetDatabase("authdb");
var userDocuments = authdb.GetCollection<UserDocument>(UserDocument.CollectionName);
var doc = userDocuments.FindOne(new QueryDocument("email", email));
I'm a little that using a value (email) supplied by user is opening an opportunity for sorts of injections, kind of like SQL injection. Is it a real problem and how to approach it then?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
官方文档在这里。
http://www.mongodb.org /display/DOCS/Do+I+Have+to+Worry+About+SQL+注入
Official docs are here.
http://www.mongodb.org/display/DOCS/Do+I+Have+to+Worry+About+SQL+Injection
正如文档所述,您需要注意的最大区域是 db.eval()。驱动程序的 .eval() 方法将被转换为等效的 javascript .eval 函数。在 javascript 中使用 .eval 时要格外小心,因为它会解析并执行传递给 eval 方法的字符串表示的代码。
As the documentation states, the biggest area you need to watch out for is db.eval(). The .eval() method for the driver is going to be translated to equivalent javascript .eval function. You want to be extra careful when using .eval in javascript because it parses and executes that code represented by the string passed into the eval method.