我是否需要在插入 MongoDB 之前清理用户输入(MongoDB+Node js 组合) [英] Do I need to sanitize user input before inserting in MongoDB (MongoDB+Node js combo)
问题描述
我将 MongoDB 与 NodeJS 一起使用,想知道在插入/更新数据库文档之前是否需要清理数据.很难找到明确的答案,我想知道是否有任何 Node 模块可以很好地做到这一点,或者我需要去除字符串中所有出现的 $ 或者根本不需要担心这个.我知道 PHP 有漏洞,但我使用的是 Node/Mongo(本机驱动程序)组合,但仍然不确定是否需要清理用户输入.
I'm using MongoDB with NodeJS and am wondering if I need to sanitize data before inserting/updating database documents. Its hard to find definite answer and I'm wondering if there are any Node modules that do it nicely or I need to strip all occurences of $ in strings or simply no need to worry about this. I know that PHP has holes but I'm using Node/Mongo (native driver) combo but still not sure if I need to do any cleaning of user input.
推荐答案
如果你将数据存储为 String 并且你没有解析它来执行 Mongo 命令,那么没有什么可担心的.
If you store your data as String and you are not parsing it to execute Mongo command, then there is nothing much to worry about it.
关于安全的好文章
http://cr.yp.to/qmail/guarantee.html
唯一的问题是当您检索用户输入并解析该输入以执行 Mongo 命令时,您需要注意清理输入,否则您将受到攻击.
The only problem occurs when you are retrieving the user input, and you parse that input to execute the Mongo command, here you will need to take care to sanitize the input, or else you will get attack.
有一个 npm 包可以为您做到这一点
There is a npm package to do that for you
https://www.npmjs.com/package/mongo-sanitize
还有关于这个的好文章
这篇关于我是否需要在插入 MongoDB 之前清理用户输入(MongoDB+Node js 组合)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
