This article introduces how NoSQL injection is handled in Python. It has some reference value for anyone facing the problem; interested readers can follow along below.

Problem description

When trying to write this question, I found this one; it is using Java, and in the answer it gave a Ruby example, and it seems that the injection happens only when using JSON? Because I have a presentation where I will try to compare NoSQL and SQL, and I was trying to say: be happy, NoSQL has no SQL injection since it's not SQL ...

Could you please explain:

  • How SQL injection happens when using the Python driver (pymongo).
  • How to avoid it.
  • A comparison with the old way of SQL injection, using comments in a login form.

Recommended answer

There are a couple of concerns with injection in MongoDB:

  • $where JS injection - Building JavaScript functions from user input can result in a query that behaves differently from what you expect. JavaScript functions in general are not a responsible way to program MongoDB queries, and it is highly recommended not to use them unless absolutely needed.
  • Operator injection - If you allow users to build (from the front end) a $or or something similar, they could easily abuse this ability to change your queries. This of course does not apply if you just take data from a set of text fields and manually build a $or from that data.
  • JSON injection - Quite a few people recently have been trying to convert a full JSON document sent from some client-side source (saw this first in Java, ironically) into a document for insertion into MongoDB. I shouldn't need to even go into why this is bad. A JSON value for a field is fine since, of course, MongoDB is BSON.

As @Burhan stated, injection comes from unsanitized input. Fortunately for MongoDB, it has object-oriented querying.

The problem with SQL injection comes from the word "SQL". SQL is a querying language built up of strings. On the other hand, MongoDB actually uses a BSON document (an object) to specify a query. If you keep to the basic common-sense rules I gave you above, you should never have a problem with an attack vector like:

SELECT * FROM tbl_user WHERE ='';DROP TABLE;

Also, MongoDB only supports one operation per command at the moment (without using eval; don't ever do that, though), so that wouldn't work anyway...

I should add that this does not apply to data-validation-only injection.
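The operator-injection and JSON-injection cases from the answer above, as an added example that is not part of the original question or answer. It shows a login check that passes client JSON straight into a pymongo-style filter document, the hardened version that only accepts string credentials, and a generic check that refuses `$`-prefixed or dotted field names in any client document before it reaches find()/insert_one(). No MongoDB server is needed: find_one() here is an assumed stand-in that models only equality, $ne, $gt and $regex matching, the user documents and request bodies are constructed, and all function names are this example's own.

```python
import json
import re
from typing import Any, Callable, Optional

# Constructed sample "collection": the documents MongoDB would hold.
USERS = [
    {"username": "admin", "password": "s3cret-admin"},
    {"username": "alice", "password": "wonderland"},
]


def _match_field(value: Any, cond: Any) -> bool:
    """Toy subset of MongoDB field matching (assumption: only equality,
    $ne, $gt and $regex are modelled; enough to show the problem)."""
    if isinstance(cond, dict) and cond and all(k.startswith("$") for k in cond):
        for op, arg in cond.items():
            if op == "$ne":
                if value == arg:
                    return False
            elif op == "$gt":
                if not (isinstance(value, type(arg)) and value > arg):
                    return False
            elif op == "$regex":
                if not (isinstance(value, str) and re.search(arg, value)):
                    return False
            else:
                raise ValueError(f"operator {op} not modelled in this toy matcher")
        return True
    return value == cond  # plain equality, as pymongo's {"field": "value"}


def find_one(filt: dict) -> Optional[dict]:
    """Stand-in for collection.find_one(filt): returns the first matching doc."""
    for doc in USERS:
        if all(_match_field(doc.get(k), v) for k, v in filt.items()):
            return doc
    return None


def unsafe_login_filter(request_json: str) -> dict:
    """Vulnerable: whatever JSON the client sent becomes the filter value.
    A password of {"$ne": ""} turns 'password equals X' into
    'password is not empty', which every real user document satisfies."""
    body = json.loads(request_json)
    return {"username": body["username"], "password": body["password"]}


def safe_login_filter(request_json: str) -> dict:
    """Hardened: credentials must be scalar strings, so the query shape is
    fixed and a value can never become an operator document."""
    body = json.loads(request_json)
    username, password = body.get("username"), body.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        raise ValueError("username and password must be strings")
    return {"username": username, "password": password}


def login(request_json: str, build_filter: Callable[[str], dict]) -> Optional[str]:
    """Returns the authenticated username, or None on failure/rejection."""
    try:
        filt = build_filter(request_json)
    except ValueError:
        return None
    doc = find_one(filt)
    return doc["username"] if doc else None


def reject_operator_keys(obj: Any) -> Any:
    """Walk a client-supplied document and refuse any key that starts with
    '$' or contains '.', so it cannot smuggle operators or dotted paths into
    an insert_one()/find() call. Returns obj unchanged when clean."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            if not isinstance(k, str) or k.startswith("$") or "." in k:
                raise ValueError(f"rejected field name: {k!r}")
            reject_operator_keys(v)
    elif isinstance(obj, list):
        for item in obj:
            reject_operator_keys(item)
    return obj


def is_clean_document(obj: Any) -> bool:
    try:
        reject_operator_keys(obj)
        return True
    except ValueError:
        return False


# Constructed request bodies: an honest login, a wrong password, and an
# attacker who knows no password and injects an operator instead.
HONEST = json.dumps({"username": "admin", "password": "s3cret-admin"})
WRONG = json.dumps({"username": "admin", "password": "guess"})
ATTACK = json.dumps({"username": "admin", "password": {"$ne": ""}})

if __name__ == "__main__":
    print("unsafe, attack :", login(ATTACK, unsafe_login_filter))  # admin
    print("safe,   attack :", login(ATTACK, safe_login_filter))    # None
    print("safe,   honest :", login(HONEST, safe_login_filter))    # admin
```

The point the answer makes is visible in the two builders: both produce a BSON document rather than a string, so the classic quote-and-comment payload has nowhere to go, but the vulnerable builder still lets the client choose the type of a value, and a dict value is interpreted as an operator expression. Enforcing the expected scalar type (or, for whole documents, refusing `$`/dotted keys) is the NoSQL equivalent of parameterising a SQL query.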


11-03 09:14