Problem description

Is there a common pattern in Java to avoid MongoDB injection attacks?

Thanks

Recommended answer

Use one of the supported drivers. Don't deserialize strings as JSON and pass them as queries, e.g. don't do this (in Ruby):

collection.send(query_type, JSON.parse(parameters))

where query_type and parameters are strings coming from a form. You would have to be criminally stupid to do this though.

Since there's no query language as such, there's not the same room for injection. Part of the reason that SQL injection attacks are possible is that the action to take (SELECT, UPDATE, DELETE, etc.) is part of the query string. MongoDB, and many other newer databases, don't work like that; instead, the action is a part of the API. Where SQL drivers only have query and in some cases exec, MongoDB has find, update, insert and remove.
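The pattern the answer warns against, next to a hardened form, as an added example that is not part of the original answer (Ruby, to match the answer's snippet). `FakeCollection`, `find_user`, `InvalidInput`, the `username` field and its character allowlist are hypothetical; the stand-in collection replaces a real driver so the block runs offline.

```ruby
require 'json'

# Stand-in for a driver collection (assumption: not the real mongo gem).
# It only records which API method was called and with which filter.
class FakeCollection
  attr_reader :calls

  def initialize
    @calls = []
  end

  %i[find update insert remove].each do |op|
    define_method(op) { |filter| @calls << [op, filter]; :ok }
  end
end

# The pattern from the answer: the form chooses both the API method
# and the entire query document.
def unsafe_dispatch(collection, query_type, parameters)
  collection.send(query_type, JSON.parse(parameters))
end

class InvalidInput < StandardError; end

# Hardened form: the code, not the form, picks the action (always find),
# and the form value is only ever used as a plain string inside a filter
# that the code builds itself.
def find_user(collection, form)
  name = form['username']
  # A value that decoded to a Hash or Array would become part of the
  # query document, so anything that is not a String is rejected.
  raise InvalidInput, 'username must be a string' unless name.is_a?(String)
  # Constructed allowlist for this example; adjust to the real field.
  unless name.match?(/\A[\w.-]{1,64}\z/)
    raise InvalidInput, 'username has unexpected characters'
  end
  collection.find('username' => name)
end
```

With `unsafe_dispatch`, whoever fills in the form decides which collection method runs; with `find_user`, the only thing the form can influence is the string compared against `username`.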
