
How MongoDB Survives SQL or Query Injection

As we know, SQL injection is one of the most common ways people try to attack SQL-based applications. While reading the MongoDB docs I came across an interesting point about how MongoDB avoids this kind of injection.

For SQL-based applications, most drivers let you access data by passing the query as a plain string, and that is what makes the access vulnerable: anything concatenated into the string becomes part of the query text.
For example, in Java the data is typically fetched from SQL as follows:


import java.sql.*;

// Vulnerable by design: the user-supplied city and state are concatenated straight into the query text.
String query = "SELECT ZipCode,State FROM zipcodes WHERE City = '" + city + "' AND State = '" + state + "'";
Connection connection = DriverManager.getConnection(jdbcurl, username, password);
Statement stmt = connection.createStatement();
ResultSet rs = stmt.executeQuery(query);


In the case of MongoDB this string-injection problem does not arise, because the drivers build a BSON object for the given query instead of sending the query to the database as a string.

In Java, QueryBuilder is used to build queries for accessing MongoDB data:

import com.mongodb.DBObject;
import com.mongodb.QueryBuilder;

// city and state become field values inside a BSON document, never part of query syntax.
DBObject query = QueryBuilder.start("City").is(city).and("State").is(state).get();

As a client program assembles a query in MongoDB, it builds a BSON object, not a string, so traditional SQL injection attacks are not a problem.
MongoDB represents queries as BSON objects, and client libraries typically provide a convenient, injection-free way to build these objects.
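As an added example (not from the original post or from the MongoDB driver), the Python below mirrors both snippets offline: the concatenated SQL string from the Java example, and a hand-rolled BSON encoding of the QueryBuilder filter. The real city name O'Fallon shows why a quote inside the data breaks the first query but is carried intact as a length-prefixed value in the second. The encoder/decoder is a minimal stand-in for what the driver does and handles string fields only.

```python
import struct

# Constructed sample input: a real city name that contains a single quote.
CITY = "O'Fallon"
STATE = "MO"


def build_sql_concat(city: str, state: str) -> str:
    """Mirror of the post's Java string concatenation (vulnerable by design)."""
    return ("SELECT ZipCode,State FROM zipcodes WHERE City = '" + city
            + "' AND State = '" + state + "'")


def sql_quote_balanced(query: str) -> bool:
    """True when every string literal in the query is closed (even quote count).
    A quote inside the data changes the structure of the query text."""
    return query.count("'") % 2 == 0


def _bson_string(key: str, value: str) -> bytes:
    """One BSON string element: type 0x02, cstring key, int32 length + UTF-8 value + NUL."""
    val = value.encode("utf-8") + b"\x00"
    return b"\x02" + key.encode("utf-8") + b"\x00" + struct.pack("<i", len(val)) + val


def build_mongo_filter(city: str, state: str) -> bytes:
    """Equivalent of QueryBuilder.start("City").is(city).and("State").is(state).get(),
    encoded as a BSON document: int32 total length, elements, trailing NUL."""
    body = _bson_string("City", city) + _bson_string("State", state)
    return struct.pack("<i", len(body) + 5) + body + b"\x00"


def decode_bson_strings(doc: bytes) -> dict:
    """Minimal decoder for documents made only of string elements; shows that the
    value is recovered by length, so bytes inside it cannot alter the document."""
    total = struct.unpack_from("<i", doc, 0)[0]
    assert total == len(doc) and doc[-1] == 0
    out, pos = {}, 4
    while doc[pos] != 0:
        assert doc[pos] == 0x02, "only string elements are supported here"
        end = doc.index(b"\x00", pos + 1)          # end of the cstring key
        key = doc[pos + 1:end].decode("utf-8")
        vlen = struct.unpack_from("<i", doc, end + 1)[0]
        start = end + 5
        out[key] = doc[start:start + vlen - 1].decode("utf-8")
        pos = start + vlen
    return out
```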
