Skip to main content

How MongoDB survives From SQL or Query Injection

As We know SQL injection is one of the most famous way people try to hack the SQL based applications.I came to know about interesting thing how MongoDB survives from this SQL injection while reading the mongodb docs.

For SQL based applications most of the drivers support accessing SQL data using query as String which makes the access vulnerable.
For Example in Java we use to get the data from SQL as follows,


String query = "SELECT ZipCode,State FROM zipcodes WHERE City = '+city+' AND State = '+state+'";
connection = DriverManager.getConnection(jdbcurl, username, password);
Statement stmt = connection.createStatement();
ResultSet rs = stmt.executeQuery(query);


In case of MongoDB there is no vulnerability because all the drivers creates a BSON object for the given Query instead of calling the DB as a string itself.

For MongoDb in Java QueryBuilder is used to build Queries for accesing MongoDb Data,

DBObject query = QueryBuilder.start("City").is(city).and("State").is(state).get();

As a client program assembles a query in MongoDB, it builds a BSON object, not a string. Thus traditional SQL injection attacks are not a problem. 
MongoDB represents queries as BSON objects. Typically client libraries provide a convenient, injection free, process to build these objects.
Labels:

Comments

  1. BMJanuary 31, 2013 at 2:50 AM

    This comment has been removed by a blog administrator.

    ReplyDelete
  2. BMJanuary 31, 2013 at 2:54 AM

    This comment has been removed by a blog administrator.

    ReplyDelete

Post a Comment

Popular posts from this blog

Three Database Revolutions

There are three database revolutions that happened so far.   The first revolution was driven by the emergence of the electronic computer. The second revolution by the emergence of the relational database. The third revolution has resulted in an explosion of non-relational database alternatives driven by the demands of modern applications that require global scope and continuous availability. Lets have a look on these three waves of database technologies and discuss the market and technology forces leading to today’s next generation databases. 1950-1972 (Pre - Relational) 1951 - Magnetic Tape 1952 - Magnetic Disk 1961 - ISAM 1965 - Hierarchical Model 1968 - IMS 1969 - Network Model 1971 - IDMS 1972 - 2005 (Relational) 1970 - Codd's Paper 1974 - System R 1978 - Oracle 1980 - Commercial Ingres 1981 - Informix 1984 - DB2 1987 - Sybase 1989 - Postgres 1989 - SQL Server 1995 - MySQL 2005 - 2015 ( The Next Generation)  2003 - MarkLogic 2004 ...
Post a Comment
Read more

Why Nooooo SQL .........???

                       Relational databases have been around for many decades and are the database technology of choice for most traditional data-intensive storage and retrieval applications. Retrievals are usually accomplished using SQL, a declarative query language. Relational database systems are generally efficient unless the data contains many relationships requiring joins of large tables. Recently there has been much interest in data stores that do not use SQL exclusively, the so called NoSQL movement. Examples are Google’s BigTable and Facebook’s Cassandra . Lets have a look at NoSQL  vs  MySQL (common relational database system).   When to go for  NOSQL ?? In recent years, software developers have been investigating storage alternatives to relational databases. NoSQL is a blanket term for some of those new systems. Cassandra,BigTable, CouchDB, Project Voldemort, and Dynamo are all...
Post a Comment
Read more