Comments on: Mongodb is vulnerable to SQL injection in PHP at least http://www.idontplaydarts.com/2010/07/mongodb-is-vulnerable-to-sql-injection-in-php-at-least/ PHP & LAMP Stack Security Tue, 31 Jan 2012 14:07:48 +0000 hourly 1 By: witty http://www.idontplaydarts.com/2010/07/mongodb-is-vulnerable-to-sql-injection-in-php-at-least/#comment-1071 witty Sun, 01 Jan 2012 16:15:34 +0000 http://www.idontplaydarts.com/?p=22#comment-1071 well Andrew , But where can we find the code of the functions : get_string() and/or get() I can't find them in the http://php.net/manual/ ! well Andrew ,
But where can we find the code of the functions :
get_string()
and/or
get()

I can’t find them in the http://php.net/manual/ !

]]> By: Andrew http://www.idontplaydarts.com/2010/07/mongodb-is-vulnerable-to-sql-injection-in-php-at-least/#comment-163 Andrew Tue, 05 Jul 2011 08:14:34 +0000 http://www.idontplaydarts.com/?p=22#comment-163 Nice catch! Just a suggestion though: never access $_GET directly. Always use a getter function, to which developer MUST specify the expected format. This approach solves most of the web application security problems. For instance: "username" => get('username', GET_STRING, '/^[a-zA-Z0-9]+$/') (regex is optional) Or: "username" => get_string('username', '/^[a-zA-Z0-9]+$/') Function get() should be the only way to access $_GET. You should even rename $_GET to make sure developers obey this convention. My 0.02 EUR. Nice catch! Just a suggestion though: never access $_GET directly. Always use a getter function, to which developer MUST specify the expected format. This approach solves most of the web application security problems.

For instance:
“username” => get(‘username’, GET_STRING, ‘/^[a-zA-Z0-9]+$/’)
(regex is optional)

Or:
“username” => get_string(‘username’, ‘/^[a-zA-Z0-9]+$/’)

Function get() should be the only way to access $_GET. You should even rename $_GET to make sure developers obey this convention.

My 0.02 EUR.

]]> By: phil http://www.idontplaydarts.com/2010/07/mongodb-is-vulnerable-to-sql-injection-in-php-at-least/#comment-5 phil Mon, 21 Feb 2011 07:17:44 +0000 http://www.idontplaydarts.com/?p=22#comment-5 Your code would work but this would also work and means you don't have to declare $username. <blockquote> "username" => "{$_GET['username']}" </blockquote> Either way as long as the input to mongodb remains a string your safe :) Your code would work but this would also work and means you don’t have to declare $username.

“username” => “{$_GET['username']}”

Either way as long as the input to mongodb remains a string your safe :)

]]> By: Michael Grech http://www.idontplaydarts.com/2010/07/mongodb-is-vulnerable-to-sql-injection-in-php-at-least/#comment-4 Michael Grech Sun, 20 Feb 2011 07:48:22 +0000 http://www.idontplaydarts.com/?p=22#comment-4 Ah answered my own question. So you could do something like the following as well: <blockquote>$username = $_GET['username']</blockquote> than... <blockquote>“username” => “$username"</blockquote> Ah answered my own question. So you could do something like the following as well:

$username = $_GET['username']

than…

“username” => “$username”

]]> By: Michael Grech http://www.idontplaydarts.com/2010/07/mongodb-is-vulnerable-to-sql-injection-in-php-at-least/#comment-3 Michael Grech Sun, 20 Feb 2011 07:39:21 +0000 http://www.idontplaydarts.com/?p=22#comment-3 Hey Phil, thanks for the post. Would this work as well than? Note the double quotes. <blockquote>"username" => "$_GET['username'] "</blockquote> Hey Phil, thanks for the post. Would this work as well than? Note the double quotes.

“username” => “$_GET['username'] “

]]>