I have experience with securing against SQL injection on MySQL, but what should I be careful about on MongoDB using the PHP driver? In most of the pages I get data via GET/POST and search/insert into the system. I search via UDID / other fields, and can insert any string value. Also I get users' cookies via JavaScript.
-
So when handling GET/POST, should I be applying the htmlentities function to each variable?
-
What would replace mysql_real_escape_string? Should I use it?
So, for example, when doing
$download = array( 'url' => $_GET['url'] );
$downloads->insert($download);
Is this OK?
-
Is there a way to check if a string is really a UID?
-
Anything else I should be aware of when using MongoDB and PHP? I do get my cookies using JavaScript, and search my DB using the cookies. What about that?
No need to. You should, however, use htmlentities when outputting user-generated data to a browser, to prevent XSS attacks.

You shouldn't use mysql_real_escape_string as it's for MySQL. Nothing replaces this on MongoDB; the driver takes care of escaping the data for you.

The only way to validate it is to query MongoDB with that string and check if it exists.
You can however, validate if the format is correct:
Not much. As for any web application, you are very discouraged from storing sensitive data in cookies, such as user identifiers, passwords, etc., as they can easily be tampered with and used to access parts of your application that should be restricted, or to impersonate other users.
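For the validation the answer describes, here is an added example (mine, not code from the question or the answer) that checks the type and format of request values before they reach the query or the insert shown in the question. It assumes the legacy PHP Mongo driver the question uses, with MongoId and a $downloads collection handle; the function names are my own.

```php
<?php
// Added example, not code from the question or the answer. It assumes the
// legacy PHP Mongo driver from the question (MongoId, $downloads as a
// collection handle); the function names are mine.

// Accept only a single, non-empty, NUL-free string of bounded length. PHP
// decodes "url[]=x" in a query string into an array, so a request value is
// not guaranteed to be a string until its type has been checked.
function requireString(array $input, $key, $maxLen = 2048) {
    if (!isset($input[$key]) || !is_string($input[$key])) {
        throw new InvalidArgumentException("$key must be a single string");
    }
    $value = $input[$key];
    if ($value === '' || strlen($value) > $maxLen || strpos($value, "\0") !== false) {
        throw new InvalidArgumentException("$key has a bad length or contains NUL");
    }
    return $value;
}

// Format check for a MongoDB ObjectId: exactly 24 hex digits. As the answer
// notes, a well-formed id still has to be looked up to know whether it exists.
function isObjectIdFormat($id) {
    return is_string($id) && preg_match('/\A[0-9a-fA-F]{24}\z/', $id) === 1;
}

// Allow only absolute http(s) URLs for the download field.
function requireHttpUrl($url) {
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        throw new InvalidArgumentException('url is not a valid URL');
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, array('http', 'https'), true)) {
        throw new InvalidArgumentException('url must use http or https');
    }
    return $url;
}

// Build the document from the question out of validated input only.
function buildDownloadDocument(array $get) {
    return array('url' => requireHttpUrl(requireString($get, 'url')));
}

// Look up by id only after the format check, passing a MongoId so the query
// compares ObjectIds rather than whatever type arrived in the request.
function findByUid($collection, array $get) {
    $uid = requireString($get, 'uid', 24);
    return isObjectIdFormat($uid) ? $collection->findOne(array('_id' => new MongoId($uid))) : null;
}

// Call site from the question: $downloads->insert(buildDownloadDocument($_GET));
```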