Security concerns while using MongoDB PHP driver -

-


Security concerns while using MongoDB PHP driver -

i have experiences securing sql injections on mysql, should careful on mongodb using php driver? in of pages info via get/post , searching/inserting system. search via udid / other fields, , can insert string value. user's cookies via javascript.

so when get/post, i'm adding each variable htmlentities function?

what replace mysql_real_escape_string? should utilize it?

so, example, when doing

$download = array( 'url' => $_get['url'] ); $downloads->insert($download);

is ok?

is there way check if string uid?

any think else should aware when using mongodb , php? cookies using javascript, , searching in db using cookies. that?

so when get/post, i'm adding each variable htmlentities function?

no need to. should however, utilize htmlentities when outputting user-generated info browser, prevent xss attacks.

what replace mysql_real_escape_string? should utilize it?

you shouldn't utilize mysql_real_escape_string it's mysql. nil replaces on mongodb, driver takes care of escaping info you.

is there way check if string uid?

the way validate query mongodb string , check if exists.

you can however, validate if format correct:

$id = '4f1b166d4931b15415000000'; $a = new mongoid($id); var_dump($a->{'$id'} == $id); // true $id = 'foo'; $a = new mongoid($id); var_dump($a->{'$id'} == $id); // false

any think else should aware when using mongodb , php? cookies using javascript, , searching in db using cookies. that?

not much. web application, discouraged storing sensitive info in cookies, such user identifiers, passwords, etc. can tempered , used access parts of application should restricted, or impersonate other users.

php security mongodb

Comments

Post a Comment

Popular posts from this blog

delphi - blogger via idHTTP : error 400 bad request -

-
delphi - blogger via idHTTP : error 400 bad request - i'm trying post blogger using idhttp component, however, i'm getting "http/1.0 400 bad request" error. procedure tform1.button1click(sender: tobject); var request,response,req : tstringlist; auth,blogid : string; begin blogid := '00000000000000000000000'; request := tstringlist.create; response := tstringlist.create; req := tstringlist.create; idhttp1.request.connection := 'keep-alive'; idhttp1.request.contenttype := 'application/x-www-form-urlencoded'; idssliohandlersocket1.ssloptions.method := sslvsslv23; request.clear(); request.values['accounttype'] := 'google'; request.values['email'] := 'xxx@gmail.com'; request.values['passwd'] := 'yyy'; request.values['service'] := 'blogger'; response.text :=idhttp1.post('https://www.google.com/accounts/clientlogin',request); auth := resp...
Read more

c++ - compiler errors when initializing EXPECT_CALL with function which has program_options::variables_map as parameter -

-
c++ - compiler errors when initializing EXPECT_CALL with function which has program_options::variables_map as parameter - i'm having problem expect_call method, when trying : boost::program_options::variables_map vm; mymock mock; expect_call(mock, mymethod(vm)).willonce(return(l"")); mymethod looks : std::wstring mymethod(const boost::program_options::variables_map &vm) when compiling got errors : error 17 error c2676: binary '==' : 'const boost::program_options::variable_value' not define operator or conversion type acceptable predefined operator c:\program files (x86)\microsoft visual studio 9.0\vc\include\utility error 10 error c2784: 'bool std::operator ==(const _elem *,const std::basic_string<_elem,_traits,_alloc> &)' : not deduce template argument 'const _elem *' 'const boost::program_options::variable_value' c:\program files (x86)\microsoft visual studio 9.0\vc\include\u...
Read more

How do I check if an insert was successful with MySQLdb in Python? -

-
How do I check if an insert was successful with MySQLdb in Python? - i have code: cursor = conn.cursor() cursor.execute(("insert new_files (videos_id, filename, " "is_processing) values (%s,%s,1)"), (id, filename)) logging.warn("%d", cursor.rowcount) if (cursor.rowcount == 1): logging.info("inserted values %d, %s", id, filename) else: logging.warn("failed insert values %d, %s", id, filename) cursor.close() fun is, cursor.rowcount always one, though updated database create videos_id unique key. is, insert fails because in tests same videos_id going appear (and when check database, nil inserted). whatever reason, rowcount 1 - logging.warn have spits out rowcount of 1. so, question: can utilize rowcount work out if insert went fine? if so, (presumably) doing wrong? otherwise, how check if insert went fine? your code not commit after modifications (your modifications rolled back). should...
Read more