
Is there a way to bind parameters during a Doctrine ODM MongoDB query?

$path = $this->objectManager->getRepository("MyBundle:MyDocument")
    ->findOneBy(array("slug" => new MongoRegex("/^slug/")))
;

This would be instead of having to do string concatenation where slug appears above.

BenMorel
Alexander Trauzzi
  • I have never programmed Doctrine but is that not working? Try removing the / from /^slug/ to be ^slug – Sammaye Aug 26 '12 at 15:16
  • That's not really the problem I'm having. – Alexander Trauzzi Aug 26 '12 at 15:53
  • Oh, you're looking for PDO type binding... sorry, misread. Though it sounds kinda useless cos the main problem with SQL is injection, hence the need for parameterised queries; MongoDB does not really suffer from that problem as you see. – Sammaye Aug 26 '12 at 16:00
  • Are you sure about that? – Alexander Trauzzi Aug 26 '12 at 16:19
  • Yeah, since the parameter input is not built from a string but from arrays, as you can see, it prevents injection since querying in Mongo is object orientated. This is something 10gen combated early on and continues to. So the content of the `MongoRegex` could not cause the query to dump the table, for example; fair enough, if you don't check the input is within acceptable ranges you might get unexpected behaviour, but that is app logic unique to your programming, as such it should be there. – Sammaye Aug 26 '12 at 18:39

1 Answer


The short take is that you generally do not have to worry about the same category of string injection problems as an SQL injection, because the requests sent to a MongoDB server are in an object format (BSON) rather than a string format like SQL.

A typical SQL injection attack involves manipulating variables that will be concatenated into an SQL query string. The SQL bind parameters are placeholders for the variables that limit the acceptable values via escaping and/or type checking. In the BSON format, the aspects of the query are saved in an object format that limits the scope of the values to that field.

If you are passing values for server-side JavaScript execution such as in a $where query, you do have to apply some caution in filtering user-provided input. Server-side JavaScript is generally discouraged as it can have some detrimental performance effects.

For more information see the MongoDB wiki page Do I have to worry about SQL Injection. Of course there actually is no SQL support in MongoDB, so this page would more aptly be named "Should I worry about Parameter Injection Attacks" ;-).

Stennie
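As an added example (not code from the question, the answer or Doctrine itself), this is how the slug-prefix lookup from the question can be built from untrusted input so that the value stays bound to the "slug" field as a BSON array element while regex metacharacters in the input are neutralised. It assumes the legacy mongo extension's MongoRegex class used in the question; $repository is a hypothetical Doctrine ODM repository.

```php
<?php
// Added example, not from the original post. Builds the criteria array the
// question passes to findOneBy() without concatenating user input into the
// query itself, and without letting regex syntax in $slug alter the pattern.

function buildSlugPrefixCriteria($slug)
{
    // The query is a PHP array (sent as BSON), so the value cannot escape
    // the "slug" field; but the regex body is still user-controlled text,
    // so type-check it first (a non-string here is never a valid slug).
    if (!is_string($slug)) {
        throw new InvalidArgumentException('slug must be a string');
    }

    // preg_quote() escapes regex metacharacters and the "/" delimiter, so
    // input such as ".*" matches the literal text ".*" rather than every
    // document in the collection.
    $pattern = '/^' . preg_quote($slug, '/') . '/';

    return array('slug' => new MongoRegex($pattern));
}

// Constructed inputs: an ordinary slug and one made of metacharacters.
$normal  = buildSlugPrefixCriteria('hello-world'); // pattern /^hello\-world/
$escaped = buildSlugPrefixCriteria('.*');          // pattern /^\.\*/

// Hypothetical use with the repository from the question:
// $path = $repository->findOneBy(buildSlugPrefixCriteria($_GET['slug']));
```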