Let’s nip this problem in the bud!
Injection, with SQL injection chief among it, is the number one vulnerability on the OWASP Top 10. Playing with MongoDB lately, I’m getting scared, because I’m seeing some really bad practices out there. Seeing it in live code. In tutorials. We need to make people aware of it, and put a stop to it NOW.
It’s bad enough that the average developer is completely oblivious to SQL injection. But now, with schema-less databases like MongoDB out there, expect to see something new: schema injection, where whatever keys the client sends become fields in the stored document. (Framework people know the same bug as mass assignment.)
Take a look at this Lithium Blog Tutorial. Is building a blog this way safe? Is traditional SQL Injection possible?
Probably not. MongoDB queries are built as BSON documents by the driver, not as strings with values spliced into them, so the classic SQL-style injection doesn’t apply. However, we’re not done! What about schema validation?
Do you really want to let attackers inject fields (MongoDB’s columns) into your database? If the controller hands the raw request data straight to the model, every key in the POST body becomes a field in the saved document. They can add a thousand fields with any data they want, or set fields your code assumes only the server writes.
It’s true that MongoDB makes some things easier on developers. But there are some steps you shouldn’t skip just because skipping them is easy.
In the case of Lithium, you can secure your data by listing your fields in the model’s $_schema property and locking that schema in the $_meta property (array('locked' => true)). Only the listed fields then make it into the document; anything else in the request is dropped.
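Here is what that looks like in practice. This is an added example written for this post, not code from the original tutorial or from the Lithium project. It assumes a Lithium app with a MongoDB connection configured as 'default', and the model and controller are modelled on the tutorial’s blog app; the field names, the class names (UnsafePosts, Posts, PostsController) and the attacker request in the comments are all constructed for illustration. The two classes are shown in one file for reading; in a real app each lives in its own file under app/models and app/controllers.

```php
<?php
// Added example, not part of the original post or of Lithium itself.
// Assumes a Lithium app with a MongoDB connection named 'default'.

namespace app\models;

// VULNERABLE: no $_schema. Whatever keys arrive in the request are saved
// as fields of the document, because nothing tells Lithium which fields exist.
class UnsafePosts extends \lithium\data\Model {
    protected $_meta = array('source' => 'posts');
}

// HARDENED (the fix this post recommends): the field list lives in $_schema
// and 'locked' => true tells Lithium to save only those fields.
class Posts extends \lithium\data\Model {
    protected $_schema = array(
        '_id'   => array('type' => 'id'),
        'title' => array('type' => 'string'),
        'body'  => array('type' => 'string'),
    );
    protected $_meta = array('locked' => true);
}

namespace app\controllers;

use app\models\Posts;

class PostsController extends \lithium\action\Controller {

    // The schema says which fields exist. This list says which of them a
    // client may set. '_id' is in the schema but is assigned by MongoDB,
    // never taken from the request. (Constructed allow-list for this example.)
    protected static $_clientFields = array('title', 'body');

    public function add() {
        $success = false;

        // Constructed attacker request (not a real captured one):
        //   POST /posts/add
        //   title=Hi&body=Hello&is_admin=1&author=someone+else
        // UnsafePosts::create($this->request->data) would store is_admin and
        // author alongside title and body. With the locked Posts schema plus
        // the allow-list below, only title and body reach the database.
        if ($this->request->data) {
            // Belt and braces: drop unknown keys before the data touches the
            // model, so the controller is safe even if someone later edits
            // the model and forgets 'locked'.
            $data = array_intersect_key(
                $this->request->data,
                array_flip(self::$_clientFields)
            );
            $post = Posts::create($data);
            $success = $post->save();
        }
        return compact('success');
    }
}
```

The locked schema protects every code path that saves a Posts document; the allow-list in the controller is narrower, because a field can legitimately exist in the schema (an author id, a published flag) without the client being allowed to set it. Use both: the schema for what the collection holds, the allow-list for what this particular form may write.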
Mongo and Lithium are a great combination. But it’s on YOU the developer to use those tools properly.
Feel free to add fields to your production NoSQL database; that’s the good part of “no schema”. But you still need to add those fields to the schema in your code, and never insert whatever the request hands you without checking it against that list.
Spread the word.