re: Beware of the findOne function

re: Good write-up. Some additional resources for those interested in reading more: owasp.org/index.php/Testing_for_No... blog.websecurify.com/2014/08...

Good advice from the MongoDB team in their documentation, using the same approach as that to defeat injection in SQL, and more generally across other injection attacks - avoid server-side interpreters:

docs.mongodb.com/manual/faq/fundam...

...for MongoDB either through direct use of BSON queries and separate user data (the equivalent of prepared queries in SQL clients), or by disabling server-side JavaScript entirely - consider this first IMO!
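A worked illustration of the "BSON query with separate user data" point, added here as an example; it is not code from either comment or from MongoDB's own documentation. It contrasts the findOne pattern the thread warns about (the request body spliced into the filter as-is) with a filter whose shape is fixed in code and whose user-supplied parts are validated scalars. The field names, the sample request bodies and the use of TypeError are assumptions; no database connection is needed to run it.

```javascript
// Reject anything that is not a plain string. An object in a field position
// would be merged into the BSON filter and could change what the query means.
function assertPlainString(field, value) {
  if (typeof value !== "string") {
    throw new TypeError(`${field} must be a string, got ${typeof value}`);
  }
  return value;
}

// Defence in depth for handlers that accept a whole JSON body: in BSON queries
// a key starting with "$" is an operator, so refuse such keys at any depth.
function containsOperatorKey(doc) {
  if (doc === null || typeof doc !== "object") return false;
  return Object.entries(doc).some(
    ([k, v]) => k.startsWith("$") || containsOperatorKey(v)
  );
}

// Vulnerable pattern (the thread's topic): user-controlled values are passed
// straight into the findOne filter, so their type and structure are whatever
// the client sent.
function unsafeLoginFilter(body) {
  return { username: body.username, password: body.password };
}

// Hardened pattern: the filter shape is decided by the code, not the client,
// and only validated scalars are placed into it. The password is validated
// here but deliberately kept out of the filter; in this (assumed) design it is
// checked in application code against a stored hash after the lookup.
function safeLoginFilter(body) {
  if (containsOperatorKey(body)) {
    throw new TypeError("request body contains a query operator");
  }
  const username = assertPlainString("username", body.username);
  assertPlainString("password", body.password);
  return { username };
}

// Constructed sample bodies: a normal login and one carrying an operator.
const normalBody = { username: "alice", password: "correct horse" };
const tamperedBody = { username: "alice", password: { $gt: "" } };

// With server-side JavaScript disabled on the server (security.javascriptEnabled:
// false, the comment's "consider this first"), $where-style evaluation is not
// available at all, so this validation is the remaining line of defence.
```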
