
Resolved: findOneBy() – Sanitize email input – mongodb-odm 2.x

By Isaac Tonny on 17/06/2022 Issue

Question:

Is this safe (from an SQL injection perspective) to do:
Best
Edit:
So, the string 'user@gmail.com' comes into my method via a variable $email.

Answer:

You are safe from SQL injection because the MongoDB drivers do not speak SQL.
But beyond this, unless you use db.runCommand, there is no way to change a “find” statement (find, find_one, etc.) into an “update” or “delete” statement. No amount of variable substitution or trickery will change the basic behavior from read to anything else. In contrast, the classic cursor.execute("A SQL string") can do almost anything, including adding/removing users and tables, etc., and must be very carefully sanitized.
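The input check the question's title asks about, as an added example (not code from the original post or from Doctrine): findOneBy() takes a criteria array and hands its values through to the query unchanged, so the sanitization that matters is confirming that $email is a plain, well-formed string before it is placed in that array. The stand-in repository object and the findUserByEmail() wrapper are assumptions made so the file runs without a MongoDB server; in real use $repository would be a Doctrine\ODM\MongoDB\Repository\DocumentRepository.

```php
<?php
declare(strict_types=1);
// Requires PHP 8.0+ (mixed, get_debug_type, nullsafe operator).

final class InvalidEmailInput extends InvalidArgumentException {}

// Return the email only if it is a string that looks like a single address;
// throw for anything else so it never reaches the criteria array.
function sanitizeEmail(mixed $input): string
{
    // Reject non-strings outright: arrays, null, objects, numbers.
    if (!is_string($input)) {
        throw new InvalidEmailInput('email must be a string, got ' . get_debug_type($input));
    }
    $email = trim($input);
    // Reject empty, overlong, or control-character-bearing values before the syntax check.
    if ($email === '' || strlen($email) > 254 || preg_match('/[\x00-\x1F\x7F]/', $email)) {
        throw new InvalidEmailInput('email is empty, too long, or contains control characters');
    }
    // PHP's built-in address syntax validation.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidEmailInput('email is not a well-formed address');
    }
    return $email;
}

// Hypothetical wrapper: $repository is anything exposing findOneBy(array $criteria),
// e.g. a Doctrine DocumentRepository; typed as object so the demo runs offline.
function findUserByEmail(object $repository, mixed $rawEmail): ?object
{
    $email = sanitizeEmail($rawEmail);        // throws before any query is built
    return $repository->findOneBy(['email' => $email]);
}

// Constructed stand-in for the repository so this file runs without MongoDB.
$repository = new class {
    public function findOneBy(array $criteria): ?object
    {
        return $criteria === ['email' => 'user@gmail.com'] ? (object) ['email' => 'user@gmail.com'] : null;
    }
};

var_dump(findUserByEmail($repository, 'user@gmail.com')?->email);   // the string from the question
var_dump(findUserByEmail($repository, 'other@example.com'));        // NULL: valid address, no match
foreach ([['key' => 'value'], null, 42, 'no-at-sign', "a@b.com\n"] as $bad) {
    try {
        findUserByEmail($repository, $bad);
    } catch (InvalidEmailInput $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;           // none of these reach findOneBy()
    }
}
```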


mongodb php