How does MongoDB avoid the SQL injection mess?

无人共我 2020-12-04 17:33

I was reading my trusty O'Reilly book and came across a passage about how Mongo, by nature, avoids the morass of SQL injection-like flaws.

In my gut, I think I unde

5 answers
  •  無奈伤痛
    2020-12-04 18:12

    To protect against SQL injection, clients can use MongoDB's language APIs. This way, all the input is a simple value - commands cannot be injected. A Java example:

    collection.find(Filters.eq("key", "input value"))

    The drawback is that you cannot easily test your filter. You cannot copy it to Mongo's shell and test it. Especially problematic with bigger, more complex filters/queries.

    BUT!!! there's also an API to not use the filter's API - enabling you to parse any JSON filter. Java example below:

    collection.find(BasicDBObject.parse("{key: \"input value\"}"));

    This is nice because you can copy the filter directly to the MongoDB shell to test it out.

    BUT!!! (last but, I promise) this is prone to NoSQL injection. Java example, where the input value is {$gt: ""}.

    collection.find(BasicDBObject.parse("{key: {$gt: \"\"}}"));

    In this last example, everything is returned, even though we meant only for the specific records to return.

    See here a more thorough explanation on SQL injection when using the filters directly.

    One last thing. I think there's a way to use both raw filters and still protect against SQL injection. For example, in Java, we can use Jongo's parameterized queries.
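The contrast the answer draws (input placed in value position versus input spliced into filter text and parsed) can be shown without a database. The following is an added JavaScript example, not code from the answer above and not the MongoDB driver; it uses a constructed three-document collection and a minimal in-memory `find` that understands only equality and `$gt`, so it runs offline. The function names, the `username` field and the sample documents are all assumptions made for the example.

```javascript
// Added example (not from the original answer). Demonstrates why splicing
// untrusted text into a filter lets an operator object such as {$gt: ""} in,
// why putting the input in value position keeps it a plain string, and a
// guard that rejects operator keys in decoded JSON input.

// Constructed sample collection.
const USERS = [
  { username: 'alice', role: 'user' },
  { username: 'bob', role: 'user' },
  { username: 'carol', role: 'admin' },
];

// Minimal stand-in for collection.find(): supports {field: value}
// and {field: {$gt: v}} only. Real MongoDB semantics are much richer.
function find(docs, filter) {
  return docs.filter((doc) =>
    Object.entries(filter).every(([field, cond]) => {
      if (cond !== null && typeof cond === 'object') {
        // Operator object, e.g. {$gt: ""}: every non-empty string is > "",
        // so this condition matches every document that has the field.
        return Object.entries(cond).every(([op, v]) => {
          if (op === '$gt') return doc[field] > v;
          throw new Error(`unsupported operator ${op}`);
        });
      }
      return doc[field] === cond; // plain value: strict equality
    })
  );
}

// Unsafe: untrusted text is spliced into the filter source and parsed,
// the JavaScript analogue of BasicDBObject.parse("{key: " + input + "}").
function findByUsernameUnsafe(docs, untrustedJsonFragment) {
  const filter = JSON.parse(`{"username": ${untrustedJsonFragment}}`);
  return find(docs, filter);
}

// Safe: the input is placed in value position, the analogue of
// Filters.eq("key", input). Whatever the string contains, it is compared
// as a string and never interpreted as an operator.
function findByUsernameSafe(docs, untrustedValue) {
  return find(docs, { username: untrustedValue });
}

// Guard for code paths that receive already-decoded JSON (a request body
// parsed by a web framework, for example): true if any key at any depth
// starts with '$', which is how MongoDB spells query operators.
function hasOperatorKey(value) {
  if (value === null || typeof value !== 'object') return false;
  return Object.entries(value).some(
    ([k, v]) => k.startsWith('$') || hasOperatorKey(v)
  );
}

// Reject anything that is not a primitive before it reaches a filter.
function requirePlainValue(value) {
  if (value !== null && typeof value === 'object') {
    throw new Error('filter value must be a primitive, got an object');
  }
  return value;
}

// Demo: the same attacker-controlled text through both paths.
const injected = '{"$gt": ""}';
console.log('unsafe :', findByUsernameUnsafe(USERS, injected).length, 'rows');   // 3
console.log('safe   :', findByUsernameSafe(USERS, injected).length, 'rows');     // 0
console.log('guard  :', hasOperatorKey(JSON.parse(injected)));                   // true
```

The safe path does not "sanitize" the string at all: `'{"$gt": ""}'` is simply compared as a string and matches nobody. `hasOperatorKey` and `requirePlainValue` are for the other common situation, where a framework has already turned the request body into objects before your code sees it, so the input arrives as `{ $gt: "" }` rather than as text.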
