How dangerous is a mongo query which is fed directly from a URL query string?

Backend | Unresolved | 3 | 1809
野趣味 2020-12-29 07:00

I am playing around with node.js, express, and mongoose.

For the sake of getting something up and running right now I am passing the Express query string object dire

3 answers
  •  庸人自扰
    2020-12-29 07:21

    Operator injection is a serious problem here and I would recommend you at least encode/escape certain characters, more specifically the $ symbol: http://docs.mongodb.org/manual/faq/developers/#dollar-sign-operator-escaping

    If the user is allowed to append a $ symbol to the beginning of strings or elements within your $_GET or $_POST or whatever, they will quickly use that to: http://xkcd.com/327/ and you will be a goner, to say the least.
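One way to apply the answer's advice in a Node handler, as an added example that is not part of the original post: Express's default query parser turns `/users?name[$ne]=x` into `{ name: { $ne: 'x' } }`, so a filter built from `req.query` must reject `$`-prefixed keys at any depth and only pass whitelisted fields as plain strings. The `ALLOWED_FIELDS` set and the two parsed-query objects are constructed for the example; no express or mongoose is needed to run it.

```javascript
'use strict';

// Assumption: the fields this endpoint is allowed to filter on.
const ALLOWED_FIELDS = new Set(['name', 'city']);

// Walk the parsed query object and throw on any key that MongoDB would
// interpret as an operator (anything beginning with '$'), at any depth.
function assertNoOperators(value, path = 'query') {
  if (Array.isArray(value)) {
    value.forEach((v, i) => assertNoOperators(v, `${path}[${i}]`));
  } else if (value !== null && typeof value === 'object') {
    for (const [key, v] of Object.entries(value)) {
      if (key.startsWith('$')) {
        throw new Error(`rejected operator-like key "${key}" at ${path}`);
      }
      assertNoOperators(v, `${path}.${key}`);
    }
  }
}

// Build a MongoDB filter from a parsed query object: only whitelisted
// fields, each required to be a plain string so it is compared as a value
// and can never be reinterpreted as an operator document.
function buildFilter(parsedQuery) {
  assertNoOperators(parsedQuery);
  const filter = {};
  for (const field of ALLOWED_FIELDS) {
    if (field in parsedQuery) {
      const v = parsedQuery[field];
      if (typeof v !== 'string') {
        throw new Error(`field "${field}" must be a plain string`);
      }
      filter[field] = v;
    }
  }
  return filter;
}

// Constructed inputs shaped like Express's req.query for two URLs.
const benign = { name: 'alice', city: 'Oslo', page: '2' }; // ?name=alice&city=Oslo&page=2
const hostile = { name: { $ne: '' } };                     // ?name[$ne]=

console.log(buildFilter(benign));      // { name: 'alice', city: 'Oslo' }
try {
  buildFilter(hostile);
} catch (err) {
  console.log('blocked:', err.message); // blocked: rejected operator-like key "$ne" at query.name
}
```

The resulting `filter` is what you would hand to `Model.find()`; anything the whitelist does not name (such as `page`) is dropped rather than forwarded.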
