aldin-sxr / mongo-sanitize
A simple, no-dependency defense against MongoDB query selector injection attacks.
Installs: 1 816
Dependents: 0
Suggesters: 0
Security: 0
Stars: 2
Watchers: 2
Forks: 0
Open Issues: 0
Requires (Dev)
- phpunit/phpunit: ^8.4
This package is auto-updated.
Last update: 2024-05-19 07:08:13 UTC
README
A simple, no-dependency PHP library for defense against MongoDB query selector injection attacks. Inspired by the homonymous NPM package for NodeJS.
Installation and Usage
The library is available via Composer.
composer require aldin-sxr/mongo-sanitize
After installing, include vendor/autoload.php in your project.
<?php require_once 'vendor/autoload.php'; $data = [ 'hello' => 'world', 'foo' => [ '$eq' => 'bar' ] ]; $cleaned = mongo_sanitize($data); // Cleaned array: // [ 'hello' => 'world, 'foo' => [ ] ]
Call mongo_sanitize() on the arrays (user input) which you want to sanitize. The function will remove any array elements whose keys start with a $ (MongoDB operator identifier). The function also works recursively, on embedded array elements.
Testing
All library methods come with several unit tests in PHPUnit, which are available under tests/unit.
License
The library is licensed under the MIT license. See the LICENSE file for details.