I'm aware how useful this can be, but how can a developer prevent injection attacks right at the monquery level? Since the real MongoDB query is generated by passing a string to the compile function, it is trivial to do injection right at this string level.
Consider a very simple authentication example:
var compile = require('monquery');
var pass = request.query.password;            // untrusted input straight from the request
var str = 'user:TJ AND password:' + pass;     // spliced into the query-language string
var query = compile(str);                     // compiled into the real MongoDB query
Imagine if the input password is something like: 1 OR user:admin
Dealing with this requires another special set of heuristics and checks specific to the monquery syntax.
How can a developer safely pass input to these strings?
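One way to keep untrusted input out of the query language altogether, as an added example that is not part of the original post or the monquery project: compile only the trusted, static part of the query, then attach request values as plain data. It assumes compile() returns an ordinary MongoDB filter object (the post's description), so the trusted part is stood in for by such an object here; the allow-list regex is a hypothetical fallback.

```javascript
'use strict';

// Combine a trusted, already-compiled filter with untrusted values passed as
// data, never as query-language text. Each value must be a plain string
// (query-string parsers can yield objects such as {"$gt": ""}) and is
// wrapped in $eq so it is only ever compared literally.
function withUntrustedValues(trustedFilter, untrusted) {
  const clauses = [trustedFilter];
  for (const [field, value] of Object.entries(untrusted)) {
    if (typeof value !== 'string') {
      throw new TypeError(field + ' must be a string, got ' + typeof value);
    }
    clauses.push({ [field]: { $eq: value } });
  }
  return { $and: clauses };
}

// Hypothetical fallback for the rare case where a value really must be
// spliced into the query string: accept only a conservative character set,
// so the operators and separators seen in the monquery syntax (AND, OR,
// ':', whitespace, parentheses, quotes) can never appear in the value.
const SAFE_LITERAL = /^[A-Za-z0-9_.@-]+$/;
function isSafeLiteral(value) {
  return typeof value === 'string' && SAFE_LITERAL.test(value);
}

// Constructed sample input using the post's payload.
const trusted = { user: 'TJ' };                 // stands in for compile('user:TJ')
const fromRequest = { password: '1 OR user:admin' };
const filter = withUntrustedValues(trusted, fromRequest);
// filter is { $and: [ { user: 'TJ' }, { password: { $eq: '1 OR user:admin' } } ] }
// so the payload is matched as a literal password, not parsed as OR user:admin.
```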