MongoEngine: if and how to sanitize search & data input?

I'm using MongoEngine in a project, and I was wondering if and how I need to sanitize user input when creating documents and searching them.

For example, when I'm creating a document by providing data from resources like scraped RSS feeds (with feedparser), they can have almost any type of string as data:

RSS(
    rss_link=news.link,
    link=news.feed.link,
    title=news.feed.title,
    subtitle=news.feed.subtitle,
    summary=news.feed.summary,
).save()

Or, when I'm exposing said collection for user queries to find relevant RSS resources:

objects = RSS.objects.search_text(user_input).order_by('$text_score')

Does any type of input sanitization need to be done? Is it different for both cases? The documentation doesn't seem to be discussing this.

When saving a document, MongoEngine will run the field validation. If you use a user_input in a query, you need to sanitize it; in this case I believe ensuring that user_input is a string should be sufficient (if you are concerned about injection). As discussed here, injection can be achieved by using dictionaries, so it's important to sanitize.
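The dictionary injection the answer refers to, and the "must be a string" check it recommends, as an added example that is not from the original question or answer and is not MongoEngine's own code. It assumes a hypothetical equality filter on a `title` field whose value comes straight from a JSON request body; MongoDB itself is replaced by a small in-memory matcher (`match`) that understands only equality, `$ne` and `$regex`, so the effect can be seen offline. A dict that reaches a plain keyword filter such as `RSS.objects(title=user_input)` is forwarded to the server as an operator expression, which is what turns a lookup into a match-everything query.

```python
"""Operator injection through a dict-typed query value, and the type check that
blocks it.  Added example: not MongoEngine code, and no MongoDB server is used.
"""
import json
import re

# Constructed sample collection standing in for the RSS documents.
DOCS = [
    {"title": "Python 3.12 released", "link": "https://example.org/a"},
    {"title": "MongoDB 7 notes", "link": "https://example.org/b"},
    {"title": "Weekly security digest", "link": "https://example.org/c"},
]


def _match_field(stored, cond):
    """Simplified stand-in for MongoDB's per-field matching (assumption: the
    real server supports far more operators; equality, $ne and $regex are
    enough to show the problem)."""
    if not isinstance(cond, dict):
        return stored == cond  # a plain string is an equality test
    for op, arg in cond.items():
        if op == "$ne":
            if stored == arg:
                return False
        elif op == "$regex":
            if not isinstance(stored, str) or re.search(arg, stored) is None:
                return False
        else:
            raise ValueError(f"unsupported operator in this toy matcher: {op}")
    return True


def match(docs, flt):
    """Return the documents for which every field condition in `flt` holds."""
    return [d for d in docs if all(_match_field(d.get(k), v) for k, v in flt.items())]


def unsafe_filter(raw_value):
    """The filter a keyword lookup like RSS.objects(title=raw_value) ends up
    sending when raw_value is passed through untouched: a dict is not quoted
    or escaped, it simply becomes the operator expression for the field."""
    return {"title": raw_value}


class BadInput(ValueError):
    """Raised for query input that is not a plain, bounded string."""


def safe_string(value, max_len=256):
    """The answer's rule, enforced: reject anything that is not a str (so no
    dict or list can smuggle operators) and keep the length bounded."""
    if not isinstance(value, str):
        raise BadInput(f"expected a string, got {type(value).__name__}")
    if len(value) > max_len:
        raise BadInput("input too long")
    return value


def safe_filter(raw_value):
    """Same lookup, but only after the value has passed safe_string()."""
    return {"title": safe_string(raw_value)}


def run_demo():
    """Compare honest and hostile JSON bodies through both filter builders.
    The request bodies are constructed here for the demonstration."""
    honest = json.loads('{"q": "MongoDB 7 notes"}')["q"]
    hostile_ne = json.loads('{"q": {"$ne": null}}')["q"]      # attacker JSON
    hostile_regex = json.loads('{"q": {"$regex": "."}}')["q"]  # attacker JSON

    results = {
        "honest_unsafe": len(match(DOCS, unsafe_filter(honest))),
        "hostile_ne_unsafe": len(match(DOCS, unsafe_filter(hostile_ne))),
        "hostile_regex_unsafe": len(match(DOCS, unsafe_filter(hostile_regex))),
        "honest_safe": len(match(DOCS, safe_filter(honest))),
    }
    for name, value in (("hostile_ne_safe", hostile_ne),
                        ("hostile_regex_safe", hostile_regex)):
        try:
            safe_filter(value)
            results[name] = "accepted"
        except BadInput:
            results[name] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

With the unchecked filter the honest query returns one document while both hostile bodies return all three; with `safe_string()` in front of the lookup the honest query still returns one document and the hostile bodies are rejected before any query is built. The same type check is what the answer proposes for `search_text(user_input)`, and it is the check to apply to any value that arrives already parsed from JSON, since the parser, not the user, decides whether `q` is a string or a dict. Stored text is data rather than a query, so a `$` inside a saved feed title needs no escaping on the save path; the remaining concern with scraped feed content is encoding it correctly when it is rendered.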
