MongoDB and Security via Diaspora

When asked why MongoDB uses its own query language instead of SQL, the answer was that using JSON for both data and queries made more sense, and that it helped avoid injection attacks. As shown by Patrick McKenzie's post on the recently released Diaspora, it turns out this is not quite true:

Diaspora uses MongoDB, one of the new sexy NoSQL database options. I use a few myself. They have a few decades less experience getting exploited than the old relational databases you know and love, so let’s start: I claim this above code snippet gives me full read access to the database, including to serialized encryption keys.

The conclusion is quite obvious: as long as developers keep building queries with string concatenation and interpolation, the query language doesn't really matter. So you might be better off with something people are already familiar with.
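An added illustration of the point above, not code from the post or from Diaspora: the same MongoDB query document is built from user input twice, once by string concatenation (the anti-pattern) and once as a data structure, together with a shape check a defender can apply before a query reaches the driver. The id format, field names and sample inputs are constructed for this example.

```python
import json
import re

# Anti-pattern described in the post: the query document is assembled as text
# and parsed afterwards, so the *structure* of the document depends on the
# content of user_input, not only its value.
def build_query_unsafe(user_input: str) -> dict:
    return json.loads('{"_id": "' + user_input + '"}')


# Hardened form: the query is built as a data structure, and the value is
# validated against the format the application expects (constructed here as a
# 24-hex-character id). No parser ever sees user_input as syntax.
def build_query_safe(user_input: str) -> dict:
    if not isinstance(user_input, str) or not re.fullmatch(r"[0-9a-f]{24}", user_input):
        raise ValueError("expected a 24-character hex id")
    return {"_id": user_input}


# Defensive check usable at the boundary between application code and the
# driver: the query must carry exactly the keys the code intended, no key may
# start with '$' (operator names), and values must be scalars so that no
# nested document can smuggle operators in.
def query_shape_ok(doc: dict, allowed_keys: set) -> bool:
    if set(doc) != allowed_keys:
        return False
    return all(
        not k.startswith("$") and isinstance(v, (str, int, float, bool, type(None)))
        for k, v in doc.items()
    )


if __name__ == "__main__":
    # Constructed input: a closing quote followed by extra JSON text.
    crafted = 'x", "other_field": "y'
    print(build_query_unsafe(crafted))                         # two keys instead of one
    print(query_shape_ok(build_query_unsafe(crafted), {"_id"}))  # False
    print(query_shape_ok(build_query_safe("0123456789abcdef01234567"), {"_id"}))  # True
```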

Original title and link: MongoDB and Security via Diaspora (NoSQL databases © myNoSQL)

via: http://www.kalzumeus.com/2010/09/22/security-lessons-learned-from-the-diaspora-launch/