When asked why MongoDB uses its own query language instead of SQL, the answer was that using JSON for both data and queries made more sense, and that it helped avoid injection attacks. As Patrick McKenzie’s post on the recently released Diaspora shows, the second claim is not quite true:
Diaspora uses MongoDB, one of the new sexy NoSQL database options. I use a few myself. They have a few decades less experience getting exploited than the old relational databases you know and love, so let’s start: I claim this above code snippet gives me full read access to the database, including to serialized encryption keys.
The conclusion is obvious: as long as developers assemble queries by string concatenation and interpolation, the query language does not matter. Injection comes from how the query is built, not from whether it is written in SQL or JSON, and a JSON query language only keeps its injection resistance while the query is constructed as a document rather than as text. So you might be better off with something people are already familiar with.
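The post refers to the Diaspora snippet without reproducing it, so here is an added example (mine, not code from the post or from Diaspora) of the failure mode the conclusion describes: a search that interpolates the user’s string into a MongoDB `$where` JavaScript predicate, next to the same search expressed as a query document. The `find` function, the sample `PEOPLE` documents and the `ATTACK` string are all constructed for this example; `find` simulates only the one server behaviour that matters here, namely that mongod compiles a `$where` string into a function and evaluates it against every document with `this` bound to that document.

```javascript
// Added example; not code from the post or from Diaspora.
// Constructed sample collection standing in for a `people` collection that
// also stores each person's serialized key.
const PEOPLE = [
  { _id: 1, diaspora_handle: "alice@pod.example", serialized_key: "KEY-ALICE" },
  { _id: 2, diaspora_handle: "bob@pod.example",   serialized_key: "KEY-BOB" },
  { _id: 3, diaspora_handle: "carol@pod.example", serialized_key: "KEY-CAROL" },
];

// Minimal stand-in for the server's query executor (constructed for the example).
// A `$where` string is compiled to a function and run once per document with
// `this` bound to the document, which is what mongod does with server-side JS.
// A plain { field: RegExp } query document is matched structurally; no user
// supplied text is ever compiled as code on that path.
function find(collection, query) {
  if (typeof query.$where === "string") {
    const predicate = new Function(`return (${query.$where});`);
    return collection.filter((doc) => predicate.call(doc));
  }
  return collection.filter((doc) =>
    Object.entries(query).every(([field, re]) => re.test(String(doc[field]))));
}

// VULNERABLE: the search term is interpolated straight into the JavaScript
// source of the predicate. The "query language" is JSON, but the query is
// still being assembled as a string, exactly like a concatenated SQL query.
function searchVulnerable(q) {
  return find(PEOPLE, { $where: `this.diaspora_handle.match(/^${q}/i)` });
}

// Constructed attack input. Inside the regex literal /^${q}/i it closes the
// regex and the match() call, ORs in `true`, and reopens a regex so the
// remaining `/i)` still parses:
//   this.diaspora_handle.match(/^x/i) || true || (/x/i)
// The predicate is now true for every document: full read access.
const ATTACK = "x/i) || true || (/x";

// HARDENED: build a query document, not a string. The prefix match is
// expressed as a RegExp value built from an escaped term, so the server
// compares data against data and never evaluates the term as code.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\\/]/g, "\\$&");
}
function searchSafe(q) {
  return find(PEOPLE, { diaspora_handle: new RegExp("^" + escapeRegExp(q), "i") });
}

// Number of documents each variant returns for a given search term.
function hitCount(search, q) {
  return search(q).length;
}

console.log("legit  / vulnerable:", hitCount(searchVulnerable, "ali"));
console.log("attack / vulnerable:", hitCount(searchVulnerable, ATTACK));
console.log("legit  / safe      :", hitCount(searchSafe, "ali"));
console.log("attack / safe      :", hitCount(searchSafe, ATTACK));
```

The honest search term returns one person on both paths; the attack string returns the whole collection, serialized keys included, on the interpolating path and nothing on the query-document path. Escaping the term before interpolating it into the `$where` source would close this particular hole, but it keeps the query-as-string design; dropping `$where` in favour of a query document removes the class of bug.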
Original title and link: MongoDB and Security via Diaspora (NoSQL databases © myNoSQL)