
I am looking at using MongoDB with CodeIgniter; however, my concern is how data is inserted into the database. Most examples take the post values directly into a collection, which is a dream because it removes an extra step... however, a user could easily inject/overwrite values going into the database. Compared to SQL, where you would map fields one-to-one in the database, there appear to be no examples of how one would avoid this type of data injection...

Potentially I see two problems, namely additional values being injected and fields containing incorrect datatypes, i.e. a name containing an array or object.

Is the solution to build model classes to map my POST data to along with datatypes or is there an easier method?

EXAMPLE: MongoDB and CodeIgniter

on_

2 Answers


Looking around I guess the only solution would be to map it into a local array or model class. An example from: http://www.php.net/manual/en/mongo.tutorial.php would be more like:

$post = $this->input->post();                      // all POST fields as an array
$document = array( "title" => (string)$post['title'], "online" => (bool)$post['online']);  // only the known keys, cast to the expected type
$collection->insert($document);

What does everyone think?

on_
  • Casting values to the expected type is a fine approach. When using something like [Doctrine ODM](http://docs.doctrine-project.org/projects/doctrine-mongodb-odm/en/latest/), you would have model classes and properties would be mapped to types for MongoDB, but it's still a best practice to do casting in your setter methods. The added benefit of using an ODM would be handling related documents (embedded or referenced), but if your documents are mostly flat, the above example is easy and forgoes the overhead of an ODM. – jmikola Feb 12 '14 at 20:49
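A schema-driven version of the casting idea from this answer, as an added example that is not code from the question or the answers: it takes the array returned by `$this->input->post()`, drops every key not declared in the schema, and rejects values of the wrong shape, so neither an injected field nor a name posted as an array reaches the collection. The `sanitize_document` function, the schema format and the sample request are assumptions for illustration.

```php
<?php
// Whitelist and type-check a POST array against a declared schema before
// it is handed to MongoDB. Unknown keys are dropped; wrong shapes throw.
function sanitize_document(array $input, array $schema)
{
    $doc = array();
    foreach ($schema as $field => $type) {
        if (!array_key_exists($field, $input)) {
            throw new InvalidArgumentException("missing field '$field'");
        }
        $value = $input[$field];
        if (is_array($type)) {               // embedded document: recurse with sub-schema
            if (!is_array($value)) {
                throw new InvalidArgumentException("'$field' must be an object");
            }
            $doc[$field] = sanitize_document($value, $type);
            continue;
        }
        switch ($type) {
            case 'string':                   // POST gives strings or arrays; arrays are rejected
                if (!is_string($value)) {
                    throw new InvalidArgumentException("'$field' must be a string");
                }
                $doc[$field] = $value;
                break;
            case 'bool':                     // accepts "1"/"0", "true"/"false", "on"/"off", ...
                $b = is_scalar($value)
                    ? filter_var($value, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE)
                    : null;
                if ($b === null) {
                    throw new InvalidArgumentException("'$field' must be a boolean");
                }
                $doc[$field] = $b;
                break;
            case 'string[]':                 // list of strings, re-indexed so it stays a BSON array
                if (!is_array($value) || $value !== array_filter($value, 'is_string')) {
                    throw new InvalidArgumentException("'$field' must be a list of strings");
                }
                $doc[$field] = array_values($value);
                break;
            default:
                throw new LogicException("unknown schema type '$type'");
        }
    }
    return $doc;
}

// Constructed request: 'role' is not in the schema and is silently dropped.
$post = array('title' => 'Hello', 'online' => 'on', 'tags' => array('php', 'mongo'),
              'author' => array('name' => 'on_'), 'role' => 'admin');
$schema = array('title' => 'string', 'online' => 'bool', 'tags' => 'string[]',
                'author' => array('name' => 'string'));
$document = sanitize_document($post, $schema);   // ready for $collection->insert($document)
```

Fields that may legitimately be absent (an unchecked checkbox is not posted at all) need an explicit optional marker in the schema rather than the required-by-default rule used here.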

CodeIgniter has full active record abilities to help you deal with validation and sanitation of data: http://ellislab.com/codeigniter/user-guide/database/active_record.html

However, you can also use something like Doctrine 2: http://docs.doctrine-project.org/en/2.0.x/cookbook/integrating-with-codeigniter.html to solve this, which has a fully fitted MongoDB version of itself.

Sammaye
  • Yeah, but neither library would know what data structure to expect. – on_ Jan 31 '14 at 13:59
  • @on_ it appears in CodeIgniter they only have form validation: http://ellislab.com/codeigniter%20/user-guide/libraries/form_validation.html but it is the same thing, you would make a model per form and validate it there – Sammaye Jan 31 '14 at 14:04
  • I know about form_validation - that would be used regardless... what it does not do, however, is accommodate datatypes and additional fields injected via post. – on_ Jan 31 '14 at 14:11
  • @on_ doesn't CI constrict data type and fields based on form validation? – Sammaye Jan 31 '14 at 14:12
  • There are only decimal and numeric checks. Seeing as the SQL databases would toss out bad datatypes, now with NoSQL some data would be an array or object and we would want to make sure it is that data type... as you can see we are struggling to move over to this document type thinking – on_ Jan 31 '14 at 14:20
  • @on_ Indeed, normally I would be of more (some) help, but I actually use Yii most of the time; I just assumed CI was relatively similar – Sammaye Jan 31 '14 at 14:28