If I can guarantee the input ($value in the example below) is a string (i.e. an attacker can't inject using PHP magic array), is the following code sufficient for preventing injection?
$regex = str_replace('%', '', $value);
if (substr($value, 0, 1) != '%') $regex = '^' . $regex;
if (substr($value, -1) != '%') $regex = $regex . '$';
$value = new MongoRegex("/$regex/i");
Generally speaking, is MongoRegex("/$user-input/i") ok in terms of MongoDB security? Or should we take more precautions, as in the SQL world?
Array
– Sammaye
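An added example, not part of the original question or its comments: it compares the pattern built as posted with a variant that passes the literal part through preg_quote, so regex metacharacters in the input are matched as plain text. The function names and sample data are constructed for illustration, and preg_match stands in locally for the server-side match (MongoDB also uses PCRE) so the script runs without the mongo extension.

```php
<?php
// Added example with hypothetical helper names; preg_match is a local
// stand-in for the match MongoDB would perform with the same pattern.

// Pattern built the way the question builds it: only '%' is stripped,
// every other regex metacharacter in $value stays active.
function buildPatternAsPosted(string $value): string {
    $regex = str_replace('%', '', $value);
    if (substr($value, 0, 1) != '%') $regex = '^' . $regex;
    if (substr($value, -1) != '%') $regex = $regex . '$';
    return "/$regex/i";
}

// Same '%' wildcard handling, but the literal part is escaped with
// preg_quote (including the '/' delimiter) before the anchors are added.
function buildPatternEscaped(string $value): string {
    $regex = preg_quote(str_replace('%', '', $value), '/');
    if (substr($value, 0, 1) != '%') $regex = '^' . $regex;
    if (substr($value, -1) != '%') $regex = $regex . '$';
    return "/$regex/i";
}

// Returns the stored values that match the given pattern.
function matching(string $pattern, array $stored): array {
    return array_values(array_filter($stored, function ($s) use ($pattern) {
        return preg_match($pattern, $s) === 1;
    }));
}

// Constructed sample data and inputs.
$stored = ['alice', 'bob', 'a.b', 'axb', 'carol'];
$inputs = ['a.b', '.*', 'al%'];

foreach ($inputs as $input) {
    $builders = ['posted' => 'buildPatternAsPosted', 'escaped' => 'buildPatternEscaped'];
    foreach ($builders as $label => $fn) {
        $pattern = $fn($input);
        $hits = matching($pattern, $stored);
        printf("%-4s %-8s %-12s => [%s]\n", $input, $label, $pattern, implode(', ', $hits));
    }
}
```

With the posted construction, `a.b` also matches `axb` and `.*` matches every stored value; with the escaped construction both inputs match only their literal text, while `al%` still behaves as a prefix search.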