Many of you have been working on FCC’s back-end section. The projects involve implementing databases which accept user input. I myself have one such Node project up and running with a MongoDB that accepts user input.
Today I found suspicious entries in my database. The following string was input as username and password:
"admin") or (“1”=“1”–"
I read that this is a classic SQL Injection tactic to return the admin password and a list of all users passwords. MongoDB is not an SQL database. The command input into my database does not look like anything I have used with MongoDB.
My input was not being validated at all until today. I added the following attribute to my form inputs in order to prevent this kind of thing:
pattern="^[a-zA-Z0-9_]*$"
I’m limiting the input to alphanumerics and underscores. I’m not sure though if this is sufficient to prevent these kinds of attacks. My fix seems naive. Surely any protection I implement on the client-side could be sidestepped by a proficient hacker?
Have any other campers seen something like this in their projects? Does anyone more experienced have any suggestions? Especially as it relates specifically to MongoDB, because this is what we were taught to use. I wonder if application security should be added to the FCC curriculum?
I appreciate hearing from you guys.
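The server-side counterpart to the pattern attribute from the post, as an added example that is not code from the original post or from the FCC curriculum: the same rule is re-checked in the Node login route, where a client that skips the form cannot bypass it, and the value's type is checked because a JSON body can carry objects or arrays where a string was expected. The function names, the findUser/verifyPassword stubs and the sample user are assumptions for illustration.

```javascript
// Added example (not code from the original post): server-side checks for a
// Node + MongoDB login route. Function names and the in-memory stubs below
// are assumptions, not part of any FCC project.
const USERNAME_RE = /^[a-zA-Z0-9_]{1,32}$/;

// Same rule as the HTML pattern attribute, re-applied on the server. JSON body
// parsers can hand the handler objects or arrays instead of strings, so the
// type check comes before the regex.
function isValidUsername(value) {
  return typeof value === 'string' && USERNAME_RE.test(value);
}

// A password is hashed and never placed in a query, so it only needs to be a
// string of bounded length; restricting its character set would weaken it.
function isValidPassword(value) {
  return typeof value === 'string' && value.length >= 8 && value.length <= 128;
}

// Build the MongoDB filter only from a validated string, so the filter always
// has the fixed shape { username: <string> } regardless of what was submitted.
function buildLoginFilter(username) {
  if (!isValidUsername(username)) throw new TypeError('invalid username');
  return { username };
}

// Express-style handler body. `findUser(filter)` stands in for
// collection.findOne(filter); `verifyPassword` for a bcrypt-style compare.
async function handleLogin(body, findUser, verifyPassword) {
  if (!isValidUsername(body.username) || !isValidPassword(body.password)) {
    // Reject before touching the database (a good place to log the attempt).
    return { status: 400, body: { error: 'invalid credentials format' } };
  }
  const user = await findUser(buildLoginFilter(body.username));
  if (!user || !(await verifyPassword(body.password, user.passwordHash))) {
    return { status: 401, body: { error: 'login failed' } };
  }
  return { status: 200, body: { user: user.username } };
}

// Constructed in-memory stand-ins so the example runs without a database.
const users = [{ username: 'alice', passwordHash: 'hash:correct horse' }];
const findUser = async (filter) =>
  users.find((u) => u.username === filter.username) || null;
const verifyPassword = async (pw, hash) => hash === 'hash:' + pw;
```

The string from the post (straight-quoted) fails isValidUsername and is rejected with a 400 before any query is built.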