SQL Injection - Finding suspicious entries in my MongoDB database

Many of you have been working on FCC’s back-end section. The projects involve implementing databases which accept user input. I myself have one such Node project up and running with a MongoDB that accepts user input.

Today I found suspicious entries in my database. The following string was input as username and password:

"admin") or ("1"="1"--"

I read that this is a classic SQL Injection tactic to return the admin password and a list of all users passwords. MongoDB is not an SQL database. The command input into my database does not look like anything I have used with MongoDB.

My input was not being validated at all until today. I added the following attribute to my form inputs in order to prevent this kind of thing:


I’m limiting the input to alphanumerics and underscores. I’m not sure though if this is sufficient to prevent these kinds of attacks. My fix seems naive. Surely any protection I implement on the client-side could be sidestepped by a proficient hacker?

Have any other campers seen something like this in their projects? Does anyone more experienced have any suggestions? Especially as it relates specifically to MongoDB, because this is what we were taught to use. I wonder if application security should be added to the FCC curriculum?

I appreciate hearing from you guys.

Not an expert in any way, but this should have no consequences. Somebody tried SQL injection, but you don’t use SQL.

That said (probably incorrect), you should always validate user input.

To your point, validation should happen on the backend.

It sucks that someone is trying to find holes in your security. The good news is they are using methods that are about 10 years outdated, so they may just have googled ‘How can I haz haxxor ski11z?’ and tried the first thing that popped up.

It would be worth reading up on security issues and fixes for your stack, though.

Express and Node have pages outlining best practices for security. And there are plenty of articles around, too.


Oh, and validation is good, but you also want to look at ‘sanitizing’ any inputs, which is related, but a bit different.
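To make the advice in this thread concrete (validate on the back end, not just with an HTML attribute, and keep the query separate from the raw input), here is an added example that is not code from the original post or from FCC. It assumes an Express app with a body parser and a `users` collection queried through the official Node MongoDB driver; the function and field names are hypothetical. The username rule mirrors the alphanumerics-and-underscores pattern the OP used client-side, but it is enforced where it cannot be sidestepped, and it also rejects anything that is not a plain string, which matters for MongoDB because a body parser can hand the server an object, and an object placed into a query document is read as a set of operators rather than as a literal value.

```javascript
// Added example (not from the original thread): server-side validation for
// login fields before they reach a MongoDB query.
// Assumptions (hypothetical): Express with express.json()/urlencoded body
// parsing, a `users` collection from the official Node driver, and a
// verifyHash(password, storedHash) function such as bcrypt.compare.

const USERNAME_RE = /^[A-Za-z0-9_]{3,32}$/;

// Returns null when the value is acceptable, otherwise a reason string.
function validateUsername(value) {
  // Type check first: MongoDB interprets an object in a query document as
  // operators, so only a plain string may ever be placed in the filter.
  if (typeof value !== 'string') return 'username must be a string';
  if (!USERNAME_RE.test(value)) {
    return 'username must be 3-32 characters of A-Z, a-z, 0-9 or _';
  }
  return null;
}

// Passwords are never placed in a query, so the only rules are type and length.
function validatePassword(value) {
  if (typeof value !== 'string') return 'password must be a string';
  if (value.length < 8 || value.length > 128) {
    return 'password must be 8-128 characters';
  }
  return null;
}

// Builds the MongoDB filter from a validated string only, so nothing the
// client sent can change the shape of the query.
function buildLoginFilter(body) {
  const err = validateUsername(body && body.username);
  if (err) return { ok: false, error: err };
  return { ok: true, filter: { username: body.username } };
}

// Express route factory (hypothetical). The password is compared against the
// stored hash in application code, not matched inside the database query.
function loginHandler(usersCollection, verifyHash) {
  return async (req, res) => {
    const built = buildLoginFilter(req.body);
    const pwErr = validatePassword(req.body && req.body.password);
    if (!built.ok || pwErr) {
      return res.status(400).json({ error: built.error || pwErr });
    }
    const user = await usersCollection.findOne(built.filter);
    if (!user || !(await verifyHash(req.body.password, user.passwordHash))) {
      return res.status(401).json({ error: 'invalid credentials' });
    }
    return res.json({ ok: true });
  };
}

// Constructed sample inputs: the string from the original post, an object
// value as a body parser could deliver it, and a normal username.
const samples = [
  '"admin") or ("1"="1"--',
  { $ne: null },
  'camper_42',
];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', validateUsername(s) || 'accepted');
}
```

Wiring it up is `app.post('/login', loginHandler(db.collection('users'), bcrypt.compare))`. The `pattern` attribute on the form can stay for user feedback, but the route above is the check that actually protects the database, and because the filter is built only from a validated string, a query like `{ username: ... }` cannot be turned into `{ username: { $ne: ... } }` by the client.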