我有一个包含类别的集合,每个文档看起来像这样:
一个文档的小片段:
{
"category" : "Programming",
"keywords" : [
"SQL",
"PHP",
"C++"
]
}
当我运行以下命令时($ search来自stackoverflow上的问题):
db.categories.find({
$text : {
$search: 'If user input is inserted without modification into an SQL query, then the application becomes vulnerable to SQL injection, like in the following example: $unsafe_variable = $_POST[\'user_input\']; mysql_query("INSERT INTO `table` (`column`) VALUES (\'$unsafe_variable\')"); That\'s because the user can input something like value\'); DROP TABLE table;--, and the query becomes: INSERT INTO `table` (`column`) VALUES(\'value\'); DROP TABLE table;--\') What can be done to prevent this from happening?'
}
}, {category: 1})
我没有得到任何结果,但是当我将字符串截断为这样时:
db.categories.find({
$text : {
$search: 'If user input is inserted without modification into an SQL query'
}
}, {category: 1})
我确实得到了结果。为什么较长的字符串不给我结果,而第二个较短的字符串给我结果?
答案 0 :(得分:0)
好吧,我弄清楚出了什么问题,我正在做“精确搜索”和“排除搜索”,因为我在项目和-标志周围都有引号。删除它可以让我搜索我想要的东西并找回我想要的东西。
db.categories.find({
$text : {
$search: 'If user input is inserted without modification into an SQL query then the application becomes vulnerable to SQL injection like in the following example unsafevariable POST user input mysql query INSERT INTO table column VALUES unsafevariable Thats because the user can input something like value DROP TABLE table and the query becomes INSERT INTO table column VALUES value DROP TABLE table What can be done to prevent this from happening'
}
}, {category: 1})