Is there a way to bind parameters during a Doctrine ODM MongoDB query?
$path = $this->objectManager->getRepository("MyBundle:MyDocument")
->findOneBy(array("slug" => new MongoRegex("/^slug/")))
;
This would be instead of having to do string concatenation where slug appears above.
The short take is that you generally do not have to worry about the same category of string injection problems as an SQL injection, because the requests sent to a MongoDB server are in an object format (BSON) rather than a string format like SQL.
A typical SQL injection attack involves manipulating variables that will be concatenated into an SQL query string. The SQL bind parameters are placeholders for the variables that limit the acceptable values via escaping and/or type checking. In the BSON format, the aspects of the query are saved in an object format that limits the scope of the values to that field.
If you are passing values for server-side JavaScript execution, such as in a $where query, you do have to apply some caution in filtering user-provided input. Server-side JavaScript is generally discouraged as it can have some detrimental performance effects.
For more information see the MongoDB wiki page "Do I have to worry about SQL Injection". Of course there actually is no SQL support in MongoDB, so this page would more aptly be named "Should I worry about Parameter Injection Attacks" ;-).
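The two points above (the question's string concatenation into a MongoRegex pattern, and the answer's caveat about $where) in working code, as an added example that is not part of the original question or answer. It assumes the legacy ext-mongo driver the question uses (MongoRegex), a Doctrine ODM repository already in $repository, and untrusted request data in $userInput.

```php
<?php
// Added example (not from the original question or answer). Assumes the legacy
// ext-mongo driver the question uses (MongoRegex), a Doctrine ODM
// DocumentRepository in $repository, and untrusted request data in $userInput.

/**
 * Build the "slug starts with ..." criteria without concatenating raw input
 * into the pattern. preg_quote() neutralises regex metacharacters, and '/' is
 * passed as the delimiter so a literal '/' in the input is escaped as well.
 */
function slugPrefixCriteria($userInput)
{
    $pattern = '/^' . preg_quote($userInput, '/') . '/';
    return array('slug' => new MongoRegex($pattern));
}

/**
 * An exact match needs no escaping at all: the value travels as a BSON string
 * scoped to the "slug" field, which is the point the answer makes.
 */
function slugEqualsCriteria($userInput)
{
    return array('slug' => (string) $userInput);
}

// Without preg_quote, an input such as ".*" would turn the prefix filter into a
// match-everything pattern; with it, the same input only matches slugs that
// literally start with ".*".
$document = $repository->findOneBy(slugPrefixCriteria($userInput));
$exact    = $repository->findOneBy(slugEqualsCriteria($userInput));

// The same filter expressed as server-side JavaScript, e.g.
//   array('$where' => "this.slug.indexOf('" . $userInput . "') === 0")
// really does splice the input into code, which is the one case the answer
// says needs careful filtering; the BSON criteria above avoid it entirely.
```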