Using Firebase for the first time after a strong background in SQL. I'm used to using functions like addslashes()
to sanitize user input into queries.
Is there any standard way of doing the similar thing with Firebase lookups?
For example:
// expected a key, not a path
var userProvidedKey = "3/malicious"
// will not be a ref to what I expect
var ref = firebase.database().ref(`something/${userProvidedKey}`)
I don't know how malicious it can be for a user to be able to search further down in a ref, but maybe this problem is solved? Or do I need to .split('/').shift()
any inputs that I receive?
Note: Using the JS SDK for my examples.
Input/output should always be sanitized and validated before entering the database.
Firebase provides security and data validation checks to be used in your application. Firebase also provides rules in its database to determine which users have write/read access to which data in the database.
For more information read the documentation about the Firebase realtime database.
Found this thread Adding Firebase data, dots and forward slashes that may answer some practical questions on Firebase specific sanitation.
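As an added example (not code from the question, the answer, or the Firebase SDK itself), the following shows the validate-then-build approach that the question's `split('/').shift()` idea and the answer's "validate before entering the database" advice both point at: each user-supplied path segment is checked against the Realtime Database key restrictions (no `.`, `$`, `#`, `[`, `]`, `/`, no ASCII control characters, non-empty, at most 768 bytes of UTF-8) and rejected rather than silently truncated. The function names `isValidKey`, `buildPath` and `demo` are this example's own; the Firebase SDK is not imported, and the `ref()` call is shown only in a comment.

```javascript
// Added example, not from the original thread. Validates user-supplied
// Realtime Database keys before they are used to build a reference path.
// The restrictions encoded here are Firebase's documented key rules:
// a key may not contain . $ # [ ] / or ASCII control characters (0-31, 127),
// must be non-empty, and must be at most 768 bytes when UTF-8 encoded.
const FORBIDDEN_KEY_CHARS = /[.$#\[\]\/\x00-\x1f\x7f]/;
const MAX_KEY_BYTES = 768;

// Returns true only if `key` is usable as a single path segment.
function isValidKey(key) {
  if (typeof key !== 'string' || key.length === 0) return false;
  if (FORBIDDEN_KEY_CHARS.test(key)) return false;
  // Length limit is in UTF-8 bytes, not JS string length.
  return new TextEncoder().encode(key).length <= MAX_KEY_BYTES;
}

// Joins fixed and user-provided segments into a path, throwing on any
// segment that is not a valid key. Rejecting is preferable to stripping
// (e.g. split('/').shift()) because a stripped value is still attacker-chosen
// and may silently point at a different node than intended.
function buildPath(...segments) {
  for (const seg of segments) {
    if (!isValidKey(seg)) {
      throw new Error(`invalid database key: ${JSON.stringify(seg)}`);
    }
  }
  return segments.join('/');
}

// The question's scenario: a caller expects a key but receives a path.
// With the SDK loaded you would then write
//   firebase.database().ref(buildPath('something', userProvidedKey))
// or chain one .child(validatedKey) call per segment.
function demo(userProvidedKey) {
  try {
    return { ok: true, path: buildPath('something', userProvidedKey) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Constructed sample inputs for a stand-alone run.
console.log(demo('3'));            // { ok: true, path: 'something/3' }
console.log(demo('3/malicious'));  // { ok: false, error: 'invalid database key: "3/malicious"' }
```

Client-side validation like this only keeps well-behaved code from building the wrong reference; a hostile client can call the SDK directly with any path it likes, so the authoritative check remains the database security rules on the server side, as the answer above notes.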