Securing database operations
It goes without saying that every piece of data must be verified before it is inserted into or used to update the database. The first rule has always been: never trust input from users. SQL injection, XSS, and many similar attacks succeed precisely because data is not checked against the necessary validation logic.
Whenever database operations are performed without an abstraction layer, developers must be especially cautious about the data they pass in. Database operation code should be written defensively, on the assumption that inputs may be malicious. In the case of SQL, rather than building raw query strings and executing them, it is better to use prepared statements, which protect us at least from basic SQL injection. MongoDB has no prepared statements: we always build a query object and pass it to the operation methods (find, update, and remove), so whatever reaches that object from the request becomes part of the query.
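Since a MongoDB query is just an object, the defensive step is to make sure untrusted input can only ever become a plain value in it, never a key. The following is an added example, not code from the book; it assumes an Express-style handler receiving a parsed JSON body, and the function and field names are hypothetical.

```javascript
// Added example (not from the book): building MongoDB filters and update
// documents from untrusted request input without letting that input supply
// query operators or field paths. No database connection is needed to run it.

// Accept only a plain string of sane length; anything else (object, array,
// number) is refused rather than passed through to the query object.
function requireString(value, name, maxLen = 128) {
  if (typeof value !== 'string') {
    throw new TypeError(`${name} must be a string`);
  }
  if (value.length === 0 || value.length > maxLen) {
    throw new RangeError(`${name} has invalid length`);
  }
  return value;
}

// Recursively drop keys MongoDB would interpret specially: operator keys
// ('$'-prefixed) and dotted keys (field-path traversal). Intended for
// document payloads such as profile updates where nesting is legitimate.
function stripOperators(input) {
  if (Array.isArray(input)) {
    return input.map(stripOperators);
  }
  if (input !== null && typeof input === 'object') {
    const out = {};
    for (const [key, value] of Object.entries(input)) {
      if (key.startsWith('$') || key.includes('.')) continue;
      out[key] = stripOperators(value);
    }
    return out;
  }
  return input;
}

// Build the filter for a user lookup: the username is forced to be a plain
// string, so a body whose username is an object is rejected up front.
function buildUserFilter(body) {
  return { username: requireString(body.username, 'username') };
}

// Build a $set document from a profile update body: only whitelisted fields
// are copied, and nested values are sanitised before reaching the query.
function buildProfileUpdate(body) {
  const allowed = ['displayName', 'bio', 'preferences'];
  const fields = {};
  for (const key of allowed) {
    if (body[key] !== undefined) fields[key] = stripOperators(body[key]);
  }
  return { $set: fields };
}
```

In the handler, the returned objects are passed directly to `collection.findOne(...)` and `collection.updateOne(filter, update)`; the request body itself never is.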
Attackers can try to attack for various purposes. One would...