Sunday, December 28, 2014

Regarding security aspects in MongoDB

I had a few questions regarding the security aspects of MongoDB.

1) Are query injection attacks not at all possible in MongoDB when using the Java driver?
    How are they possible when using JavaScript?
2) Are there any other security threats in MongoDB?

Please help me out. Please give me some useful links.



I am guessing at this, as my knowledge is limited too, but for 1) the difference is that Java is a strictly typed language and JavaScript is a loosely typed language. In other words, if you define a string variable for user input in Java and you try to assign an object to that variable, you'd get an error. With JS, you could be looking to assign a string to the variable, get an object instead, and JS would happily continue to process that input. That is why the golden rule is "Always sanitize user input!".

The link below has an explanation of what I mean, sort of, using PHP as an example, as PHP is a loosely typed scripting language similar to JS.


The person who answers also explains why it is harder to inject query language into Mongo than with SQL databases.

For 2) back to the golden rule, if you properly sanitize user input, you shouldn't have any issues with MongoDB (or with any other database for that matter).



That SO question is so wrong it is actually funny to see how upvoted it is.
MongoDB can suffer from operator injection. I cannot find that in the security docs for some reason: http://docs.mongodb.org/manual/core/security/ however, the problem is very real.
If you have a user who has the ability to inject operators via client-passed variables (using $), then you could have a misbehaving query.
It is advised to escape values that start with a $.
The second question is a broad one and depends on your setup.
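The operator injection described in the post above, as an added example that is not code from any poster or from the MongoDB project. It needs no database: it only builds the query document a driver would send and inspects it. The request body, the field names, and the key-stripping policy in stripOperatorKeys are constructed for the demonstration; the point is that in a loosely typed language JSON.parse hands you an object where you expected a string, and a $-prefixed key inside it becomes a query operator.

```javascript
// Added example (not from the thread or the MongoDB project). Shows how a $ operator slips
// into a query built from a loosely typed request body, and two ways to stop it. No driver
// or server is involved; only the query document is constructed and inspected.
// The request body, field names and stripping policy are constructed for the demo.

// Naive login lookup: assumes body.username and body.password are strings.
function buildLoginQueryNaive(body) {
  return { username: body.username, password: body.password };
}

// Walks a query document and returns the dotted paths of every $-prefixed key it finds.
function findOperatorKeys(doc, path = []) {
  const found = [];
  if (Array.isArray(doc)) {
    doc.forEach((item, i) => found.push(...findOperatorKeys(item, [...path, String(i)])));
  } else if (doc !== null && typeof doc === 'object') {
    for (const [key, value] of Object.entries(doc)) {
      const here = [...path, key];
      if (key.startsWith('$')) found.push(here.join('.'));
      found.push(...findOperatorKeys(value, here));
    }
  }
  return found;
}

// Defence 1: a field that must be a literal is required to be a scalar string.
function requireString(value, name) {
  if (typeof value !== 'string') {
    const got = Array.isArray(value) ? 'array' : value === null ? 'null' : typeof value;
    throw new TypeError(`${name} must be a string, got ${got}`);
  }
  return value;
}

function buildLoginQuerySafe(body) {
  return {
    username: requireString(body.username, 'username'),
    password: requireString(body.password, 'password'),
  };
}

// Defence 2: for input that must be accepted as a nested document (a profile update, say),
// drop every $-prefixed key recursively so nothing in it can be read as an operator.
function stripOperatorKeys(doc) {
  if (Array.isArray(doc)) return doc.map(stripOperatorKeys);
  if (doc !== null && typeof doc === 'object') {
    const clean = {};
    for (const [key, value] of Object.entries(doc)) {
      if (!key.startsWith('$')) clean[key] = stripOperatorKeys(value);
    }
    return clean;
  }
  return doc;
}

// Constructed attacker request: the password "value" is an object carrying an operator.
const attackerBody = JSON.parse('{"username": "admin", "password": {"$gt": ""}}');

const naiveQuery = buildLoginQueryNaive(attackerBody);
console.log('naive query:', JSON.stringify(naiveQuery));
console.log('operators found at:', findOperatorKeys(naiveQuery)); // [ 'password.$gt' ]
// { username: 'admin', password: { $gt: '' } } matches the admin document whenever its
// stored password is any non-empty string, so the lookup succeeds without the password.

try {
  buildLoginQuerySafe(attackerBody);
} catch (err) {
  console.log('safe builder rejected it:', err.message);
}
console.log('stripped:', JSON.stringify(stripOperatorKeys(attackerBody)));
// {"username":"admin","password":{}}: the operator is gone, and an empty object never
// equals a stored string password, so the login still fails.
```

The type check is the primary defence: a login field has no business being anything but a string, so refusing non-strings removes the whole class of problem. The recursive stripping is for the narrower case where a nested document genuinely has to be accepted from the client.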



I'd say the SO question is quite good. The O'Reilly book saying Mongo avoids SQL injection is what is wrong. Or rather, it is right, if you are only talking about RDBMS SQL injection. Of course that could never work. LOL!



> That SO question is so wrong is actually funny to see how upvoted it is.
>
> MongoDB can suffer from operator injection. I cannot find that in the
> security docs for some reason: http://docs.mongodb.org/manual/core/security/
> however, the problem is very real.
The drivers sometimes have it documented. For the PHP one, it's at
http://docs.php.net/manual/en/mongo.security.php



For SO to say that it avoids injection because of a lack of parsing is an incorrect view; it is now and it was in 2011.
As the good PHP doc documents it.



For example,
Case #1: suppose all the user-entered data is accepted as a String data type.

    import com.mongodb.BasicDBObject;
    import com.mongodb.DBCursor;

    BasicDBObject query = new BasicDBObject( "EMAILID" , "userEnteredValue" );
    DBCursor cursor = collection.find(query);

How about in this case? Is query injection still possible?

Case #2: suppose we are using $where in our BasicDBObject; there is a chance of query injection (since we can write JavaScript functions).

    // the user-entered string becomes the server-side JavaScript of the $where clause
    String userEnteredValue = "function() { return this._id; } ";
    BasicDBObject query = new BasicDBObject( "$where" , userEnteredValue );
    DBCursor cursor = collection.find(query);

In this case query injection is possible.
Is my understanding correct?

Please correct my understanding of this concept....
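The $where case from the post above, as an added example that is not code from the poster or from MongoDB. mongod evaluates a $where clause as JavaScript with `this` bound to each candidate document; the emulateWhere helper below mimics that locally with Function() so the effect can be seen without a server (it is an emulation, not the driver or the server). The documents, the EMAILID field and the inputs are constructed for the demonstration. It also shows the equality-match form from Case #1, which treats the value as data.

```javascript
// Added example (not from the thread or the MongoDB project). A $where clause assembled
// from user input is a JavaScript injection; the server-side evaluation is emulated here
// with Function() so the effect is visible offline. Documents and inputs are constructed.

const sampleDocs = [
  { _id: 1, EMAILID: 'alice@example.com', role: 'user' },
  { _id: 2, EMAILID: 'bob@example.com', role: 'admin' },
];

// Vulnerable: user input is spliced into JavaScript source, so the input is code.
function buildWhereQuery(userEnteredValue) {
  return { $where: "this.EMAILID == '" + userEnteredValue + "'" };
}

// Local stand-in for the server evaluating a $where expression against each document.
// (mongod also accepts a whole function here, as in Case #2 of the post; the expression
// form is enough to show the problem.)
function emulateWhere(query, collection) {
  const predicate = new Function('return (' + query.$where + ');');
  return collection.filter(doc => Boolean(predicate.call(doc)));
}

// Safe: the value is compared as data. A non-string is refused rather than passed on,
// which also closes the operator-injection route discussed earlier in the thread.
function buildEqualityQuery(userEnteredValue) {
  if (typeof userEnteredValue !== 'string') {
    throw new TypeError('EMAILID must be a string');
  }
  return { EMAILID: userEnteredValue };
}

// Local stand-in for a plain equality match.
function emulateEquality(query, collection) {
  return collection.filter(doc => doc.EMAILID === query.EMAILID);
}

const honestInput = 'alice@example.com';
const maliciousInput = "' || true || '"; // closes the quote and forces the predicate true

console.log('$where source:', buildWhereQuery(maliciousInput).$where);
// this.EMAILID == '' || true || ''
console.log('$where, honest:', emulateWhere(buildWhereQuery(honestInput), sampleDocs).map(d => d._id));       // [ 1 ]
console.log('$where, malicious:', emulateWhere(buildWhereQuery(maliciousInput), sampleDocs).map(d => d._id)); // [ 1, 2 ]
console.log('equality, malicious:', emulateEquality(buildEqualityQuery(maliciousInput), sampleDocs));         // []
```

The fix is not to escape quotes inside the $where string but to keep user input out of $where altogether: an equality match on a string-typed value can only ever compare, never execute.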

