Fix NoSQL Injection in CodeIgniter

NoSQL Injection in CodeIgniter environments—typically leveraging MongoDB—occurs when untrusted input is merged directly into query filters. Unlike SQLi which relies on syntax manipulation, NoSQLi exploits PHP's associative array handling to inject operators like $gt, $ne, or $regex. If you're piping $_POST directly into a find() call, your auth logic is likely bypassable.

The Vulnerable Pattern

// Controller logic receiving raw input
$username = $this->request->getPost('username');
$password = $this->request->getPost('password');
// VULNERABLE: Input is passed without type enforcement.
// Attack: curl -d ‘username=admin&password[$ne]=1’ http://target/login
$user = $this->mongoClient->db->users->findOne([
‘user’ => $username,
‘pass’ => $password
]);

The Secure Implementation

The vulnerability stems from PHP's loose typing and MongoDB's query structure. When an attacker sends 'password[$ne]=1', CodeIgniter's input helper interprets this as an array: ['password' => ['$ne' => '1']]. The MongoDB driver sees the '$ne' key and executes a 'Not Equal' query, allowing an attacker to log in without knowing the password. By casting the input to (string), you force the driver to treat the payload as a literal string value, effectively neutralizing the operator. Always use CI4's Validation library to enforce 'string' types at the controller boundary.

// SECURE: Explicitly cast to string to neutralize operator arrays
$username = (string) $this->request->getPost('username');
$password = (string) $this->request->getPost('password');
$user = $this->mongoClient->db->users->findOne([
‘user’ => $username,
‘pass’ => $password
]);
// ALTERNATIVE: Use CI4 Validation service for strict typing
$rules = [
‘username’ => ‘required|alpha_numeric_space|min_length[3]’,
‘password’ => ‘required|string’
];
if (!$this->validate($rules)) {
return $this->fail($this->validator->getErrors());
}