Fix NoSQL Injection in Lumen
NoSQL Injection in Lumen applications that query MongoDB (typically through jenssegers/mongodb, now maintained as mongodb/laravel-mongodb) is a critical flaw where unsanitized user input is passed directly into a query filter. Because a MongoDB filter is a structured document rather than a string, an attacker who can supply an object where the code expects a scalar gets to inject operators such as '$ne', '$gt' or '$where' to bypass authentication, leak data, or tie up the server. If you're passing $request->all() or raw input values into a query, assume the query logic is under attacker control.
The Vulnerable Pattern
public function login(Request $request) {
    // VULNERABLE: neither value is checked to be a scalar.
    // A JSON body such as {"username": "admin", "password": {"$ne": ""}}
    // makes input('password') return the PHP array ['$ne' => ''].
    // The builder compiles where('password', $value) to ['password' => $value],
    // so the filter becomes {password: {$ne: ""}} and any account matches.
    $user = User::where('username', $request->input('username'))
        ->where('password', $request->input('password'))
        ->first();

    return $user ? "Logged in" : "Failed";
}
The Secure Implementation
The vulnerability exists because a MongoDB query filter is a document, not a string: a field's value may itself be an object carrying operators. When Lumen receives a JSON request, $request->input('password') returns whatever was decoded at that key, so {"password": {"$ne": ""}} yields the PHP array ['$ne' => '']. The query builder compiles where('password', $value) to ['password' => $value] without inspecting the value, so the attacker's array becomes part of the query logic. The fix is twofold: 1) validate the input with Lumen's validator using the 'string' rule, which rejects arrays and objects before the query is ever built, and 2) cast the values to (string) as defense in depth so that nothing nested can reach the driver even if a rule is later loosened. Note that casting an array to (string) in PHP produces the literal string "Array" and raises an E_WARNING, so the cast is a backstop, not the primary control; the validation is what actually stops the payload. Independently of the injection, both handlers compare the password field as stored plaintext; a production login should load the user by username alone and verify the submitted password with Hash::check() against a stored hash.
public function login(Request $request) {
    // SECURE: strict validation rejects non-string (array/object) values
    // before any query is built.
    $this->validate($request, [
        'username' => 'required|string',
        'password' => 'required|string',
    ]);

    // Defense in depth: force scalars so nothing nested reaches the driver.
    $username = (string) $request->input('username');
    $password = (string) $request->input('password');

    // NOTE: this still compares a plaintext password, as in the original;
    // a real login should look up by username and use Hash::check().
    $user = User::where('username', $username)
        ->where('password', $password)
        ->first();

    return $user ? "Logged in" : "Failed";
}
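To make the data flow concrete, here is an added example (not code from the original page, Lumen, or the MongoDB driver) that runs with plain PHP and no framework. It assumes Lumen parses a JSON body the way json_decode(..., true) does and that where('field', $value) compiles to ['field' => $value], as described above; the helper names (decodeJsonBody, buildVulnerableFilter, containsMongoOperator, requireStrings) and the two sample request bodies are constructed for this illustration. It shows the bypass payload turning into an operator clause, a recursive check that flags any '$'-prefixed key (useful for request logging or a pre-query guard), and a strict string check equivalent to the 'required|string' rule.

```php
<?php
// Added example: reproduces the injectable data flow of the login handler
// above and the two guards the fix relies on. Plain PHP 8, no Lumen needed.
declare(strict_types=1);

// Stand-in for Lumen's JSON body parsing (assumption): json_decode(..., true)
// turns {"password": {"$ne": ""}} into ['password' => ['$ne' => '']],
// which is exactly what $request->input('password') would return.
function decodeJsonBody(string $body): array
{
    $decoded = json_decode($body, true, 512, JSON_THROW_ON_ERROR);
    return is_array($decoded) ? $decoded : [];
}

// Mirrors what the vulnerable controller hands to the driver (assumption):
// where('password', $value) with a single value compiles to
// ['password' => $value], so an array value becomes an operator clause.
function buildVulnerableFilter(array $input): array
{
    return [
        'username' => $input['username'] ?? null,
        'password' => $input['password'] ?? null,
    ];
}

// Recursively reports whether a decoded body (or a compiled filter) contains
// a key beginning with '$', the signature of an injected MongoDB operator.
function containsMongoOperator(mixed $value): bool
{
    if (!is_array($value)) {
        return false;
    }
    foreach ($value as $key => $item) {
        if (is_string($key) && $key !== '' && $key[0] === '$') {
            return true;
        }
        if (containsMongoOperator($item)) {
            return true;
        }
    }
    return false;
}

// Guard equivalent to 'required|string': refuses anything that is not a
// non-empty string instead of coercing it (a (string) cast on an array
// would only yield the literal "Array" plus an E_WARNING).
function requireStrings(array $input, array $fields): array
{
    $out = [];
    foreach ($fields as $field) {
        $value = $input[$field] ?? null;
        if (!is_string($value) || $value === '') {
            throw new InvalidArgumentException("Field '$field' must be a non-empty string");
        }
        $out[$field] = $value;
    }
    return $out;
}

// Constructed sample requests: a normal login and the authentication bypass.
$benign = '{"username":"alice","password":"s3cret"}';
$attack = '{"username":"admin","password":{"$ne":""}}';

foreach ([$benign, $attack] as $body) {
    $input  = decodeJsonBody($body);
    $filter = buildVulnerableFilter($input);
    printf("%s\n  unguarded filter:  %s\n  operator injected: %s\n",
        $body,
        json_encode($filter),
        containsMongoOperator($filter) ? 'yes' : 'no');
    try {
        $clean = requireStrings($input, ['username', 'password']);
        printf("  guarded: accepted %s\n", json_encode($clean));
    } catch (InvalidArgumentException $e) {
        printf("  guarded: rejected (%s)\n", $e->getMessage());
    }
}
```

Run it with php nosql_demo.php. The benign body passes both paths unchanged, while the attack body produces the filter {"username":"admin","password":{"$ne":""}} in the unguarded path and is rejected by requireStrings before any query would be built. containsMongoOperator is the piece worth reusing outside the fix itself: applied to decoded request bodies in an access log, it flags attempts to smuggle operators into any endpoint, not just login.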
Verified by Ghost Labs Security Team