Fix NoSQL Injection in Slim
NoSQL Injection in Slim/PHP environments typically arises when raw user-controlled arrays are passed directly into MongoDB query filters. Attackers leverage operators like '$gt', '$ne', or '$where' to bypass authentication or exfiltrate data. If you are piping 'request->getParsedBody()' straight into a 'find()' call without sanitization, your application is trivially exploitable.
The Vulnerable Pattern
$app->post('/api/user/lookup', function ($request, $response) {
    $params = $request->getParsedBody();
    // VULNERABLE: a JSON body of {"id": {"$ne": null}} arrives as a nested PHP array,
    // so the filter becomes ['_id' => ['$ne' => null]] and matches the first user in the collection
    $user = $this->db->users->findOne([
        '_id' => $params['id']
    ]);
    return $response->withJson($user);
});
The Secure Implementation
The vulnerability exists because PHP's MongoDB driver accepts nested arrays as query filters. When an attacker submits a JSON object where a scalar string is expected, the driver interprets the object's keys as query operators. Casting the input to a string forces the driver to treat it as a literal value rather than a command (note that casting a PHP array to string yields the literal "Array" and emits a notice or warning, so the cast neutralises the operator but does not by itself reject the bad request). For IDs, additionally wrap the input in the 'ObjectId' constructor, which only accepts a 24-character hexadecimal string and throws on anything else, so operator injection into an ID lookup is prevented entirely.
$app->post('/api/user/lookup', function ($request, $response) {
    $params = $request->getParsedBody();
    // SECURE: cast to string so NoSQL operators are treated as literal values.
    // A nested array such as {"$ne": null} becomes the string "Array" here (PHP warns),
    // which the ObjectId constructor below then rejects.
    $safeId = (string)($params['id'] ?? '');
    // STRONGER: also wrap the value in MongoDB\BSON\ObjectId to enforce the 24-hex-character format
    try {
        $user = $this->db->users->findOne([
            '_id' => new \MongoDB\BSON\ObjectId($safeId)
        ]);
    } catch (\Exception $e) {
        // Malformed or non-scalar id: refuse the request instead of querying
        return $response->withStatus(400);
    }
    return $response->withJson($user);
});
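The following is an added example, not code from the original page or from the Slim project: standalone guards that enforce the two checks described above (scalar-only input and ObjectId shape) and additionally flag any '$'-prefixed key anywhere in a parsed body, run against the exact payload from the vulnerable pattern. Function names are assumptions, and the sample bodies are constructed; it runs without ext-mongodb.

```php
<?php
// Added example, not from the original page: guards for Slim route handlers that
// reject operator-bearing filter values. Names are assumptions; no ext-mongodb needed.

// Return the value as a string only if it is scalar. Nested JSON objects such
// as {"id": {"$ne": null}} arrive from getParsedBody() as PHP arrays and are
// refused here instead of being silently cast to the string "Array".
function requireScalar(string $field, $value): string
{
    if (!is_scalar($value)) {
        throw new InvalidArgumentException("$field must be a scalar value");
    }
    return (string) $value;
}

// Recursively report any array key beginning with '$', i.e. anything the
// MongoDB driver would interpret as a query operator rather than a literal.
function containsMongoOperator($value): bool
{
    if (!is_array($value)) {
        return false;
    }
    foreach ($value as $key => $item) {
        if (is_string($key) && $key !== '' && $key[0] === '$') {
            return true;
        }
        if (containsMongoOperator($item)) {
            return true;
        }
    }
    return false;
}

// ObjectId accepts only a 24-character hex string; checking the shape first lets
// the route answer 400 deliberately instead of relying on a driver exception.
function isObjectIdHex(string $id): bool
{
    return preg_match('/\A[0-9a-fA-F]{24}\z/', $id) === 1;
}

// Constructed sample bodies, decoded the way Slim's JSON body parser does.
$benign = json_decode('{"id": "507f1f77bcf86cd799439011"}', true);
$attack = json_decode('{"id": {"$ne": null}}', true);
var_dump(containsMongoOperator($attack));
var_dump(isObjectIdHex(requireScalar('id', $benign['id'])));
try {
    requireScalar('id', $attack['id']);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

Inside a route, run these on the parsed body before building the filter and return a 400 response when any of them fails.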
Verified by Ghost Labs Security Team
This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.