Simon Willison's Weblog: mongodb

SQL Injection Isn't Dead: Smuggling Queries at the Protocol Level

2024-08-12T15:36:47+00:00

SQL Injection Isn't Dead: Smuggling Queries at the Protocol Level

PDF slides from a presentation by Paul Gerste at DEF CON 32. It turns out some databases have vulnerabilities in their binary protocols that can be exploited by carefully crafted SQL queries.

Paul demonstrates an attack against PostgreSQL (which works in some but not all of the PostgreSQL client libraries) which uses a message size overflow, by embedding a string longer than 4GB (2**32 bytes) which overflows the maximum length of a string in the underlying protocol and writes data to the subsequent value. He then shows a similar attack against MongoDB.

The current way to protect against these attacks is to ensure a size limit on incoming requests. This can be more difficult than you may expect - Paul points out that alternative paths such as WebSockets might bypass limits that are in place for regular HTTP requests, plus some servers may apply limits before decompression, allowing an attacker to send a compressed payload that is larger than the configured limit.

Via lobste.rs

Tags: http, mongodb, postgresql, security, sql-injection, websockets

What are the advantages and disadvantages of using MongoDB vs CouchDB vs Cassandra vs Redis?

2010-12-01T12:54:00+00:00

My answer to What are the advantages and disadvantages of using MongoDB vs CouchDB vs Cassandra vs Redis? on Quora

I see Redis as a different category from the other three - kind of like you wouldn't say "what are the advantages of MySQL v.s. Memcached". Redis makes an excellent complement to pretty much any other persistent storage mechanism. I expanded on this here: http://simonwillison.net/2009/Oc...

Tags: cassandra, couchdb, mongodb, nosql, redis, quora

What is the best way to integrate MongoDB with Django?

2010-10-27T18:15:00+00:00

My answer to What is the best way to integrate MongoDB with Django? on Quora

Personally, I just "import pymongo" and start calling the regular Python API - no need for any special treatment to get it working with Django.

Tags: django, mongodb, quora

Geospatial Indexing in MongoDB

2010-03-02T20:12:09+00:00

Geospatial Indexing in MongoDB

New in version 1.3.3. Handles “order by distance from” queries using a geohash approach under the hood, automatically searching nearby grid squares until the correct number of results have been gathered. Bounding box search is planned for a future release.

Via MongoDB 1.3.3 Released

Tags: geohash, geospatial, mongodb

Notes from a production MongoDB deployment

2010-02-28T23:05:24+00:00

Notes from a production MongoDB deployment

Notes from running MongoDB for 8 months in production, with 664 million documents spread across 72 GB master and slave servers located in two different data centers.

Tags: mongodb, scaling, sysadmin

"MongoDB is fantastic for logging"

2009-08-26T19:09:26+00:00

"MongoDB is fantastic for logging"

Sounds tempting... high performance inserts, JSON structured records and capped collections if you only want to keep the past X entries. If you care about older historic data but still want to preserve space you could run periodic jobs to roll up log entries in to summarised records. It shouldn’t be too hard to write a command-line script that hooks in to Apache’s logging directive and writes records to MongoDB.

Tags: apache, json, logging, mongodb

Why we migrated from MySQL to MongoDB

2009-07-27T10:49:49+00:00

Why we migrated from MySQL to MongoDB

Includes some useful information on MongoDB’s limitations—for example, running many different collections can waste disk space and repairing large datasets or bulk deleting many rows can block and lock the database for the duration of the operation.

Tags: databases, documentstores, mongodb, mysql

TurboGears on Sourceforge

2009-07-17T02:30:48+00:00

TurboGears on Sourceforge

Sourceforge recently relaunched, powered by TurboGears 2 and MongoDB. Mark Ramm has the details.

Tags: mark-ramm, mongodb, sourceforge, turbogears, turbogears2

Using Mongo for Real-Time Analytics

2009-06-30T19:28:43+00:00

Using Mongo for Real-Time Analytics

MongoDB supports an “upsert” query, which when combined with the $inc operator can cause counter fields to be incremented if they exist and created otherwise. This makes it a great fit for real-time analytics applications (one increment per page view), something that regular relational databases aren’t particularly good at.

Tags: counters, databases, increment, mongodb, upsert

MongoDB

2009-06-30T19:13:04+00:00

MongoDB

Lots of discussions about this at EuroPython today—it’s a document database, very similar to CouchDB but significantly faster and suggested for production use. Best of all, trying it out on OS X is as easy as extracting the tarball and running “bin/mongod --dbpath /tmp/test-mongo-db run”.

Tags: couchdb, documentstore, europython, json, keyvaluestore, macos, mongodb, nonrelationaldatabase

MongoDB - Capped Collections

2009-06-07T12:50:27+00:00

MongoDB - Capped Collections

Collections with a size limit that automatically expire older entries are interesting—useful for things like a “recent searches on this site” feature.

Tags: cappedcollections, mongodb, search