== How to fix it in MongoDB

=== Code examples

include::../../common/fix/code-rationale.adoc[]

==== Noncompliant code example

[source,javascript,diff-id=1,diff-type=noncompliant]
----
const { MongoClient } = require('mongodb');

function (req, res) {
    let query = { user: req.query.user, city: req.query.city };

    MongoClient.connect(url, (err, db) => {
        db.collection("users")
        .find(query) // Noncompliant
        .toArray((err, docs) => { });
    });
}
----

==== Compliant solution

[source,javascript,diff-id=1,diff-type=compliant]
----
const { MongoClient } = require('mongodb');

function (req, res) {
    let query = { user: req.query.user.toString(), city: req.query.city.toString() };

    MongoClient.connect(url, (err, db) => {
        db.collection("users")
        .find(query)
        .toArray((err, docs) => { });
    });
}
----

=== How does this work?

include::../../common/fix/plain-string-values.adoc[]

=== Pitfalls

include::../../common/pitfalls/code-execution.adoc[]