include::../description.adoc[]

== Noncompliant Code Example

In a MongoDB context, https://docs.mongodb.com/manual/faq/fundamentals/#how-does-mongodb-address-sql-or-query-injection[arbitrary JavaScript code] can be executed with the ``$where`` operator, for instance:

----
let username = req.query.username;
// Untrusted input is interpolated into JavaScript that MongoDB evaluates server-side
let query = { $where: `this.username == '${username}'` };
User.find(query, function (err, users) {
  if (err) {
    // Handle errors
  } else {
    res.render('userlookup', { title: 'User Lookup', users: users });
  }
});
----

== Compliant Solution

In a MongoDB context, don't use the ``$where`` operator, or validate the data:

----
let username = req.query.username;
// Plain equality match: the value is treated as data, not evaluated as code
let query = { username: username };
User.find(query, function (err, users) {
  if (err) {
    // Handle errors
  } else {
    res.render('userlookup', { title: 'User Lookup', users: users });
  }
});
----

include::../see.adoc[]
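The compliant solution above says to drop ``$where`` or validate the data; the following added example (not code from the rule page or from MongoDB) does both for the user-lookup handler. It assumes an Express-style ``req``/``res`` and a Mongoose-style ``User`` model as in the snippets, an allow-list username pattern chosen for this example, and runs offline with no database.

```javascript
// Added example, not from the rule page: validate the untrusted username
// and build the lookup filter without $where.

// Allow-list for usernames (assumed rule for this example; adapt to the app).
const USERNAME_PATTERN = /^[A-Za-z0-9_.-]{1,32}$/;

// Returns an equality filter, or throws when the input is not a safe string.
function buildUserLookupQuery(username) {
  // Express's query-string parser turns ?username[$ne]=x into an object,
  // so the type check also keeps operators out of the filter.
  if (typeof username !== 'string') {
    throw new TypeError('username must be a string');
  }
  if (!USERNAME_PATTERN.test(username)) {
    throw new RangeError('username contains disallowed characters');
  }
  return { username: username }; // value is data, never evaluated as code
}

// Review/detection aid: true if a filter, at any depth, would run
// server-side JavaScript through $where.
function containsWhereOperator(value) {
  if (Array.isArray(value)) return value.some(containsWhereOperator);
  if (value === null || typeof value !== 'object') return false;
  return Object.keys(value).some(
    (k) => k === '$where' || containsWhereOperator(value[k])
  );
}

// Handler in the shape of the rule's snippet; `User` is passed in
// (hypothetical wiring) so the code can run without a live database.
function lookupUsers(req, res, User) {
  let query;
  try {
    query = buildUserLookupQuery(req.query.username);
  } catch (e) {
    return res.status(400).send('invalid username');
  }
  User.find(query, function (err, users) {
    if (err) return res.status(500).send('lookup failed');
    res.render('userlookup', { title: 'User Lookup', users: users });
  });
}
```

``containsWhereOperator`` is meant for code review or a request-filter middleware that rejects any filter built with ``$where``; it is not a substitute for the input validation in ``buildUserLookupQuery``.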