Hey @couchbwiss and @mr_ma,
Maybe I can shed some more light on this for the two of you.
The documentation you referred to is correct, but there is potentially more to it. I’ll start by explaining what that documentation means. Let’s say you have the following document in your Couchbase bucket:
name: "Nic Raboy"
Let’s use some imagination here and say that password 1234 is actually a hash. Now let’s say malicious user John Doe knows what parts of your website are updating this particular document(s). He decides to enter a JSON string into a text field that looks like the following:
In certain scenarios the two non-existing properties will be merged into the document and the existing property will be replaced. John Doe’s goal is to hit a property that he can replace so he can gain access to the account, for example changing the password.
The moral of the story here is to not accept raw data that the user adds to input fields. In the application layer you should analyze the data, maybe reconstruct a sanitized JSON object with only necessary properties, then use that.
Let’s say you’re not using NoSQL lookup queries, but instead are using N1QL. Just like with any SQL language you should be using parametrized values in your query. Although this isn’t available for PHP yet, you are able to parametrize your N1QL queries in languages like Node.js and Java.
Does this better answer your questions?
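
The advice in the post above, as an added example that is not part of the original post and is not Couchbase's own code: user-supplied JSON is rebuilt from an allow-list before it is merged, and the N1QL statement carries values only as named parameters. The editable fields, the `users` bucket name, the document key and the sample input are all constructed assumptions; passing the statement and parameters to the SDK is left out.

```javascript
// Added example: field names, bucket name and sample data are constructed.
const ALLOWED = { name: "string", email: "string" }; // hypothetical editable fields

// Parse user-supplied JSON text and rebuild an object holding only allow-listed,
// correctly typed properties. Everything else (e.g. "password") is discarded.
function sanitizeProfileInput(rawText) {
  let parsed;
  try {
    parsed = JSON.parse(rawText);
  } catch (e) {
    throw new Error("input is not valid JSON");
  }
  if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
    throw new Error("input must be a JSON object");
  }
  const clean = {};
  for (const [field, type] of Object.entries(ALLOWED)) {
    if (Object.prototype.hasOwnProperty.call(parsed, field) && typeof parsed[field] === type) {
      clean[field] = parsed[field];
    }
  }
  return clean;
}

// Build a parameterized N1QL UPDATE: field names come from the allow-list,
// values travel separately as named parameters and are never concatenated.
function buildUpdate(docId, clean) {
  const fields = Object.keys(clean);
  if (fields.length === 0) throw new Error("nothing to update");
  const setClause = fields.map((f) => `\`${f}\` = $${f}`).join(", ");
  return {
    statement: `UPDATE \`users\` USE KEYS $docId SET ${setClause}`,
    parameters: Object.assign({ docId }, clean),
  };
}

// Constructed sample data following the scenario in the post.
const stored = { name: "Nic Raboy", password: "1234" };
const submitted = '{"name": "John Doe", "password": "5678", "admin": true}';

const naive = Object.assign({}, stored, JSON.parse(submitted)); // password replaced
const safe = Object.assign({}, stored, sanitizeProfileInput(submitted)); // password kept
const query = buildUpdate("user::nic", sanitizeProfileInput(submitted));
```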