I am using the C# MongoDB driver to insert/update data in MongoDB. I have scanned my web API with "Qualys", and this was getting inserted into one of my fields called "createdOn". I have provided sample data below.
1. Central Pacific Standard Time + (SELECT 0 FROM (SELECT
2. SLEEP(29))qsqli_1111) Central Pacific Standard Time',0,0);WAITFOR
3. DELAY'00:00:29'- |ping -c2 -i91 localhost|
Could you please help me sort out this issue?
Arbitrary code can potentially be injected into one of the filters (status). I suggest implementing whitelisting if you are just expecting a finite list of accepted characters.
NOTE: I haven't tested the code below, but I hope you get the gist
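An added example of the allow-listing approach described in this answer, written here for illustration and not the answer's own (untested, unshown) code: the "status" filter value is checked against a fixed set before it reaches the query, the query is built with the driver's typed filter builders rather than string concatenation, and "createdOn" is validated as a time zone id. The field names, the accepted status values, and the assumption that createdOn holds a time zone id are all assumptions.

```csharp
using System;
using System.Collections.Generic;
using MongoDB.Bson;
using MongoDB.Driver;

// Hypothetical validation layer placed in front of the MongoDB calls.
public static class InputAllowList
{
    // Assumed finite set of values the API accepts for the "status" filter.
    private static readonly HashSet<string> AllowedStatuses =
        new HashSet<string>(StringComparer.Ordinal) { "active", "inactive", "pending" };

    // Returns true only when the input is exactly one of the accepted values.
    // Scanner payloads such as the ones in the question (quotes, parentheses,
    // SLEEP/WAITFOR, shell pipes) are rejected here, before any query is built.
    public static bool TryValidateStatus(string input, out string status)
    {
        status = null;
        if (string.IsNullOrWhiteSpace(input)) return false;
        var candidate = input.Trim().ToLowerInvariant();
        if (!AllowedStatuses.Contains(candidate)) return false;
        status = candidate;
        return true;
    }

    // Assumes "createdOn" carries a time zone id (e.g. a Windows/IANA id).
    // The OS time zone list acts as the allow-list; anything else is rejected.
    public static bool TryValidateTimeZoneId(string input, out string zoneId)
    {
        zoneId = null;
        if (string.IsNullOrWhiteSpace(input)) return false;
        try
        {
            zoneId = TimeZoneInfo.FindSystemTimeZoneById(input.Trim()).Id;
            return true;
        }
        catch (TimeZoneNotFoundException) { return false; }
        catch (InvalidTimeZoneException) { return false; }
    }

    // Builders<> serializes the value as a BSON string; it is never spliced
    // into query text, so even an accepted value cannot change the query shape.
    public static FilterDefinition<BsonDocument> BuildStatusFilter(string rawStatus)
    {
        if (!TryValidateStatus(rawStatus, out var status))
            throw new ArgumentException("status is not an accepted value", nameof(rawStatus));
        return Builders<BsonDocument>.Filter.Eq("status", status);
    }

    public static List<BsonDocument> FindByStatus(IMongoCollection<BsonDocument> col, string rawStatus)
        => col.Find(BuildStatusFilter(rawStatus)).ToList();
}
```

Rejected values should be answered with a 400 response and logged with the offending field name, which also makes the scanner's probes visible in your own logs.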