mongoid-rails is the safest way to use MongoDB with Rails 3 or 4.
Add mongoid-rails to your Gemfile:

gem 'mongoid-rails'

Then run bundle install.
mongoid-rails provides protection against hash-injection attacks in Mongoid.
This causes code like User.create(settings: params[:settings]) to raise an exception, because the value is an unpermitted hash taken straight from the request. If you want to create a user from request parameters, you must explicitly permit the fields you want to allow:

User.create(settings: params[:settings].permit(:favorite_color))

This prevents an attacker from sneakily setting params[:settings][:admin] = true (or any other key in the settings hash) by adding settings[admin]=true to the request.
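The following is an added example, not code from mongoid-rails or from Rails. It models the mass-assignment problem above in plain Ruby so it runs without a database: Params is an assumed stand-in for ActionController::Parameters (a hash that remembers whether a permit list was applied), User is an assumed stand-in for a Mongoid document with a Hash field, and the attacker request is constructed. The create check is one way to implement the behaviour the README describes, not the gem's implementation.

```ruby
# Added example, not mongoid-rails code: a plain-Ruby model of the
# mass-assignment problem and of the permit step that fixes it.
# Params and User are assumed stand-ins for ActionController::Parameters
# and for a Mongoid document with a Hash field.
require 'set'

class UnpermittedParameters < StandardError; end

# Stand-in for ActionController::Parameters: a string-keyed hash plus a
# flag recording whether a permit list has been applied to it.
class Params
  def initialize(hash, permitted = false)
    @hash = hash.transform_keys(&:to_s)
    @permitted = permitted
  end

  def permitted?
    @permitted
  end

  def to_h
    @hash.dup
  end

  # Keep only the whitelisted keys, and only when their values are scalars
  # (a scalar permit in Rails does not admit a nested Hash or Array either).
  # Anything else, such as an attacker-supplied "admin" key, is dropped.
  def permit(*keys)
    allowed = keys.map(&:to_s).to_set
    kept = @hash.select do |k, v|
      allowed.include?(k) && !v.is_a?(Hash) && !v.is_a?(Array)
    end
    Params.new(kept, true)
  end
end

# Stand-in for the Mongoid document. The create check mirrors what the
# README describes: a Hash attribute taken straight from params raises.
class User
  attr_reader :settings

  def self.create(settings:)
    unless settings.respond_to?(:permitted?) && settings.permitted?
      raise UnpermittedParameters, 'settings must come from params.permit(...)'
    end
    new(settings.to_h)
  end

  def initialize(settings)
    @settings = settings
  end

  def admin?
    settings.key?('admin')
  end
end

# Constructed attacker request (not real traffic):
#   POST /users?settings[favorite_color]=red&settings[admin]=true
ATTACKER_PARAMS = {
  settings: Params.new({ 'favorite_color' => 'red', 'admin' => 'true' })
}.freeze

# What an unguarded model would store: the attacker's key survives.
def create_without_guard(params)
  User.new(params[:settings].to_h)
end

# Vulnerable shape from the README: raises under the guard above.
def create_unsafely(params)
  User.create(settings: params[:settings])
end

# Hardened shape from the README: the admin key never reaches the model.
def create_safely(params)
  User.create(settings: params[:settings].permit(:favorite_color))
end
```

create_without_guard shows the damage (an admin flag planted by the client), create_unsafely shows the guard refusing the raw hash, and create_safely shows the permit list stripping the extra key before the model ever sees it.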
It also protects you against query-injection attacks, making code like the following safe:

User.where(api_token: params[:api_token])

Without mongoid-rails, an attacker can send ?api_token[$gt]= instead of a real token. Rails parses that into {"api_token" => {"$gt" => ""}}, which Mongoid passes to the database as a query operator, so the lookup matches every user whose token sorts after the empty string (all of them) and the attacker gets in without knowing any token; with $gt, $lt or $regex conditions they can also narrow down a token one character at a time. With mongoid-rails, a nested hash where a scalar is expected raises an exception instead of being sent to the database.
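The following is an added example, not code from mongoid-rails, Mongoid or Rack. It shows why ?api_token[$gt]= is dangerous and what a guard in the spirit of mongoid-rails does about it, and it goes slightly beyond the README by also demonstrating a $regex condition. Everything is assumed and constructed: params_for is a toy stand-in for Rack's nested query parsing (it handles only the shapes used here), USERS is a fake collection with fake tokens, and where is an in-memory stand-in that evaluates a handful of MongoDB operators the way the server would.

```ruby
# Added example, not mongoid-rails code. Toy stand-ins (assumed): params_for
# for Rack's query parsing, USERS/where for a Mongo collection and the
# server's operator semantics, assert_scalar!/safe_where for the guard.

class QueryInjection < StandardError; end

# Constructed sample collection; tokens are fake.
USERS = [
  { 'name' => 'alice', 'api_token' => 'a1f3c9d2e8b7' },
  { 'name' => 'bob',   'api_token' => 'b4e2d1c0f9a8' }
].freeze

# Evaluate one field condition the way MongoDB does for a few operators.
# A plain (non-Hash) value means equality.
def field_matches?(actual, cond)
  return actual == cond unless cond.is_a?(Hash)

  cond.all? do |op, arg|
    case op
    when '$gt'    then actual.to_s > arg.to_s
    when '$lt'    then actual.to_s < arg.to_s
    when '$ne'    then actual != arg
    when '$regex' then Regexp.new(arg).match?(actual.to_s)
    when '$in'    then Array(arg).include?(actual)
    else raise ArgumentError, "unsupported operator #{op}"
    end
  end
end

# Unguarded lookup: whatever structure the caller passes is interpreted.
def where(criteria)
  USERS.select do |doc|
    criteria.all? { |field, cond| field_matches?(doc[field.to_s], cond) }
  end
end

# Toy version of what Rack/Rails turn a query string into:
#   ?api_token=a1f3c9d2e8b7  => {"api_token" => "a1f3c9d2e8b7"}
#   ?api_token[$gt]=         => {"api_token" => {"$gt" => ""}}
# (a real URL would percent-encode characters such as ^; ignored here)
def params_for(query_string)
  key, value = query_string.delete_prefix('?').split('=', 2)
  if (m = key.match(/\A(\w+)\[(.+)\]\z/))
    { m[1] => { m[2] => value.to_s } }
  else
    { key => value.to_s }
  end
end

# Guard in the spirit of mongoid-rails: a value that came from params must
# be a scalar. A Hash means the client, not the application, chose the
# query operator; Arrays are walked so a hash cannot hide inside $in-style
# lists either.
def assert_scalar!(value, path = 'criteria')
  case value
  when Hash
    raise QueryInjection, "operator hash in #{path}: #{value.keys.inspect}"
  when Array
    value.each_with_index { |v, i| assert_scalar!(v, "#{path}[#{i}]") }
  end
  value
end

def safe_where(criteria)
  criteria.each { |field, cond| assert_scalar!(cond, field.to_s) }
  where(criteria)
end

# The README's User.where(api_token: params[:api_token]) pattern, with and
# without the guard.
def lookup_by_token(query_string, guarded:)
  params = params_for(query_string)
  criteria = { api_token: params['api_token'] }
  guarded ? safe_where(criteria) : where(criteria)
end
```

Unguarded, ?api_token[$gt]= returns every user and ?api_token[$regex]=^b returns only the user whose token starts with b, which is how an attacker recovers a token one character at a time; guarded, both raise QueryInjection before any query is built, while a plain token still works.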
mongoid-rails is released under the MIT license. See LICENCE.MIT for details.