One of the most common questions non-users ask is “Why should I use MongoDB?”
There are a bunch of fancy answers: you can scale it (webscale!), you can use it for MapReduce, you can store files in it. Those things are all true, but every database worth its salt can scale (there are MySQL clusters with tens of thousands of nodes), every new-ish database I know of supports MapReduce, and filesystems are pretty good at storing files.
I think the reason is much simpler:
MongoDB gets out of your way.
For example, a user (on IRC) asked, “How do I store a form’s data in MongoDB?” Based on the question, I assumed he was using PHP, so I pasted the following three lines:
```php
$m = new Mongo();
$m->test->formResults->insert($_POST);
print_r($m->test->formResults->findOne());
```
“Hey, it works!” he said.
(For those of you not familiar with MongoDB (or PHP), this stores and retrieves everything in the POST request and can be run with no prior database setup.*)
So, all of the bells and whistles are nice, but I think the real benefit is the simplicity. MongoDB is the scripting language of databases: you can just get stuff done, fast.
In this spirit, 10gen’s first monthly blogging contest topic was to write about something you developed quickly using MongoDB. The entries were cool: people built really interesting applications ridiculously fast.
Some of my favorite entries were:
- BugRocket’s Rapid(-ish) Development
Ryan Funduk wrote about creating a bug tracker.
“Without MongoDB, I would have easily racked up over a thousand database migrations.”
- The Birth of Mojology
Gergely Nagy built an open source application for viewing and doing statistics on syslog messages.
“About four hours [after installing MongoDB], I posted the first version of my mongodb destination driver to the syslog-ng mailing list.”
- From 0 to 1 Million in 6 Hours
Bradley Grzesiak wrote about programming VoiceRally.
“Friday, the day after VoiceRally was written, we sent over 1.5 million WebSocket messages.”
- Family Spoon and MongoDB
Tom Maiaroto writes about creating a recipe website.
“Yes, you need to be aware of “schema” and you can’t go hog wild, but you also get more forgiveness and MongoDB works with you to solve your problems. It’s very flexible. It’s not something that you need to work around, it’s something that you get to work with. Anytime that you have a situation like that as a developer, your day is going to be much more happy and productive.”
Check out the other entries, as well. It’s too bad we can only choose one to win!
This month, we’re asking people to write about an open source app using MongoDB and the prize is an iPad2!
Edited to add: some of the commenters are upset about my advice to store `$_POST` in MongoDB. You should not store any user input unsanitized. For people familiar with SQL, the code above does not allow a traditional injection attack with MongoDB (as it would with SQL). After the first flush of success, I told the guy to not do it this way and to go read the documentation. Inserting `$_POST` was a learning tool, not a solution, and I tried to make that clear over IRC, if not in this post.
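What sanitizing the form data before the insert can look like, as an added example that is not part of the original post: an allow-list validator that accepts only expected fields as bounded strings. The function name `build_form_document`, the constant `FORM_FIELDS`, and the field names and limits are assumptions for illustration.

```php
<?php
// Added example: allow-list validation before the form data reaches insert().
// Field names and length limits are assumptions for illustration.
const FORM_FIELDS = ['name' => 100, 'email' => 254, 'message' => 2000];

// Returns [document, errors]; store the document only when errors is empty.
function build_form_document(array $input): array
{
    $doc = [];
    $errors = [];
    foreach (FORM_FIELDS as $field => $maxLen) {
        $value = isset($input[$field]) ? $input[$field] : null;
        // PHP turns bracketed field names (field[key]=...) into arrays, so a
        // "text" field is not guaranteed to arrive as a string.
        if (!is_string($value)) {
            $errors[] = "$field: missing or not a string";
            continue;
        }
        $value = trim($value);
        if ($value === '' || strlen($value) > $maxLen || strpos($value, "\0") !== false) {
            $errors[] = "$field: empty, too long, or contains a null byte";
            continue;
        }
        $doc[$field] = $value;
    }
    if (isset($doc['email']) && filter_var($doc['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email: not a valid address';
    }
    // Keys the form never defined are reported, not stored.
    $extra = array_diff_key($input, FORM_FIELDS);
    if ($extra) {
        $errors[] = count($extra) . ' unexpected field(s)';
    }
    return [$doc, $errors];
}

// Constructed sample input standing in for $_POST.
$samples = [
    ['name' => 'Ada', 'email' => 'ada@example.com', 'message' => 'Hello'],
    ['name' => ['nested' => 'x'], 'email' => 'nope', 'message' => 'Hi', 'is_admin' => '1'],
];
foreach ($samples as $post) {
    list($doc, $errors) = build_form_document($post);
    if ($errors) {
        echo 'rejected: ', implode('; ', $errors), "\n";
    } else {
        // With the driver call from the post: $m->test->formResults->insert($doc);
        echo 'would insert: ', json_encode($doc), "\n";
    }
}
```

The same string-only check belongs on any request value that ends up in `find()` criteria.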
26 thoughts on “The Scripting Language of Databases”
nice security man
Authentication is optional, you can turn it on. I had the feeling he wasn’t in production, yet.
You don’t need auth. Just restrict your firewall and your mongodb instance will be more secure than if it did have auth turned on because nothing can touch it besides the machines you allow
Okay, what about data verification? What about sanitizing your data?
Well, that’s a no-brainer but wasn’t what I was talking about. Obviously you don’t just take a $_POST array and put it into your db (even though you can’t really damage mongo because it doesn’t run traditional queries). The post was obviously giving the bare bones code to get you inserting with mongo
Uh… you’re still using queries. That’s like saying that because you’re riding a motorcycle instead of a car, you can’t get into accidents because it only has two wheels.
Who cares if they’re not SQL queries? You’re still communicating with another process that may have security holes, like every other piece of software.
Read the sentence before that. I’m not condoning that practice but just stated that I’m not aware of any type of sql injection with mongo. http://www.mongodb.org/display/DOCS/Do+I+Have+to+Worry+About+SQL+Injection
I saw a couple of issues that the devs have pointed out in this mailing list thread that’s linked on the bottom: http://groups.google.com/group/mongodb-user/browse_thread/thread/b4ef57912cbf09d7
What if my language of choice doesn’t deal with the null character? What if a developer decided to create a function call “the wrong way”? Also, it seems terribly foolish to put the burden on the data store – this blog post is telling devs to stop caring about security. Bad idea.
For the 3rd time, I’m not condoning the practice. I just stated that I didn’t know of any type of injection possible with mongodb.
> this blog post is telling devs to stop caring about security.
Uh… no. Look, I should always mention any security implications of any code I put in my blog (and you can bet I’ll be more careful to do so in the future) but I generally assume a basic level of competence in my readers. The code sample above was supposed to be like the blocks you play with to learn basic math: they help you understand that 1+1=2, but you’re not going to take them to college (into production) with you.
You’re being disingenuous, mainly with this line:
“MongoDB gets the hell out of your way”
Same with MySQL given a decent ORM.
But once you start throwing in the little details, like sanitizing your data, then MongoDB/MySQL/flat files don’t just get the hell out of your way, no? You have to live with your decision and its issues.
I’m not trying to be. This is just what I’ve heard from users. MongoDB isn’t perfect, but a lot of people like it because it’s so easy to develop with.
Good thing you’re not doing a find(), as that is vulnerable to ‘injection’ if you blindly jam arbitrary user data into it. User data should never be trusted and blindly used to either store or fetch data from any datastore, mongoDB included.
Pretty sure this is the worst idea ever
Blindly inserting data into a datastore
What is the concern? Storing sensitive data? SQL injection (which is not relevant with this type of datastore)?
The concern is breeding shitty development practices. Easy != best.
See my “edited to add.” The point was that, in three lines, he could understand how MongoDB stores data. After he understood, I told him not to do it this way.
Holy cow. No. Just…. no.
They’d discover that and put it in regular practice even if you didn’t. How did you assume they were using PHP though?
As they hadn’t phrased the question in terms of code, I assumed they were looking at an HTML form and embedding a script into it. There are a bunch of languages you can do that with, but PHP is a popular one.
Hey Kristina, thanks for mentioning our post here!
It’s too bad you mostly caught flak for the `insert->($_POST)` bit… I think your larger point was spot-on and was definitely a huge part of our decision to use MongoDB at Bugrocket. In the early stages (say, in a conversation in IRC :)) it’s really useful to be able to just throw data around, get it in the database and experiment.
No problem! I really enjoyed your post, I love development like that (the “throw everything at the wall and see what sticks” design pattern 🙂 ).
Thanks for the support! Don’t worry about the critics, I’m pretty sure they’re mostly SQL devs (where inserting an unsanitized $_POST would be a terrible idea!) and I doubt they understand how this works with MongoDB. They all came from a guy with 3000 followers who hates MongoDB, so there’s a definite slant to their opinions.
According to me, MySQL is the best Scripting Language of Databases. In the absolutely managed infrastructure, ITS owns, manages, and supports the MySQL accouterments and software resources.
Many greetings from Belgrade