I'm playing with Masashi Umezawa's PunQLite wrapper for unQLite. UnQLite provides both a key-value store and, interestingly, a JSON document store based on an embedded programming language named Jx9.
Here's an example Jx9 program:
if (db_exists("students")) {
db_drop_collection("students");
}
db_create("students");
$s = { name: "james", age: 26 };
db_store("students", $s);
$sid = $s.__id;
And here's Smalltalk code to execute the above Jx9 program:
| j db |
j := '...'. "Above Jx9 program."
db := PqDatabase openOnMemory.
[ db jx9Do: [ :exe |
exe compile: j.
exe execute.
Transcript show: (exe @ 'sid') asString; cr ]
] ensure: [ db close ]
PunQLite supports extracting values from an executed Jx9 program, as in "exe @ 'sid'" above. PunQLite currently does not support UnQLite's APIs for exchanging JSON objects between Smalltalk and a Jx9 program, which provide functionality similar to parameter binding in SQL APIs. That means Jx9 programs, including the data to be stored, have to be constructed from strings... As OWASP says about NoSQL injection:
Because these NoSQL injection attacks may execute within a procedural
language, rather than in the declarative SQL language, the potential
impacts are greater than traditional SQL injection.
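Until PunQLite exposes UnQLite's value-exchange APIs, the only place to stop untrusted data from becoming Jx9 code is in the Smalltalk that assembles the program. The script below is an added example, not code from the post or from PunQLite; the names safeName and buildProgram are my own, and it assumes the PqDatabase / jx9Do: / compile: / execute / @ calls shown above. Rather than escaping, which depends on Jx9's exact string-literal rules, it refuses any name containing a character outside a small allowlist, so the value can never close the literal, start $ interpolation, or add braces or backslashes:

```smalltalk
| safeName buildProgram db sid |
"Allowlist check (assumed policy for this example): a name may contain only letters,
digits, space and . , ' - so it cannot end the Jx9 string literal or introduce
$ interpolation, backslash escapes, braces or control characters. Anything else
is rejected instead of escaped."
safeName := [ :aString |
	(aString notEmpty and: [ aString allSatisfy: [ :ch |
		ch isLetter or: [ ch isDigit or: [ ' .,''-' includes: ch ] ] ] ])
		ifFalse: [ self error: 'name contains characters not allowed in a Jx9 literal' ].
	aString ].

"Assemble the program from the post; the record values are checked before they are
spliced in, and age is required to be an Integer so printString yields a plain number."
buildProgram := [ :name :age |
	age isInteger ifFalse: [ self error: 'age must be an Integer' ].
	String streamContents: [ :out |
		out
			nextPutAll: 'if (!db_exists("students")) { db_create("students"); }'; cr;
			nextPutAll: '$s = { name: "'; nextPutAll: (safeName value: name);
			nextPutAll: '", age: '; nextPutAll: age printString; nextPutAll: ' };'; cr;
			nextPutAll: 'db_store("students", $s);'; cr;
			nextPutAll: '$sid = $s.__id;' ] ].

"Run it exactly as in the post, on an in-memory database."
db := PqDatabase openOnMemory.
[ db jx9Do: [ :exe |
	exe compile: (buildProgram value: 'james' value: 26).
	exe execute.
	sid := exe @ 'sid' ] ] ensure: [ db close ].
Transcript show: sid asString; cr.

"A value that would break out of the literal is refused before any Jx9 is compiled."
[ buildProgram value: 'ja"mes' value: 26 ]
	on: Error do: [ :e | Transcript show: e messageText; cr ].
```

The allowlist is deliberately strict; widen it only with characters whose meaning inside a Jx9 double-quoted string you have checked against the Jx9 documentation.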
Tags: NoSQL, security