
Answer by Zanon for JavaScript NoSQL Injection prevention in MongoDB

Sushant's answer is not correct. You need to be aware of NoSQL injection in MongoDB.

Example (taken from here)

User.findOne({"name" : req.params.name, "password" : req.params.password}, callback); 

If req.params.password is { $ne: 1 }, the user will be retrieved without knowing the password ($ne means not equals 1).

MongoDB Driver

You can use mongo-sanitize:

It will strip out any keys that start with '$' in the input, so you can pass it to MongoDB without worrying about malicious users overwriting.

var sanitize = require('mongo-sanitize');
var name = sanitize(req.params.name);
var password = sanitize(req.params.password);
User.findOne({"name" : name, "password" : password}, callback);

Mongoose Driver

As it follows a schema, if the password is a string field, it will convert the object { $ne: 1 } to string and no damage will be done. In this case, you don't need to sanitize, just remember to set a proper schema.
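The following is an added example, not part of Zanon's answer and not code from mongo-sanitize or Mongoose. It models, in memory and without a database, the three things the answer describes: how a query object that reaches MongoDB with an operator in the password position matches a record regardless of the stored password, how stripping keys that begin with "$" (the behaviour mongo-sanitize documents) turns that operator object into a harmless empty object, and how coercing the input to a string (what a Mongoose String field does when casting) leaves only a literal comparison. The `findOne`, `sanitize` and `asString` functions are toy stand-ins written for this illustration; the `users` collection and the request bodies are constructed sample data.

```javascript
// Added example: in-memory model of MongoDB matching plus two defences.
// Nothing here is the real driver; it only reproduces the matching rules
// needed to show the problem described in the answer above.

// Constructed sample collection (not real credentials).
const users = [
  { name: "alice", password: "hunter2" },
  { name: "bob", password: "letmein" },
];

// A criterion is an operator object ({ $ne: 1 }) if any key starts with "$";
// otherwise it is compared literally, the way MongoDB treats a plain value
// or an embedded document.
function matchesField(value, criterion) {
  const isObj = criterion !== null && typeof criterion === "object" && !Array.isArray(criterion);
  if (isObj && Object.keys(criterion).some(k => k.startsWith("$"))) {
    for (const [op, arg] of Object.entries(criterion)) {
      if (op === "$ne") { if (value === arg) return false; }
      else if (op === "$eq") { if (value !== arg) return false; }
      else throw new Error("operator not modelled in this example: " + op);
    }
    return true;
  }
  // Literal comparison (deep for objects, strict for primitives).
  return JSON.stringify(value) === JSON.stringify(criterion);
}

// Toy findOne: first document for which every query field matches, else null.
function findOne(collection, query) {
  const hit = collection.find(doc =>
    Object.entries(query).every(([field, crit]) => matchesField(doc[field], crit))
  );
  return hit === undefined ? null : hit;
}

// Defence 1: drop every key beginning with "$", recursively. This mirrors
// what mongo-sanitize documents; plain strings pass through unchanged.
function sanitize(input) {
  if (input === null || typeof input !== "object") return input;
  if (Array.isArray(input)) return input.map(sanitize);
  const clean = {};
  for (const [k, v] of Object.entries(input)) {
    if (!k.startsWith("$")) clean[k] = sanitize(v);
  }
  return clean;
}

// Defence 2: cast to the schema type, as a Mongoose String field would.
function asString(input) {
  return String(input);
}

// The lookup as written in the answer: request parameters go straight in.
function loginUnsafe(params) {
  return findOne(users, { name: params.name, password: params.password });
}

// Same lookup with mongo-sanitize-style stripping applied to the inputs.
function loginSanitized(params) {
  return findOne(users, { name: sanitize(params.name), password: sanitize(params.password) });
}

// Same lookup with schema-style string coercion applied to the inputs.
function loginSchemaCoerced(params) {
  return findOne(users, { name: asString(params.name), password: asString(params.password) });
}

// Constructed request bodies. A JSON body parser or extended query-string
// parsing is what lets an object like the second one reach the handler.
const honestRequest = { name: "alice", password: "hunter2" };
const operatorRequest = { name: "alice", password: { $ne: 1 } };

console.log("unsafe, honest   :", loginUnsafe(honestRequest) !== null);
console.log("unsafe, operator :", loginUnsafe(operatorRequest) !== null);
console.log("sanitized        :", loginSanitized(operatorRequest) !== null);
console.log("schema-coerced   :", loginSchemaCoerced(operatorRequest) !== null);
```

Run it with `node` and compare the four lines: the unsafe lookup returns a user for both requests, while the sanitized and coerced lookups return a user only for the honest request. Note that after sanitizing, the password criterion is `{}`, which the matcher (like MongoDB) compares literally against the stored string and so does not match; the point of the answer stands, but the sanitized query is still not a sensible password check, so type-check or schema-validate inputs rather than relying on stripping alone.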

