I am working on a Node.js application and I am passing
As a client program assembles a query in MongoDB, it builds a BSON object, not a string. Thus traditional SQL injection attacks are not a problem.
For details, follow the documentation.
Avoid expressions like eval, which can execute arbitrary JS. If you are taking input from the user and running eval-like expressions without cleaning the input, you can screw up. As pointed out by JoBu1324, operations like group permit executing JS expressions directly.
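The point above as an added Node.js example, not part of the original answer: a string placed as a value in a query object stays data, while input that arrives as an object is checked for `$`-prefixed keys before it gets near a query. The function names, the `name` field and the sample inputs are assumptions constructed for illustration, and no driver is needed to run it.

```javascript
// Added example; hasOperatorKey, buildUserFilter and classify are hypothetical names.

// True if the value, at any depth, has a key starting with "$".
// MongoDB query operators, including those that evaluate JS on the
// server (such as $where), all start with "$", so values supplied by
// a user should never contain one.
function hasOperatorKey(value) {
  if (value === null || typeof value !== 'object') return false;
  if (Array.isArray(value)) return value.some(hasOperatorKey);
  return Object.keys(value).some(
    (k) => k.startsWith('$') || hasOperatorKey(value[k])
  );
}

// Build a lookup filter from user input. Only a plain string is accepted;
// the driver encodes it as a BSON string, so quotes in it are never parsed.
function buildUserFilter(input) {
  if (typeof input !== 'string') throw new TypeError('name must be a string');
  return { name: input };
}

// Decide what to do with one piece of parsed request input.
function classify(input) {
  if (typeof input === 'string') return JSON.stringify(buildUserFilter(input));
  if (hasOperatorKey(input)) return 'rejected: operator key in user input';
  return 'nested document accepted';
}

// Constructed sample inputs, as they might arrive in a parsed JSON body.
const samples = [
  'alice',
  "' OR 1=1 --",                       // SQL-style text: stays a string
  { $where: 'constructed JS text' },   // object carrying an operator key
  { profile: { city: 'Oslo' } },       // ordinary nested document
];

for (const s of samples) {
  console.log(JSON.stringify(s), '->', classify(s));
}
```

Body parsers that turn JSON or bracketed query strings into objects are where a non-string value can appear, which is why the type check comes before anything else.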