TinyDB
TinyDB is a document-oriented database written in pure Python. It is not part of the standard library, so you need to download and install it with the pip command.
Install
pip # Python’s package manager
install # A command to download and install libraries from PyPI (Python Package Index)
tinydb # a lightweight Python NoSQL database library
# Installs the newest tinydb release from PyPI into the active Python environment.
# For reproducible installs, pin the release you have reviewed: tinydb==<version>.
pip install tinydb
Create a Database
The TinyDB() function is used to connect to the local database or create a new one if the file does not exist
from tinydb import TinyDB # Import the TinyDB class from the tinydb module
db = TinyDB(‘database.json’) # Create (or open) a TinyDB database stored in a JSON file named ‘database.json’, if the file doesn’t exist, TinyDB will create it automatically
from tinydb import TinyDB
# Open database.json, creating the file if it does not exist yet.
# The path is relative, so it resolves against the current working directory.
db = TinyDB('database.json')
List All Tables
You can list all tables using the .tables() method. A table is only listed once it contains data; an empty table won’t be shown
from tinydb import TinyDB # Import the TinyDB class from the tinydb module
db = TinyDB(‘database.json’) # Create (or open) a TinyDB database stored in a JSON file named ‘database.json’, if the file doesn’t exist, TinyDB will create it automatically
db.tables() # List all tables in the TinyDB database
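from tinydb import TinyDB
# Open (or create) the JSON-backed database file.
db = TinyDB('database.json')
# A bare expression only echoes its value in an interactive session; print()
# makes the table names visible when the snippet is run as a script, which is
# how the other listings on this page show their output.
print(db.tables())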
Output
{'_default'}
Create a Table
TinyDB supports tables, although you do not need to use them. To create a table, use the .table() method
from tinydb import TinyDB # Import the TinyDB class from the tinydb module
db = TinyDB(‘database.json’) # Create (or open) a TinyDB database stored in a JSON file named ‘database.json’, if the file doesn’t exist, TinyDB will create it automatically
table = db.table(‘users’) # Access (or create if it doesn’t exist) a table named ‘users’ in the TinyDB database
from tinydb import TinyDB
# Open (or create) the JSON-backed database file.
db = TinyDB('database.json')
# Get a handle to the 'users' table, creating it if it does not exist.
# The table is listed by db.tables() only once it holds data.
table = db.table('users')
Delete Table
You can delete a table, together with all the data in it, using the .drop_table() method
from tinydb import TinyDB # Import the TinyDB class from the tinydb module
db = TinyDB(‘database.json’) # Create (or open) a TinyDB database stored in a JSON file named ‘database.json’, if the file doesn’t exist, TinyDB will create it automatically
db.drop_table(‘users’) # Delete the entire table named ‘users’ from the TinyDB database
print(db.tables()) # Show all tables
from tinydb import TinyDB
# Open (or create) the JSON-backed database file.
db = TinyDB('database.json')
# Destructive: removes the 'users' table and every record in it, without any confirmation step.
db.drop_table('users')
# Only the tables that remain are listed.
print(db.tables())
Output
{'_default'}
Insert Data
To add new data, use the .insert() method
from tinydb import TinyDB # Import the TinyDB class from the tinydb module
db = TinyDB(‘database.json’) # Create (or open) a TinyDB database stored in a JSON file named ‘database.json’, if the file doesn’t exist, TinyDB will create it automatically
db.drop_table(‘users’) # Delete the entire table named ‘users’ from the TinyDB database
table = db.table(‘users’) # Access (or create if it doesn’t exist) a table named ‘users’ in the TinyDB database
table.insert({“id”: 1,”user”: “john”,”hash”: “e66860546f18”}) # Insert a new record (dictionary) into the ‘users’ table
table.insert({“id”: 2,”user”: “jane”,”hash”: “cdbbcd86b35e”, “car”:”ford”}) # Insert a new record (dictionary) into the ‘users’ table
from tinydb import TinyDB
# Open (or create) the JSON-backed database file.
db = TinyDB('database.json')
# Drop any existing 'users' table first, so the table holds exactly the two records below.
db.drop_table('users')
table = db.table('users')
# Records are plain dicts and need not share the same keys (only jane has "car").
# NOTE: database.json is an ordinary JSON file, so the "hash" values are stored as
# readable text; protect the file with filesystem permissions if it holds credentials.
table.insert({"id": 1,"user": "john","hash": "e66860546f18"})
table.insert({"id": 2,"user": "jane","hash": "cdbbcd86b35e", "car":"ford"})
Output
Fetching Results
To fetch items from the database, use the .all() method
from tinydb import TinyDB # Import the TinyDB class from the tinydb module
db = TinyDB(‘database.json’) # Create (or open) a TinyDB database stored in a JSON file named ‘database.json’, if the file doesn’t exist, TinyDB will create it automatically
db.drop_table(‘users’) # Delete the entire table named ‘users’ from the TinyDB database
table = db.table(‘users’) # Access (or create if it doesn’t exist) a table named ‘users’ in the TinyDB database
table.insert({“id”: 1,”user”: “john”,”hash”: “e66860546f18”}) # Insert a new record (dictionary) into the ‘users’ table
table.insert({“id”: 2,”user”: “jane”,”hash”: “cdbbcd86b35e”, “car”:”ford”}) # Insert a new record (dictionary) into the ‘users’ table
print(table.all()) # Retrieve and print all records from the ‘users’ table
from tinydb import TinyDB
# Open (or create) the JSON-backed database file.
db = TinyDB('database.json')
# Reset the 'users' table so it holds exactly the two sample records.
db.drop_table('users')
table = db.table('users')
table.insert({"id": 1,"user": "john","hash": "e66860546f18"})
table.insert({"id": 2,"user": "jane","hash": "cdbbcd86b35e", "car":"ford"})
# all() returns every record in the table as a list of dicts, including the
# "hash" field; filter fields before showing results to an end user.
print(table.all())
Output
[{'id': 1, 'user': 'john', 'hash': 'e66860546f18'}, {'id': 2, 'user': 'jane', 'hash': 'cdbbcd86b35e', 'car': 'ford'}]
Find Data
You can fetch specific records using the .search() method
from tinydb import TinyDB, where # Import the TinyDB class and the where helper from the tinydb module
db = TinyDB(‘database.json’) # Create (or open) a TinyDB database stored in a JSON file named ‘database.json’, if the file doesn’t exist, TinyDB will create it automatically
db.drop_table(‘users’) # Delete the entire table named ‘users’ from the TinyDB database
table = db.table(‘users’) # Access (or create if it doesn’t exist) a table named ‘users’ in the TinyDB database
table.insert({“id”: 1,”user”: “john”,”hash”: “e66860546f18”}) # Insert a new record (dictionary) into the ‘users’ table
table.insert({“id”: 2,”user”: “jane”,”hash”: “cdbbcd86b35e”, “car”:”ford”}) # Insert a new record (dictionary) into the ‘users’ table
results = table.search(where(‘user’) == ‘jane’) # Search the ‘users’ table for all records where the ‘user’ field equals ‘jane’
print(results) # Print the list of matching records
from tinydb import TinyDB, where
# Open (or create) the JSON-backed database file.
db = TinyDB('database.json')
# Reset the 'users' table so it holds exactly the two sample records.
db.drop_table('users')
table = db.table('users')
table.insert({"id": 1,"user": "john","hash": "e66860546f18"})
table.insert({"id": 2,"user": "jane","hash": "cdbbcd86b35e", "car":"ford"})
# where('user') == 'jane' is an exact equality test: the value is compared as a
# literal string and is not interpreted as a pattern.
# search() returns a list of every matching record.
results = table.search(where('user') == 'jane')
print(results)
Output
[{'id': 2, 'user': 'jane', 'hash': 'cdbbcd86b35e', 'car': 'ford'}]
Update Data
You can update data by using the .update() method
from tinydb import TinyDB, where # Import the TinyDB class and the where helper from the tinydb module
db = TinyDB(‘database.json’) # Create (or open) a TinyDB database stored in a JSON file named ‘database.json’, if the file doesn’t exist, TinyDB will create it automatically
db.drop_table(‘users’) # Delete the entire table named ‘users’ from the TinyDB database
table = db.table(‘users’) # Access (or create if it doesn’t exist) a table named ‘users’ in the TinyDB database
table.insert({“id”: 1,”user”: “john”,”hash”: “e66860546f18”}) # Insert a new record (dictionary) into the ‘users’ table
table.insert({“id”: 2,”user”: “jane”,”hash”: “cdbbcd86b35e”, “car”:”ford”}) # Insert a new record (dictionary) into the ‘users’ table
table.update({‘car’: ‘jeep’}, where(‘user’) == ‘jane’) # Update all records in the ‘users’ table where ‘user’ is ‘jane’, change the field ‘car’ with value ‘jeep’
print(table.all()) # Retrieve and print all records from the ‘users’ table
from tinydb import TinyDB, where
# Open (or create) the JSON-backed database file.
db = TinyDB('database.json')
# Reset the 'users' table so it holds exactly the two sample records.
db.drop_table('users')
table = db.table('users')
table.insert({"id": 1,"user": "john","hash": "e66860546f18"})
table.insert({"id": 2,"user": "jane","hash": "cdbbcd86b35e", "car":"ford"})
# update() applies the given fields to every record that matches the condition;
# here jane's "car" changes from "ford" to "jeep" and john is left untouched.
table.update({'car': 'jeep'}, where('user') == 'jane')
print(table.all())
Output
[{'id': 1, 'user': 'john', 'hash': 'e66860546f18'}, {'id': 2, 'user': 'jane', 'hash': 'cdbbcd86b35e', 'car': 'jeep'}]
Delete Specific Data
You can delete data by using the .remove() method
from tinydb import TinyDB, where # Import the TinyDB class and the where helper from the tinydb module
db = TinyDB(‘database.json’) # Create (or open) a TinyDB database stored in a JSON file named ‘database.json’, if the file doesn’t exist, TinyDB will create it automatically
db.drop_table(‘users’) # Delete the entire table named ‘users’ from the TinyDB database
table = db.table(‘users’) # Access (or create if it doesn’t exist) a table named ‘users’ in the TinyDB database
table.insert({“id”: 1,”user”: “john”,”hash”: “e66860546f18”}) # Insert a new record (dictionary) into the ‘users’ table
table.insert({“id”: 2,”user”: “jane”,”hash”: “cdbbcd86b35e”, “car”:”ford”}) # Insert a new record (dictionary) into the ‘users’ table
table.remove(where(‘user’) == ‘jane’) # Remove all records in the ‘users’ table where ‘user’ is ‘jane’
print(table.all()) # Retrieve and print all records from the ‘users’ table
from tinydb import TinyDB, where
# Open (or create) the JSON-backed database file.
db = TinyDB('database.json')
# Reset the 'users' table so it holds exactly the two sample records.
db.drop_table('users')
table = db.table('users')
table.insert({"id": 1,"user": "john","hash": "e66860546f18"})
table.insert({"id": 2,"user": "jane","hash": "cdbbcd86b35e", "car":"ford"})
# remove() deletes every record that matches the condition; only john remains.
table.remove(where('user') == 'jane')
print(table.all())
Output
[{'id': 1, 'user': 'john', 'hash': 'e66860546f18'}]
Delete All Data
You can delete all the data within a table using the .drop_table() method; to delete every table in the database, TinyDB also provides the .drop_tables() method
from tinydb import TinyDB # Import the TinyDB class from the tinydb module
db = TinyDB(‘database.json’) # Create (or open) a TinyDB database stored in a JSON file named ‘database.json’, if the file doesn’t exist, TinyDB will create it automatically
db.drop_table(‘users’) # Delete the entire table named ‘users’ from the TinyDB database
print(db.tables()) # Retrieve and print all tables
from tinydb import TinyDB
# Open (or create) the JSON-backed database file.
db = TinyDB('database.json')
# drop_table() removes only the named table; other tables are left in place.
db.drop_table('users')
# Lists the tables that remain after the drop.
print(db.tables())
Output
{'_default'}
User Input (NoSQL Injection)
A threat actor can construct a malicious query and use it to perform an unauthorized action
from tinydb import TinyDB, Query # Import the TinyDB and Query classes from the tinydb module
temp_user = input(“Enter username: “) # Prompt the user to enter a username
temp_hash = input(“Enter password: “) # Prompt the user to enter a password (Usually, there will be a function to hash the password, it’s removed from here)
db = TinyDB(‘database.json’) # Create (or open) a TinyDB database stored in a JSON file named ‘database.json’, if the file doesn’t exist, TinyDB will create it automatically
db.drop_table(‘users’) # Delete the entire table named ‘users’ from the TinyDB database
table = db.table(‘users’) # Access (or create if it doesn’t exist) a table named ‘users’ in the TinyDB database
table.insert({“id”: 1,”user”: “john”,”hash”: “e66860546f18”}) # Insert a new record (dictionary) into the ‘users’ table
table.insert({“id”: 2,”user”: “jane”,”hash”: “cdbbcd86b35e”, “car”:”ford”}) # Insert a new record (dictionary) into the ‘users’ table
if len(temp_hash) == 12: # Check if hash value length is 12
results = table.search(Query().user.search(temp_user) & Query().hash.search(temp_hash)) # Search the table for records where the ‘user’ field matches temp_user and the ‘hash’ field matches temp_hash using regex search
print(results) # Print all results
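from tinydb import TinyDB, Query

# Both values come straight from the user and must be treated as untrusted.
temp_user = input("Enter username: ")
temp_hash = input("Enter password: ")

# Open (or create) the database and reset 'users' to the two sample records.
db = TinyDB('database.json')
db.drop_table('users')
table = db.table('users')
table.insert({"id": 1,"user": "john","hash": "e66860546f18"})
table.insert({"id": 2,"user": "jane","hash": "cdbbcd86b35e", "car":"ford"})

# The length check constrains only the size of the input, not its content.
if len(temp_hash) == 12:
    # INTENTIONALLY VULNERABLE (demonstration): .search() treats its argument as a
    # regular expression, so both inputs are evaluated as patterns instead of
    # being compared literally.
    # Mitigation: use an exact comparison,
    #     (Query().user == temp_user) & (Query().hash == temp_hash)
    # or pass the input through re.escape() if a regex search is really required.
    results = table.search(Query().user.search(temp_user) & Query().hash.search(temp_hash))
    # Kept inside the branch: results is only defined when the length check passes.
    print(results)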
Malicious statement
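If a user enters [a-zA-Z0-9]+ as the username, together with a password that passes the length check, the regex pattern matches both john and jane. When TinyDB evaluates Query().user.search(temp_user), it does not search for the literal text [a-zA-Z0-9]+; instead, it treats the input as a regex pattern, which matches any username composed of letters or numbers. The hash field is queried with .search() as well, so the password input is also evaluated as a pattern, and the length check limits only its size, not its content. Comparing with == (for example Query().user == temp_user), or escaping the input with re.escape() before calling .search(), makes the query treat the input as literal text.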
[a-zA-Z0-9]+ detects on john -> True, retrieve this user
[a-zA-Z0-9]+ detects on jane -> True, retrieve this user
Output
[{'id': 1, 'user': 'john', 'hash': 'e66860546f18'}, {'id': 2, 'user': 'jane', 'hash': 'cdbbcd86b35e', 'car': 'ford'}]