Using Query String Parameters in Mongoose

Oct 8, 2021

Mongoose's Model.find() function is an important method to understand. You may call it without any arguments and it will return all the documents in that model. You can pass in a filter that tells Mongoose what to look for in the database. This filter may be an objectId or an object. When using Model.find(), you should explicitly list the schema paths you are searching on, rather than passing a whole object through. This is especially important when the filter values come from a query string.

const mongoose = require('mongoose');

const testSchema = new mongoose.Schema({
  name: String,
  location: String
});
const Model = mongoose.model('Test', testSchema);

const obj = { name: 'Mastering JS', location: 'Florida' };
await Model.create(obj);

// In request handler: name the schema path explicitly instead of
// passing the whole `req.query` object through as the filter.
await Model.find({ name: req.query.name });

Model.find() with an empty object

Model.find()'s default behavior is to return all documents in the model. So if the filter you pass is empty, or contains only properties that don't exist in the schema (Mongoose 6 strips unknown paths from the filter by default), the filter is effectively `{}` and you get back every document instead of an error.

// Do **not** do this! `req.query` may be an empty object,
// in which case the query will return **every** document.
await Model.find(req.query);

sanitizeFilter

Mongoose 6 introduces a new sanitizeFilter option that defends against query selector injection attacks. When enabled, Mongoose wraps any filter value that looks like a query selector (an object with `$`-prefixed keys) in `$eq`, so the value is compared literally instead of being interpreted as an operator.

Using sanitizeFilter is especially important if you're using Express. Express can parse objects from query strings by default, and Express query strings are the use case that inspired the original blog post on query selector injections.

// With `sanitizeFilter`, Mongoose converts the filter below to
// `{ email: 'john@acme.com', hashedPassword: { $eq: { $ne: null } } }`,
// so `$ne` is matched as a literal value rather than run as an operator.
const User = mongoose.model('User', new mongoose.Schema({ email: String, hashedPassword: String }));
const user = await User.find({ email: 'john@acme.com', hashedPassword: { $ne: null } }).setOptions({ sanitizeFilter: true });
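The two defenses this post describes, listing the schema paths a client may filter on and wrapping selector-shaped values in `$eq`, as an added stand-alone example (not code from this post or from Mongoose itself). It runs without a database; the allowed-path list and the parsed query object are constructed assumptions, and `sanitizeFilter` here is a minimal re-implementation of the option's behaviour for the cases above.

```javascript
// Paths a client is allowed to filter on. Assumption: mirrors the
// `name` / `location` schema from the post, plus `email`.
const ALLOWED_FILTER_PATHS = ['name', 'location', 'email'];

// True if `value` is a plain object with at least one `$`-prefixed key,
// e.g. `{ $ne: null }` or `{ $gt: '' }` (a query selector object).
function looksLikeSelector(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value) &&
    Object.keys(value).some(key => key.startsWith('$'));
}

// Wrap selector-shaped values in `$eq` so MongoDB compares them literally.
// Plain strings and numbers pass through unchanged, as in Mongoose 6.
function sanitizeFilter(filter) {
  const out = {};
  for (const [path, value] of Object.entries(filter)) {
    out[path] = looksLikeSelector(value) ? { $eq: value } : value;
  }
  return out;
}

// Build a Model.find() filter from a parsed query string: unknown keys
// (e.g. `role`) are dropped, allowed keys are copied, then sanitized.
function buildFilter(query) {
  const filter = {};
  for (const path of ALLOWED_FILTER_PATHS) {
    if (query[path] !== undefined) filter[path] = query[path];
  }
  return sanitizeFilter(filter);
}

// `{}` matches every document, so a handler that expects a scoped
// lookup should check this before calling Model.find().
function isEmptyFilter(filter) {
  return Object.keys(filter).length === 0;
}

// Constructed sample: the nested object Express's default query parser
// produces for `?name[$ne]=&role=admin`.
const constructedQuery = { name: { $ne: '' }, role: 'admin' };

// Result: { name: { $eq: { $ne: '' } } }, safe to hand to Model.find().
const sampleFilter = buildFilter(constructedQuery);
```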
