Nate, that is not relevant. CQL is a text query that gets parsed. Without parameters you have to build the query by string concatenation. If I give you a string which contains a single quote, unless you have written your app to escape that quote, I can force a corrupted query on you that does something else... CQL injection attacks.
- Stephen

--- Sent from my Android phone, so random spelling mistakes, random nonsense words and other nonsense are a direct result of using swype to type on the screen

On 30 Jun 2011 20:20, "Nate McCall" <n...@datastax.com> wrote:
> The CQL drivers are all still sitting on top of the execute_cql_query
> Thrift API method for now.
>
> On Wed, Jun 29, 2011 at 2:12 PM, <dnalls...@taz.qinetiq.com> wrote:
>>
>> Someone asked a while ago whether Cassandra was vulnerable to injection attacks:
>>
>> http://stackoverflow.com/questions/5998838/nosql-injection-php-phpcassa-cassandra
>>
>> With Thrift, the answer was 'no'.
>>
>> With CQL, presumably the situation is different, at least until prepared
>> statements are possible (CASSANDRA-2475)?
>>
>> Has there been any discussion on this already that someone could point me to,
>> please? I couldn't see anything on JIRA (searching for CQL AND injection, CQL
>> AND security, etc).
>>
>> Thanks.
>>
>> ----------------------------------------------------------------
>> This message was sent using IMP, the Internet Messaging Program.
>>
>> This email and any attachments to it may be confidential and are
>> intended solely for the use of the individual to whom it is addressed.
>> If you are not the intended recipient of this email, you must neither
>> take any action based upon its contents, nor copy or show it to anyone.
>> Please contact the sender if you believe you have received this email in
>> error. QinetiQ may monitor email traffic data and also the content of
>> email for the purposes of security. QinetiQ Limited (Registered in
>> England & Wales: Company Number: 3796233) Registered office: Cody Technology
>> Park, Ively Road, Farnborough, Hampshire, GU14 0LX http://www.qinetiq.com .
>>
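The point Stephen makes above, worked through as an added example (this is not code from the thread or from the Cassandra project): a CQL statement is plain text that the server parses, so a single quote in a concatenated value can close the string literal early and change the shape of the statement. The `users` table and the `SELECT` are a hypothetical query of my own; the escaping rule used, a single quote inside a CQL string literal being written as two single quotes (`''`), is CQL's own. The `skeleton` function strips every string literal out of a statement so its structure can be compared against the intended template, which is the kind of check an application can apply to generated CQL until parameterised statements (CASSANDRA-2475, cited above) remove the need to build query text at all.

```python
# Added example: why concatenating user input into CQL text is unsafe,
# how to escape a value correctly, and how to detect a structural change.
# The users table and query are hypothetical; the '' escape is CQL's rule.

def build_unsafe(username: str) -> str:
    """Naive string concatenation, the pattern the thread warns against."""
    return "SELECT * FROM users WHERE username = '" + username + "'"


def quote_cql_string(value: str) -> str:
    """Render a Python string as a CQL string literal.
    A single quote inside the value is doubled, so the literal cannot be
    terminated early by the value's own content."""
    return "'" + value.replace("'", "''") + "'"


def build_escaped(username: str) -> str:
    """Same query, with the value rendered through quote_cql_string."""
    return "SELECT * FROM users WHERE username = " + quote_cql_string(username)


def skeleton(cql: str) -> str:
    """Replace every single-quoted literal with '?', honouring the '' escape.
    The result is the statement with its values removed: its structure.
    A literal that never closes is reported with an <UNTERMINATED> marker."""
    out = []
    i, n = 0, len(cql)
    while i < n:
        if cql[i] != "'":
            out.append(cql[i])
            i += 1
            continue
        i += 1  # consume the opening quote
        while True:
            if i >= n:
                return "".join(out) + "<UNTERMINATED>"
            if cql[i] == "'":
                if i + 1 < n and cql[i + 1] == "'":
                    i += 2  # escaped quote inside the literal
                    continue
                i += 1  # closing quote
                break
            i += 1
        out.append("?")
    return "".join(out)


# The structure the application intends to send, with one value slot.
TEMPLATE = "SELECT * FROM users WHERE username = ?"


def is_structure_preserved(cql: str) -> bool:
    """True when the generated statement has exactly the intended shape."""
    return skeleton(cql) == TEMPLATE


# Constructed sample inputs: a plain name, a name containing an apostrophe,
# and a value that would add a second predicate if concatenated verbatim.
SAMPLE_INPUTS = ["alice", "o'neil", "bob' AND role = 'admin"]


def check_inputs(builder):
    """Map each sample input to whether the built statement kept its shape."""
    return {value: is_structure_preserved(builder(value)) for value in SAMPLE_INPUTS}


if __name__ == "__main__":
    for value in SAMPLE_INPUTS:
        for name, builder in (("unsafe", build_unsafe), ("escaped", build_escaped)):
            stmt = builder(value)
            print(f"{name:8} {value!r:28} -> {skeleton(stmt)}")
```

With concatenation, the apostrophe in `o'neil` leaves an unterminated literal and the third value turns a one-predicate `WHERE` into two; with the escaped builder every input collapses to the single `?` of the template. The skeleton comparison is a defensive check on generated text, not a substitute for binding values server-side.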