From: Jonathan Ellis
Date: Tue, 29 Mar 2011 09:54:32 -0500
Subject: Re: PHP Cassandra CQL driver
To: dev@cassandra.apache.org
Cc: Courtney Robinson, client-dev@cassandra.apache.org

On Tue, Mar 29, 2011 at 9:41 AM, Courtney Robinson wrote:
> My suggestion as a means of heavily mitigating the damage of these attacks would be to only permit a single query at a time (i.e. remove the ';' token). Only trusted, administrative client applications (e.g. a GUI or console) should really permit issuing multiple queries like this. Such clients could decompose the queries into separate queries and issue them individually.

+1. ; should only be used to let an interactive interface know "that's the end of my query."

-- 
Jonathan Ellis
Project Chair, Apache Cassandra
co-founder of DataStax, the source for professional Cassandra support
http://www.datastax.com
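The check Courtney proposes, worked through as an added example that is not part of this thread and not code from the PHP driver or from Cassandra: a driver-side scanner that splits a CQL string on ';' only where the ';' sits outside string literals, quoted identifiers and comments, so an untrusted application path can refuse anything that is not exactly one statement, while a trusted administrative client can use the same splitter to decompose a batch and send each statement on its own. The attacker value, table and keyspace names are constructed for the demonstration; the CQL lexical rules assumed are single-quoted strings with '' as the escaped quote, double-quoted identifiers, and --, // and /* */ comments.

```python
"""Reject stacked CQL statements at the driver boundary.

Added example; not the PHP driver's or Cassandra's own code. It assumes CQL's
quoting and comment syntax ('' escapes a quote inside a string literal,
"" inside a quoted identifier, line comments start with -- or //, block
comments are /* ... */).
"""

from typing import List


def _end_of_quoted(cql: str, start: int, quote: str) -> int:
    """Return the index just past the literal opened by cql[start].

    A doubled quote character inside the literal is an escape, not a close.
    An unterminated literal runs to the end of the text.
    """
    i, n = start + 1, len(cql)
    while i < n:
        if cql[i] == quote:
            if i + 1 < n and cql[i + 1] == quote:
                i += 2
                continue
            return i + 1
        i += 1
    return n


def split_statements(cql: str) -> List[str]:
    """Split CQL text on ';' that are outside literals and comments.

    Comments are dropped; empty statements (e.g. a trailing terminator) are
    not returned, so "SELECT ...;" yields exactly one statement.
    """
    statements: List[str] = []
    buf: List[str] = []
    i, n = 0, len(cql)
    while i < n:
        c = cql[i]
        if c in ("'", '"'):                      # string literal or quoted identifier
            j = _end_of_quoted(cql, i, c)
            buf.append(cql[i:j])
            i = j
        elif cql.startswith("--", i) or cql.startswith("//", i):
            j = cql.find("\n", i)                # line comment: skip to end of line
            i = n if j == -1 else j
        elif cql.startswith("/*", i):
            j = cql.find("*/", i + 2)            # block comment: skip to closing */
            i = n if j == -1 else j + 2
        elif c == ";":                           # top-level separator
            stmt = "".join(buf).strip()
            if stmt:
                statements.append(stmt)
            buf = []
            i += 1
        else:
            buf.append(c)
            i += 1
    tail = "".join(buf).strip()
    if tail:
        statements.append(tail)
    return statements


def is_single_statement(cql: str) -> bool:
    """True when the text carries exactly one CQL statement."""
    return len(split_statements(cql)) == 1


def assert_single_statement(cql: str) -> str:
    """Driver entry point for untrusted callers: return the lone statement or
    raise, so a ';' smuggled in through string concatenation cannot stack a
    second statement behind the intended one."""
    stmts = split_statements(cql)
    if len(stmts) != 1:
        raise ValueError(f"expected exactly one CQL statement, got {len(stmts)}")
    return stmts[0]


# Constructed attacker-controlled value, concatenated the way a naive
# driver user might build a query string.
USER_INPUT = "x'; DROP KEYSPACE app; --"
NAIVE_QUERY = "SELECT * FROM users WHERE name = '" + USER_INPUT + "'"


if __name__ == "__main__":
    print(split_statements(NAIVE_QUERY))
    try:
        assert_single_statement(NAIVE_QUERY)
    except ValueError as exc:
        print("rejected:", exc)
```

The split is deliberately lexical rather than a full CQL parse: it only needs to know where a ';' can legitimately appear inside a statement, and that is decided by the quoting and comment rules alone. An administrative console that wants to accept batches calls split_statements and issues each element separately; everything else goes through assert_single_statement.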