Nate,

That is not relevant. CQL is a text query that gets parsed. Without parameters you have to build the query by string concatenation. If I give you a string which contains a single quote, unless you have written your app to escape that quote, I can force a corrupted query on you that does something else... CQL injection attacks.

- Stephen

On 30 Jun 2011 20:20, "Nate McCall" <nate@datastax.com> wrote:
> The CQL drivers are all still sitting on top of the execute_cql_query
> Thrift API method for now.
>
> On Wed, Jun 29, 2011 at 2:12 PM, <dnallsopp@taz.qinetiq.com> wrote:
>>
>> Someone asked a while ago whether Cassandra was vulnerable to injection attacks:
>>
>> http://stackoverflow.com/questions/5998838/nosql-injection-php-phpcassa-cassandra
>>
>> With Thrift, the answer was 'no'.
>>
>> With CQL, presumably the situation is different, at least until prepared
>> statements are possible (CASSANDRA-2475) ?
>>
>> Has there been any discussion on this already that someone could point me to,
>> please? I couldn't see anything on JIRA (searching for CQL AND injection, CQL
>> AND security, etc).
>>
>> Thanks.
>>
>>
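The concatenation problem described at the top of this thread, as an added Python example that is not part of the original messages: it builds a CQL string with and without quote escaping and uses a minimal literal scanner to check whether the input stayed inside one string literal. The `users` table, the `name` and `flag` columns, the helper names and the sample inputs are constructed, and the escaping rule assumed is CQL's doubling of single quotes inside string literals.

```python
# Added illustration; table, columns, helper names and inputs are constructed.
SKELETON = "SELECT * FROM users WHERE name = "

def build_unsafe(name):
    # Plain concatenation with no escaping, the pattern the thread warns about.
    return SKELETON + "'" + name + "'"

def quote_cql_string(value):
    # Assumption: a single quote inside a CQL string literal is written as ''.
    return "'" + value.replace("'", "''") + "'"

def build_escaped(name):
    return SKELETON + quote_cql_string(name)

def split_literals(query):
    """Return (string literals, text outside literals, all literals closed?)."""
    literals, outside = [], []
    i, n = 0, len(query)
    while i < n:
        if query[i] != "'":
            outside.append(query[i])
            i += 1
            continue
        i += 1                      # skip the opening quote
        buf, closed = [], False
        while i < n:
            if query[i] == "'" and i + 1 < n and query[i + 1] == "'":
                buf.append("'")     # doubled quote is an escaped quote
                i += 2
            elif query[i] == "'":
                closed = True       # closing quote
                i += 1
                break
            else:
                buf.append(query[i])
                i += 1
        if not closed:
            return literals, "".join(outside), False
        literals.append("".join(buf))
    return literals, "".join(outside), True

def input_stays_data(query, user_input):
    """True only if the input is exactly one literal and the skeleton is intact."""
    literals, outside, closed = split_literals(query)
    return closed and literals == [user_input] and outside == SKELETON

if __name__ == "__main__":
    for value in ["O'Brien", "alice' AND flag = 'x"]:   # constructed inputs
        print(repr(value), input_stays_data(build_unsafe(value), value),
              input_stays_data(build_escaped(value), value))
```

Escaping is the stopgap the message refers to; bound parameters, once available (CASSANDRA-2475), remove the need to splice input into the query text at all.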