incubator-cassandra-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From dnalls...@taz.qinetiq.com
Subject Re: CQL injection attacks?
Date Sun, 03 Jul 2011 20:23:08 GMT
Quoting Eric Evans <eevans@rackspace.com>:

> On Sat, 2011-07-02 at 19:17 +0100, dnallsopp@taz.qinetiq.com wrote:
> > Just to illustrate; the typical injection pattern is:
> > select * from users where KEY='jsmith'; DROP COLUMNFAMILY 'users';
>
> No, each CQL query must contain exactly one statement, so this sort of
> attack would not work.

Excellent, that changes the picture enormously! I guess it might be worth adding
this fact to the preamble of the documentation?

[...]

> TTBMK, there are currently no drivers with bugs that egregious, so make
> use of the driver's parameter substitution, sanitize your input, and you
> shouldn't have anything to worry about (there is almost certainly less
> risk of an injection attack than with SQL).

Thanks very much,

David.



----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

This email and any attachments to it may be confidential and are
intended solely for the use of the individual to whom it is addressed.
If you are not the intended recipient of this email, you must neither
take any action based upon its contents, nor copy or show it to anyone.
Please contact the sender if you believe you have received this email in
error. QinetiQ may monitor email traffic data and also the content of
email for the purposes of security. QinetiQ Limited (Registered in
England & Wales: Company Number: 3796233) Registered office: Cody Technology 
Park, Ively Road, Farnborough, Hampshire, GU14 0LX http://www.qinetiq.com.

Mime
View raw message