From Stephen Connolly <stephen.alan.conno...@gmail.com>
Subject Re: CQL injection attacks?
Date Fri, 01 Jul 2011 06:58:18 GMT
Nate,

That is not relevant. CQL is a text query that gets parsed. Without
parameters you have to build the query by string concatenation. If I give
you a string which contains a single quote, unless you have written your app
to escape that quote, I can force a corrupted query on you that does
something else... CQL injection attacks.

- Stephen
---
Sent from my Android phone, so random spelling mistakes, random nonsense
words and other nonsense are a direct result of using swype to type on the
screen
On 30 Jun 2011 20:20, "Nate McCall" <nate@datastax.com> wrote:
> The CQL drivers are all still sitting on top of the execute_cql_query
> Thrift API method for now.
>
> On Wed, Jun 29, 2011 at 2:12 PM, <dnallsopp@taz.qinetiq.com> wrote:
>>
>> Someone asked a while ago whether Cassandra was vulnerable to injection attacks:
>>
>> http://stackoverflow.com/questions/5998838/nosql-injection-php-phpcassa-cassandra
>>
>> With Thrift, the answer was 'no'.
>>
>> With CQL, presumably the situation is different, at least until prepared
>> statements are possible (CASSANDRA-2475) ?
>>
>> Has there been any discussion on this already that someone could point me to,
>> please? I couldn't see anything on JIRA (searching for CQL AND injection, CQL
>> AND security, etc).
>>
>> Thanks.
>>

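The point of the reply above is that a CQL query assembled by string concatenation is just text handed to a parser, so an unescaped single quote in user input ends the string literal early and the rest of the input is parsed as query syntax. The following Python is an added example, not code from the thread or from any Cassandra driver: it builds a query naively and with single-quote doubling (the escape form CQL shares with SQL), then runs a small literal scanner over the result so you can check whether the user's value actually stayed inside one literal. The column family `users` and column `name` are constructed for the example; the input "O'Brien" is an ordinary name that happens to contain a quote, which is enough to show the breakage. Where the driver offers prepared statements (CASSANDRA-2475 in the quoted mail), binding parameters is the preferred fix; escaping is the interim measure for concatenated text.

```python
# Added example (not from the mailing-list thread or any driver): why
# concatenated CQL breaks on a single quote, and a check for it.

# Constructed schema for the example: column family "users", column "name".
QUERY_PREFIX = "SELECT * FROM users WHERE name = '"


def build_naive(name):
    """Plain string concatenation: the input is pasted into the query text
    unescaped, exactly the pattern the reply warns about."""
    return QUERY_PREFIX + name + "'"


def escape_cql_string(value):
    """CQL string literals, like SQL, represent an embedded single quote
    as two single quotes, so doubling keeps the value inside the literal."""
    return value.replace("'", "''")


def build_escaped(name):
    """Concatenation with the value escaped first (interim fix when the
    driver has no prepared statements)."""
    return QUERY_PREFIX + escape_cql_string(name) + "'"


def string_literals(query):
    """Scan the query for single-quoted literals.

    Returns (literals, unbalanced): the decoded contents of each literal in
    order, and True if the final literal was never closed. This is only a
    lexer for quotes, not a CQL parser; it is enough to see where the user's
    text ended up."""
    literals = []
    i, n = 0, len(query)
    while i < n:
        if query[i] != "'":
            i += 1
            continue
        j, buf, closed = i + 1, [], False
        while j < n:
            if query[j] == "'":
                if j + 1 < n and query[j + 1] == "'":
                    buf.append("'")      # escaped quote, stays in the literal
                    j += 2
                    continue
                closed = True            # closing quote
                j += 1
                break
            buf.append(query[j])
            j += 1
        literals.append("".join(buf))
        if not closed:
            return literals, True
        i = j
    return literals, False


def input_stays_inside_literal(query, value):
    """True only if the query contains exactly one literal, that literal
    decodes back to the supplied value, and no quote was left dangling."""
    literals, unbalanced = string_literals(query)
    return not unbalanced and literals == [value]


if __name__ == "__main__":
    name = "O'Brien"
    for label, builder in (("naive", build_naive), ("escaped", build_escaped)):
        q = builder(name)
        print(label, "->", q)
        print("  literals:", string_literals(q),
              "value intact:", input_stays_inside_literal(q, name))
```

For the naive query the scanner reports the literals `["O", ""]` with an unbalanced trailing quote: the value was cut at the apostrophe, `Brien` became bare query text, and the final quote opened a literal that never closes. The escaped query yields a single literal `"O'Brien"`, which is what a parameter binding would also guarantee.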