That is not relevant. CQL is a text query that gets parsed. Without parameters you have to build the query by string concatenation. If I give you a string which contains a single quote, unless you have written your app to escape that quote, I can force a corrupted query on you that does something else... CQL injection attacks.

- Stephen
Sent from my Android phone, so random spelling mistakes, random nonsense words and other nonsense are a direct result of using swype to type on the screen

On 30 Jun 2011 20:20, "Nate McCall" <> wrote:
> The CQL drivers are all still sitting on top of the execute_cql_query
> Thrift API method for now.
> On Wed, Jun 29, 2011 at 2:12 PM, <> wrote:
>> Someone asked a while ago whether Cassandra was vulnerable to injection attacks:
>> With Thrift, the answer was 'no'.
>> With CQL, presumably the situation is different, at least until prepared
>> statements are possible (CASSANDRA-2475)?
>> Has there been any discussion on this already that someone could point me to,
>> please? I couldn't see anything on JIRA (searching for CQL AND injection, CQL
>> AND security, etc).
>> Thanks.
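An added illustration of the point made in this thread (example code, not from the thread, the Cassandra project, or any CQL driver; the `users` table and `name` column are assumed): a query built by concatenation is broken by any value that carries a single quote, even a legitimate one, while doubling the quote keeps the value inside one string literal, which is the escaping a client has to do itself until prepared statements (CASSANDRA-2475) take that job over.

```python
import re

# Constructed sample input: a perfectly legitimate value containing a quote.
SAMPLE_NAME = "O'Brien"


def build_unsafe(name: str) -> str:
    """Naive concatenation: the quote inside `name` closes the literal early,
    so the rest of the value ends up as unquoted query text."""
    return "SELECT * FROM users WHERE name = '" + name + "'"


def cql_quote(value: str) -> str:
    """Render `value` as a CQL string literal: single quotes are escaped by
    doubling them, which is how CQL (like SQL) represents a quote inside a literal."""
    return "'" + value.replace("'", "''") + "'"


def build_escaped(name: str) -> str:
    """Same query, with the value escaped before it is spliced into the text."""
    return "SELECT * FROM users WHERE name = " + cql_quote(name)


# A string literal the way a CQL tokeniser sees it: opening quote, then any
# non-quote character or a doubled quote, then the closing quote.
_LITERAL = re.compile(r"'(?:[^']|'')*'")


def string_literals(query: str) -> list:
    """Return the string literals a parser would find in `query`."""
    return _LITERAL.findall(query)


def unquoted_remainder(query: str) -> str:
    """The query text left over once every literal is removed; any fragment of
    the user's value that shows up here is being parsed as CQL, not as data."""
    return _LITERAL.sub("", query)


def literal_is_intact(query: str, expected: str) -> bool:
    """True when the query holds exactly one literal and that literal decodes
    back to the value that was supplied, i.e. the value stayed data."""
    lits = string_literals(query)
    return len(lits) == 1 and lits[0][1:-1].replace("''", "'") == expected


if __name__ == "__main__":
    for build in (build_unsafe, build_escaped):
        q = build(SAMPLE_NAME)
        print(q, "| intact:", literal_is_intact(q, SAMPLE_NAME))
```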