On Sat, 2011-07-02 at 19:17 +0100, dnalls...@taz.qinetiq.com wrote:
> Just to illustrate; the typical injection pattern is:
> 
> String user = getUserName();
> String cql = "select * from users where KEY='" + user + "';";
> execute_cql(cql);
> 
> Now, if the user string is obtained from an external source (e.g. web
> form or
> other UI), then the attacker may enter a username of:
> 
> jsmith'; DROP COLUMNFAMILY 'users
> 
> which results in a CQL query of:
> 
> select * from users where KEY='jsmith'; DROP COLUMNFAMILY 'users'; 

No, each CQL query must contain exactly one statement, so this sort of
attack would not work.

And, as a rule of thumb, there are also no statement types that contain
other statements, which would be another common vector for an
injection.

Now, there are batch statements for INSERT and UPDATE that are
essentially a collection of statements for that type.  That's probably
enough to say that, hypothetically speaking, it's possible in the
presence of an extremely buggy driver implementation, and some very
sloppy client code, for a clever attacker to create a new record (or
overwrite an existing one).

TTBMK, there are currently no drivers with bugs that egregious, so make
use of the driver's parameter substitution, sanitize your input, and you
shouldn't have anything to worry about (there is almost certainly less
risk of an injection attack than with SQL).

-- 
Eric Evans
eev...@rackspace.com
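Added example (not from the thread above, and not from any Cassandra driver): the concatenation pattern quoted at the top of the message, placed beside a placeholder-based form and a single-statement check, written in plain Python so it runs offline. `quote_cql_string`, `bind_params` and `count_statements` are hypothetical stand-ins for what a driver's parameter substitution does, not the API of any real driver; the only CQL rule assumed is that single quotes inside a string literal are escaped by doubling them.

```python
# Added example, not code from the original mailing-list post.
# Shows why string concatenation is the problem and what parameter
# substitution buys you, using the exact username from the quoted message.

VULNERABLE_TEMPLATE = "select * from users where KEY='{}';"
PARAM_TEMPLATE = "select * from users where KEY=?;"


def build_query_concat(user: str) -> str:
    """The quoted pattern: the user name is pasted straight into the CQL text."""
    return VULNERABLE_TEMPLATE.format(user)


def quote_cql_string(value: str) -> str:
    """Render a value as a CQL string literal; a single quote becomes two."""
    return "'" + value.replace("'", "''") + "'"


def bind_params(template: str, params: list) -> str:
    """Stand-in for driver parameter substitution: each '?' placeholder is
    replaced by a properly quoted literal, so the value can never end the
    literal or start a new statement. (Assumes '?' appears only as a
    placeholder, which is fine for this demo template.)"""
    parts = template.split("?")
    if len(parts) - 1 != len(params):
        raise ValueError("placeholder/parameter count mismatch")
    out = parts[0]
    for value, rest in zip(params, parts[1:]):
        out += quote_cql_string(value) + rest
    return out


def count_statements(cql: str) -> int:
    """Count top-level statements, ignoring semicolons inside string literals
    and treating '' inside a literal as an escaped quote."""
    in_string = False
    count = 0
    i = 0
    while i < len(cql):
        c = cql[i]
        if c == "'":
            if in_string and i + 1 < len(cql) and cql[i + 1] == "'":
                i += 2          # escaped quote, still inside the literal
                continue
            in_string = not in_string
        elif c == ";" and not in_string:
            count += 1
        i += 1
    return count


def execute_single_statement(cql: str) -> str:
    """Mimics the 'exactly one statement per query' rule the reply describes:
    anything else is rejected before it could reach the server."""
    if count_statements(cql) != 1:
        raise ValueError("query must contain exactly one statement")
    return cql  # a real driver would send it here


if __name__ == "__main__":
    # Constructed input: the username from the quoted message.
    hostile_user = "jsmith'; DROP COLUMNFAMILY 'users"
    concat = build_query_concat(hostile_user)
    bound = bind_params(PARAM_TEMPLATE, [hostile_user])
    print("concatenated:", concat, "->", count_statements(concat), "statements")
    print("parameterized:", bound, "->", count_statements(bound), "statements")
```

Run as a script it prints both queries: the concatenated one parses as two statements (and is rejected by `execute_single_statement`), the bound one as a single statement whose WHERE value is the literal text the attacker typed.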