Anyone familiar enough with the Cassandra engine (via PHP using phpcassa lib) to know offhand whether there's a corollary to the sql-injection attack vector? If so, has anyone taken a stab at establishing best practices to thwart them? If not, would anyone like to ; )
No. The Thrift layer used by phpcassa is an rpc framework, not based on string parsing.
An update - Cassandra v0.8 introduced CQL, which might have brought with it the possibility of injection attacks. However:
Prepared statements were then introduced in Cassandra v1.1.0, which help to prevent such attacks.
Furthermore, see this posting which explains features of CQL that make it resistant to injection, including:
- each CQL query must contain exactly one statement
- as a rule of thumb, there are also no statement types that contain other statements, which would be another common vector for an injection.
来源:https://stackoverflow.com/questions/5998838/nosql-injection-php-phpcassa-cassandra