Anyone familiar enough with the Cassandra engine (via PHP using phpcassa lib) to know offhand whether there's a corollary to the sql-injection attack vector? If so, has anyone taken a stab at establishing best practices to thwart them? If not, would anyone like to ; )

No. The Thrift layer used by phpcassa is an rpc framework, not based on string parsing.

An update - Cassandra v0.8 introduced CQL, which might have brought with it the possibility of injection attacks. However:

Prepared statements were then introduced in Cassandra v1.1.0, which help to prevent such attacks.

Furthermore, see this posting which explains features of CQL that make it resistant to injection, including:

• each CQL query must contain exactly one statement
• as a rule of thumb, there are also no statement types that contain other statements, which would be another common vector for an injection.