I don't think it really makes a difference, but if I HAD to choose an
answer, I'd say having them on the pages. Clients can't see either one, so
why does it make a difference?
If you have the account information as part of the datasource, then ANY cf
page that wants to connect to the database can do so. Malicious users could
hack into your system and submit a .cfm page to be executed by your sever,
connect to the database, and do what they want.
If you have the account information as part of the page and NOT the
datasource, then it doesn't matter if they submit a .cfm page to be
executed. They would not be able to connect to the database by just using
the datasource name.
These are just observations as not "real world applications" - I've never
tested it.
-----Original Message-----
From: Robert M. Saxon, Jr. [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 18, 2000 1:54 PM
To: Cf-Talk
Subject: Which is more secure?
I have a datasource with a username and password to connect to SQL Server 7
from CF 4.01. Is it more secure to include the username and password as part
of the datasource (in CF Administrator) or to pass it with each cfquery?
----------------------------------------------------------------------------
--
Archives: http://www.eGroups.com/list/cf-talk
To Unsubscribe visit
http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or
send a message to [EMAIL PROTECTED] with 'unsubscribe' in
the body.
------------------------------------------------------------------------------
Archives: http://www.eGroups.com/list/cf-talk
To Unsubscribe visit
http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or send a
message to [EMAIL PROTECTED] with 'unsubscribe' in the body.
