Tinh

It really does not matter.
Just put the username and password on the main page of your site.  That way 
it will take the fun out of hacking... :)

Jacob

At 03:17 PM 4/18/00 +0100, you wrote:

>
>Jacob,
>should I?
>
>Jacob wrote:
>
> > Jeff has a good point.  But here is my defense of passwords set in CF
> > Administrator:
> >
> > 1.  We have about 10 html/cold fusion programmers.  Sometimes they do weird
> > things which mess up templates.  This is one less thing for them to mess up
> > on.   Also, only I and another administrator have access to the CF
> > Administrator and the SQL Server properties.  The programmers do not know
> > the passwords, just in case one leaves and wants revenge.
> >
> > 2.  Your .cfm or .htm files are not secure.  Your CF Administrator pages
> > are.  We have a co-location site across country and it is possible for
> > someone at the site to open your .htm pages using notepad and get access to
> > the databases.  The password is encrypted in the ODBC settings, CF
> > Administrator, and SQL server, not on the html pages.
> >
> > Jacob
> >
> > At 05:01 PM 4/18/00 -0400, you wrote:
> > >I don't think it really makes a difference, but if I HAD to choose an
> > >answer, I'd say having them on the pages. Clients can't see either one, so
> > >why does it make a difference?
> > >
> > >If you have the account information as part of the datasource, then ANY cf
> > >page that wants to connect to the database can do so. Malicious users could
> > >hack into your system and submit a .cfm page to be executed by your server,
> > >connect to the database, and do what they want.
> > >
> > >If you have the account information as part of the page and NOT the
> > >datasource, then it doesn't matter if they submit a .cfm page to be
> > >executed. They would not be able to connect to the database by just using
> > >the datasource name.
> > >
> > >These are just observations as not "real world applications" - I've never
> > >tested it.
> > >
> > >-----Original Message-----
> > >From: Robert M. Saxon, Jr. [mailto:[EMAIL PROTECTED]]
> > >Sent: Tuesday, April 18, 2000 1:54 PM
> > >To: Cf-Talk
> > >Subject: Which is more secure?
> > >
> > >
> > >I have a datasource with a username and password to connect to SQL Server 7
> > >from CF 4.01. Is it more secure to include the username and password as part
> > >of the datasource (in CF Administrator) or to pass it with each cfquery?
> > >
> > >------------------------------------------------------------------------------
> > >Archives: http://www.eGroups.com/list/cf-talk
> > >To Unsubscribe visit
> > >http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or
> > >send a message to [EMAIL PROTECTED] with 'unsubscribe' in
> > >the body.
> >
>


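The thread turns on whether credentials live in the CF Administrator datasource or are passed to each cfquery. As an added example that is not part of the original thread, here is a small Python audit that flags every `<cfquery>` tag carrying its own `username`/`password` attributes, so an administrator can see which templates would leak database credentials to anyone able to read the .cfm files; the template contents are constructed for the demonstration.

```python
import re
from typing import Dict, List, Tuple

# Matches an opening <cfquery ...> tag; CFML tag and attribute names are case-insensitive.
CFQUERY_TAG = re.compile(r"<cfquery\b([^>]*)>", re.IGNORECASE)
# Captures attribute="value" or attribute='value' pairs inside the tag.
ATTR = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)')""")


def find_inline_credentials(template: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, datasource, username) for each <cfquery> that
    carries username/password attributes, i.e. credentials stored in the
    page rather than in the CF Administrator datasource definition."""
    findings = []
    for m in CFQUERY_TAG.finditer(template):
        attrs = {}
        for a in ATTR.finditer(m.group(1)):
            attrs[a.group(1).lower()] = a.group(2) if a.group(2) is not None else a.group(3)
        if "username" in attrs or "password" in attrs:
            line = template.count("\n", 0, m.start()) + 1  # 1-based line of the tag
            findings.append((line, attrs.get("datasource", ""), attrs.get("username", "")))
    return findings


def audit(templates: Dict[str, str]) -> Dict[str, List[Tuple[int, str, str]]]:
    """Audit a mapping of path -> template source; only files with findings are reported."""
    report = {}
    for path, src in templates.items():
        hits = find_inline_credentials(src)
        if hits:
            report[path] = hits
    return report


# Constructed sample templates (hypothetical files, not from the thread).
SAMPLE_TEMPLATES = {
    "orders.cfm": '<cfquery name="q" datasource="sales">\nSELECT 1\n</cfquery>\n',
    "report.cfm": (
        '<html>\n'
        '<CFQUERY NAME="q" DATASOURCE="sales"\n'
        '         USERNAME="reports" PASSWORD="example-only">\n'
        'SELECT 1\n'
        '</CFQUERY>\n'
    ),
}

if __name__ == "__main__":
    for path, hits in audit(SAMPLE_TEMPLATES).items():
        for line, dsn, user in hits:
            print(f"{path}:{line}: cfquery on datasource '{dsn}' carries inline credentials (user '{user}')")
```

The password value itself is deliberately never printed; the report only names the file, line, datasource and account so the finding can be triaged without copying the secret into logs.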