On 7/25/02, Stacy Young penned:
>Sorry Bud but I'm lost dude...restrict INSERT at the CFADMIN level on the
>client datasource?

Hi Stacy. Hey! A response to the actual thread. :)

Yes. If you know the datasource name of a client storage database, it 
can be queried and updated just like any other datasource.

If you restrict SQL operations to INSERT or Stored Procedures, you 
won't be able to do this. The only reason I would select one of those 
restrictions is there isn't an option to deny "ALL" SQL operations.

The scenario I'm worried about is this:

1: I build an application that uses a login.
2: I set client.user = "someuser" and client.password = "mypassword" 
and set the application name to "mydomain_userinfo".
3: Someone knows the datasource name. They query the datasource:

SELECT app,data
FROM CDATA

4: They output the query looking for possible username, password 
combinations. If I use the sample above and use "user" and "password" 
as the client variable names, this would be easy.
5: They now know the password for "someuser" is "mypassword". They 
look at the app field and easily guess from the name that the site is 
"mydomain.com".
6: They go to www.mydomain.com and log in as "someuser".

Basically, this is why I've never set usernames and passwords as 
client variables. However, not allowing SELECTs would stop anyone 
from stealing them in this manner. I just always figured that 
restricting SQL operations would also restrict CF from SELECTing, and 
UPDATEing. But some testing shows it doesn't affect CF in writing or 
accessing client variables.

My main question was, is there anything that I should be aware of 
that may be a problem if I did this?
-- 

Bud Schneehagen - Tropical Web Creations

_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
ColdFusion Solutions / eCommerce Development
[EMAIL PROTECTED]
http://www.twcreations.com/
954.721.3452
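As an added illustration (not code from Bud's post), here is the pattern the message warns against beside a login that leaves no credential in the client store at all. The users table, its columns (user_id, username, pw_hash, salt) and request.dsn are assumed names.

```cfml
<!--- Weak pattern described in the thread: the credentials themselves go into
      client scope, so they end up in CDATA.data where anyone who can SELECT
      on the client datasource can read them. --->
<cfset client.user = form.username>
<cfset client.password = form.password>

<!--- Hardened pattern: verify the password server-side against a salted hash
      (assumed users table; request.dsn is an assumed datasource name) and put
      only a non-secret user id plus a random, opaque token into client scope.
      Reading CDATA then yields nothing that can be replayed as a password. --->
<cfquery name="getUser" datasource="#request.dsn#">
  SELECT user_id, pw_hash, salt
  FROM users
  WHERE username = <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar">
</cfquery>

<cfset loginOk = false>
<cfif getUser.recordCount EQ 1>
  <!--- Hash() returns hex; compare case-insensitively so stored case does not matter --->
  <cfset candidate = Hash(getUser.salt & form.password)>
  <cfif CompareNoCase(candidate, getUser.pw_hash) EQ 0>
    <cfset loginOk = true>
  </cfif>
</cfif>

<cfif loginOk>
  <!--- only a reference and a random token are persisted; the password never is --->
  <cfset client.userId = getUser.user_id>
  <cfset client.loginToken = Hash(CreateUUID())>
<cfelse>
  <cfset client.userId = "">
  <cfset client.loginToken = "">
</cfif>
```

The token is regenerated on every successful login, so a row copied out of CDATA goes stale the next time the user signs in.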
______________________________________________________________________
Structure your ColdFusion code with Fusebox. Get the official book at 
http://www.fusionauthority.com/bkinfo.cfm
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists