Ah ok, now I get it! ;-) As for whether you'd have any problems, not sure, give it a whirl! Another suggestion might be to use a dedicated userid/pass for that datasource. Also, I wouldn't necessarily keep users' passwords in these tables... For most occasions I've found that the userid only would suffice... after a person is logged in, just check for the presence of the userid in the client scope.
The easiest fix at the moment though would probably be a dedicated user/pass. Hope that helps!

-----Original Message-----
From: Bud [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 25, 2002 9:51 AM
To: CF-Talk
Subject: RE: Client Database question

On 7/25/02, Stacy Young penned:
>Sorry Bud but I'm lost dude...restrict INSERT at the CFADMIN level on the
>client datasource?

Hi Stacy. Hey! A response to the actual thread. :)

Yes. If you know the datasource name of a client storage database, it can be queried and updated just like any other datasource. If you restrict SQL operations to INSERT or Stored Procedures, you won't be able to do this. The only reason I would select one of those restrictions is that there isn't an option to deny "ALL" SQL operations.

The scenario I'm worried about is this:

1: I build an application that uses a login.
2: I set client.user = "someuser" and client.password = "mypassword" and set the application name to "mydomain_userinfo".
3: Someone knows the datasource name. They query the datasource: SELECT app,data FROM CDATA
4: They output the query looking for possible username/password combinations. If I use the sample above and use "user" and "password" as the client variable names, this would be easy.
5: They now know the password for "someuser" is "mypassword". They look at the app field and easily guess from the name that the site is "mydomain.com".
6: They go to www.mydomain.com and log in as "someuser".

Basically, this is why I've never set usernames and passwords as client variables. However, not allowing SELECTs would stop anyone from stealing them in this manner. I just always figured that restricting SQL operations would also restrict CF from SELECTing and UPDATEing. But some testing shows it doesn't affect CF in writing or accessing client variables.

My main question was, is there anything that I should be aware of that may be a problem if I did this?
--
Bud Schneehagen - Tropical Web Creations
_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
ColdFusion Solutions / eCommerce Development
[EMAIL PROTECTED]
http://www.twcreations.com/
954.721.3452

______________________________________________________________________
Signup for the Fusion Authority news alert and keep up with the latest news in ColdFusion and related topics.
http://www.fusionauthority.com/signup.cfm
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
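The pattern Stacy describes (keep only the userid in the client scope, never the password, and test for its presence on protected pages) written out as CFML, as an added example that is not code from either poster. Assumed names: a dedicated datasource "app_users" for the user table (separate from the client-variable datasource "client_store", so the client store's DB login needs no rights on application tables), a "users" table with columns username, userid, salt and password_hash, and form fields form.username / form.password. The three files are shown in one block for brevity.

```cfml
<!--- Application.cfm (assumed): client management on, with client
      variables kept in their own datasource rather than the app DSN. --->
<cfapplication name="mydomain_userinfo"
               clientmanagement="Yes"
               clientstorage="client_store"
               setclientcookies="Yes">

<!--- login.cfm (assumed): verify the credentials against the user
      table, then store ONLY the userid in the client scope. --->
<cfif IsDefined("form.username") AND IsDefined("form.password")>

    <!--- Look the user up by name only; the submitted password is never
          written to any table or used as a query predicate. --->
    <cfquery name="qUser" datasource="app_users">
        SELECT userid, salt, password_hash
        FROM   users
        WHERE  username = <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar">
    </cfquery>

    <!--- Compare a one-way hash of the submitted password with the stored
          hash. The salt column and hash layout are assumptions about the
          schema; the point is that no reversible password is kept anywhere
          CF can SELECT it back out. --->
    <cfif qUser.recordCount EQ 1
          AND CompareNoCase(Hash(qUser.salt & form.password), qUser.password_hash) EQ 0>

        <!--- This is the whole login state. Anyone who can read the client
              store sees an id and an app name, not a credential. --->
        <cfset client.userid = qUser.userid>
        <cflocation url="home.cfm" addtoken="No">

    <cfelse>
        <cfset request.loginError = "Invalid username or password.">
    </cfif>

</cfif>

<!--- Top of every protected page (assumed file): presence of
      client.userid is the logged-in test, as Stacy suggests. --->
<cfif NOT IsDefined("client.userid") OR NOT Len(Trim(client.userid))>
    <cflocation url="login.cfm" addtoken="No">
</cfif>

<!--- logout.cfm (assumed): drop the id so the client record no longer
      represents a logged-in user, rather than leaving it to expire. --->
<cfset DeleteClientVariable("userid")>
```

The client store still holds the identity of every logged-in visitor, so Stacy's other suggestion, a dedicated and least-privilege database login for the client-variable datasource, remains worthwhile on top of this; the code above only removes the credential from what that store can ever reveal.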