> Basically, this is why I've never set usernames and passwords as
> client variables. However, not allowing SELECTs would stop anyone
> from stealing them in this manner. I just always figured that
> restricting SQL operations would also restrict CF from SELECTing and
> UPDATEing. But some testing shows it doesn't affect CF in writing or
> accessing client variables.
I would still avoid setting either username or password as client variables personally... and tend to hash() passwords as they're going into the db also. For that matter, if I wanted to be particularly strict about security, I would hash the usernames also, :) since I never display the usernames. (i.e. unlike AOL/AIM's login with your screenname, which is readily available to everyone.)

Isaac Dealey
www.turnkey.to
954-776-0046

______________________________________________________________________
Get the mailserver that powers this list at http://www.coolfusion.com
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
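As an added illustration of the practice described above (hashing the password before it reaches the database and keeping credentials out of the client scope), here is a CFML sketch. It is example code written for this page, not Isaac's code or anything from the thread; the datasource name "myDSN", the "users" table and its columns are assumptions.

```cfml
<!--- Added example, not from the thread. Registration: only a hash of the
      password is stored. Datasource "myDSN", table "users" and its
      columns "username", "password_hash", "user_id" are assumed names. --->
<cfset hashedPw = hash(form.password)>
<cfquery datasource="myDSN">
    INSERT INTO users (username, password_hash)
    VALUES (
        <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar">,
        <cfqueryparam value="#hashedPw#" cfsqltype="cf_sql_varchar">
    )
</cfquery>

<!--- Login: hash what the user submitted and compare it with the stored
      hash. The plaintext password never goes into the db and never into
      a client variable, so a SELECT against the client-variable table
      yields nothing useful. --->
<cfquery name="qUser" datasource="myDSN">
    SELECT user_id
    FROM users
    WHERE username = <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar">
      AND password_hash = <cfqueryparam value="#hash(form.password)#" cfsqltype="cf_sql_varchar">
</cfquery>

<cfif qUser.recordCount EQ 1>
    <!--- Keep only an opaque id and a flag in client scope, not the
          username or password --->
    <cfset client.userID = qUser.user_id>
    <cfset client.loggedIn = true>
<cfelse>
    <cfset client.loggedIn = false>
</cfif>
```

Caveat for anyone reusing this pattern: hash() with no algorithm argument is an unsalted MD5, so identical passwords hash identically and the result is cheap to brute-force offline if the table is ever read. On a CF version that supports it, pass a stronger algorithm (e.g. hash(form.password, "SHA-256")) and prepend a per-user random salt stored alongside the hash; better still, use a deliberately slow password hashing function if one is available to you.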