> No, the db is locked down in the same way. Roles are only granted
> execute on packages/procs that they need.
>
> In production your db shouldn't allow any client tools to connect;
> however, even if the user does connect to your db, they still have the
> same restrictions. They can only do/see what you've allowed for that
> role.
>
>
Then your previous statement is wrong since changing that setting in
the CF Administrator had no effect. Further, your statement implied
that it was a good practice when in fact the good practice is to
enforce things at the user level in the database.

> My issue with <cfquery> is that you are exposing your db design. It's
> a lot harder to hack a db if you don't know the table and column names.
>
Please. If a person can access your database then they can get the
schema easily enough.

> As for encrypting the fuseaction, the question is why not? Users can
> start throwing errors by trying different fuseaction calls, which in
> turn could expose too much info if you don't have a site-wide error
> handler. The topic of this thread is securing cf apps. Although it may
> not be 100% necessary, it sure doesn't hurt. (minimal processing
> increase aside)
>
False senses of security hurt.

-Matt
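The point Matt makes above, that access control belongs on the database role rather than in the application's knowledge of table names, can be shown with a grant script. The following is an added example and is not code from the thread; it uses Oracle/PL-SQL syntax because the reply talks about "packages/procs", and every name in it (app_owner, orders, order_api, web_role, web_user) is assumed for illustration.

```sql
-- Run as a DBA. Names are hypothetical; the password is a placeholder.

-- A table the web tier must never read or write directly.
CREATE TABLE app_owner.orders (
  order_id    NUMBER PRIMARY KEY,
  customer_id NUMBER NOT NULL,
  total       NUMBER(12,2) NOT NULL
);

-- The only sanctioned entry point: a package exposing exactly the
-- operations the application needs. The package runs with definer's
-- rights (AUTHID DEFINER is the default), so callers need no table grants.
CREATE OR REPLACE PACKAGE app_owner.order_api AS
  FUNCTION order_total(p_order_id IN NUMBER) RETURN NUMBER;
END order_api;
/
CREATE OR REPLACE PACKAGE BODY app_owner.order_api AS
  FUNCTION order_total(p_order_id IN NUMBER) RETURN NUMBER IS
    v_total NUMBER;
  BEGIN
    -- Resolves to app_owner.orders because app_owner owns the package.
    SELECT total INTO v_total FROM orders WHERE order_id = p_order_id;
    RETURN v_total;
  END order_total;
END order_api;
/

-- Role used by the ColdFusion datasource account: EXECUTE on the
-- package and nothing else. Note the absence of any
-- GRANT SELECT/INSERT/UPDATE/DELETE ON app_owner.orders.
CREATE ROLE web_role;
GRANT EXECUTE ON app_owner.order_api TO web_role;

CREATE USER web_user IDENTIFIED BY "change-me";  -- placeholder
GRANT CREATE SESSION TO web_user;
GRANT web_role TO web_user;

-- Now connected as web_user, for instance from a client tool, which is
-- the case the thread worries about:
SELECT app_owner.order_api.order_total(42) FROM dual;  -- allowed
SELECT * FROM app_owner.orders;  -- fails: ORA-00942 table or view does not exist

-- The data dictionary only lists objects the session has privileges on,
-- so the table and its columns are not visible to this role:
SELECT table_name, column_name
  FROM all_tab_columns
 WHERE owner = 'APP_OWNER';

-- By contrast, an account that runs <cfquery> against the table needs
-- GRANT SELECT ON app_owner.orders, and the same all_tab_columns query
-- then returns every column name. Keeping the names out of the
-- application code protects nothing once the account can reach the table.
```

The comparison at the end is the check to run against any datasource account: whatever the dictionary views return for it is the schema an attacker holding that account's credentials already has.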