Are you arguing semantics or ideas on how to lock down a CF application? Locking down the CFIDE is just another catch. It may just be enforcing your database lockdown, but it is another layer of enforcement nonetheless.

No. If a user accesses my DB and they only have permissions to execute on packages... that's _all_ they will see. That's how the security works. If they try to query a table, they get an error saying it doesn't exist. If they try to execute a procedure they don't have access to, again they get an error saying it doesn't exist.

By no means do I ever think a _web_ application is secure. Taking measures to do what you can is just common sense.

-adam
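The "execute on packages only" setup described in the message above, written out as an added example (this is not code from the original thread or from any poster; the schema owner, `appowner`, the table, the package and the role names are all constructed for illustration, and the password is a placeholder). The package runs with the definer's rights, so it can read the table while the application account that calls it cannot touch the table directly:

```sql
-- Run as the schema owner (here called APPOWNER, a constructed name).
-- 1. The table the application must never see directly.
CREATE TABLE orders (
  order_id    NUMBER        PRIMARY KEY,
  customer_id NUMBER        NOT NULL,
  amount      NUMBER(10,2)  NOT NULL
);

-- 2. A package that encapsulates every allowed access path.
--    AUTHID DEFINER (the default) means the body executes with
--    APPOWNER's privileges, not the caller's, so the caller needs
--    no privilege on ORDERS at all.
CREATE OR REPLACE PACKAGE pkg_orders AUTHID DEFINER AS
  PROCEDURE get_order(p_order_id IN NUMBER, p_rows OUT SYS_REFCURSOR);
END pkg_orders;
/

CREATE OR REPLACE PACKAGE BODY pkg_orders AS
  PROCEDURE get_order(p_order_id IN NUMBER, p_rows OUT SYS_REFCURSOR) IS
  BEGIN
    -- p_order_id is a bind variable; no string concatenation,
    -- so the caller cannot inject SQL through the parameter.
    OPEN p_rows FOR
      SELECT order_id, customer_id, amount
        FROM orders
       WHERE order_id = p_order_id;
  END get_order;
END pkg_orders;
/

-- 3. A least-privilege role for the web application's datasource.
--    Note what is deliberately absent: no SELECT, INSERT, UPDATE or
--    DELETE on ORDERS, and no EXECUTE on anything but PKG_ORDERS.
CREATE ROLE cf_app_role;
GRANT EXECUTE ON pkg_orders TO cf_app_role;

-- 4. The account ColdFusion's datasource connects as.
CREATE USER cf_app IDENTIFIED BY "CHANGE_ME_PLACEHOLDER";
GRANT CREATE SESSION TO cf_app;
GRANT cf_app_role TO cf_app;

-- What CF_APP experiences once connected (comments, not executed here):
--   SELECT * FROM appowner.orders;
--     => ORA-00942: table or view does not exist
--   BEGIN appowner.pkg_orders.get_order(42, :c); END;
--     => succeeds, returns the one row via the ref cursor
```

The point of the role is that a compromised datasource password (or a stray `<cfquery>`) buys an attacker only the calls the package exposes; the table name is invisible and unreachable from that session. On the ColdFusion side the procedure would be invoked through `<cfstoredproc>` with a `<cfprocparam>` for `p_order_id`, which keeps the parameter bound rather than interpolated.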

> -----Original Message-----
> From: Matt Liotta [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, March 23, 2004 06:04 PM
> To: 'CF-Talk'
> Subject: Re: Securing CF Apps.
>
> > No the db is locked down in the same way. Roles are only granted
> > execute on packages/procs that they need.
> >
> >  In production your db shouldn't allow any client tools to connect,
> > however even if the user does connect to your db, they still have the
> > same restrictions. They can only do/see what you've allowed for that
> > role.
> >
> Then your previous statement is wrong since changing that setting in
> the CF Administrator had no effect. Further, your statement implied
> that it was a good practice when in fact the good practice is to
> enforce things at the user level in the database.
>
> >  My issue with <cfquery> is that you are exposing your db design. It's
> > a lot harder to hack a DB if you don't know the table and column names.
> >
> Please. If a person can access your database then they can get the
> schema easily enough.
>
> >  As for encrypting the fuseaction, the question is why not? Users can
> > start throwing errors by trying different fuseaction calls. Which in
> > turn could expose too much info if you don't have a site-wide error
> > handler. The topic of this thread is securing CF apps. Although it may
> > not be 100% necessary, it sure doesn't hurt. (minimal processing
> > increase aside)
> >
> False senses of security hurt.
>
> -Matt
>
>
>