>>If someone were able to hack into ftp though, what would it matter if
>>they had the username and password? They wouldn't need it if it were
>>set up in CF Administrator. They could just build a query right there
>>and run it. So it still seems to me that you would be safer hard
>>coding it since:
Not sure I follow this?! How are they going to run a query against the db
using ftp?
>A. You wouldn't be able to access the database without actually
>seeing the source files.
Not necessarily true. Let's say you have a cfm page called test.cfm that
receives an id via a url param and then selects data from it using select *
from <table> where id= #id#. If I knew the name of one of your tables (or
guessed it), I could alter the url to read
test.cfm?id=16;%20DELETE%20FROM%20Customers
If the username you have has permissions to delete recs from a table called
customers then your tables will be wiped. This is a "feature" of ODBC 2 in
that it allows you to run multiple SQL statements by separating them with a
semi-colon. This is one reason why you should really hold all sql queries
within the server (assuming you are using SQL or Oracle) and not embed any
SQL code into your pages, let alone the username and password.
Anyway, I digress. It must be more secure to hold the password in one place
within the DSN than to put it in every page, as text, where you are running
queries.
-----Original Message-----
From: Bud [mailto:[EMAIL PROTECTED]]
Sent: 06 June 2001 15:30
To: CF-Talk
Subject: RE: Which SQL ODBC Login method?
On 6/6/01, Mark Warrick penned:
>My opinion is that using the CF Administrator to setup the username and
>password is the most secure way to do this for the very reason you pointed
>out - people might be able to crack open the code and get that username and
>password. You should be worried about other people on your shared box, not
>the administrator.
>
>You have to assume that your system administrators aren't going to steal
>your secrets. Besides, they don't need your username and password. They
>can access all the databases on the SQL server anyway.
I'm the system administrator so I'm not worried about me. :) I'm more
worried about anyone on the same box being able to query the
datasource. Not that I have many people to worry about. Most of the
CF sites I'm hosting were built by me and the owners wouldn't know a
query from a hole in the head. :)
If someone were able to hack into ftp though, what would it matter if
they had the username and password? They wouldn't need it if it were
set up in CF Administrator. They could just build a query right there
and run it. So it still seems to me that you would be safer hard
coding it since:
A. You wouldn't be able to access the database without actually
seeing the source files.
B. If you can get in to see the source files, then you could just do
what you want from there anyway.
--
Bud Schneehagen - Tropical Web Creations
_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
ColdFusion Solutions / eCommerce Development
[EMAIL PROTECTED]
http://www.twcreations.com/
954.721.3452
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at
http://www.fusionauthority.com/bkinfo.cfm
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
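Editor's worked example of the test.cfm?id=16;%20DELETE%20FROM%20Customers attack described in the reply above. This is added code, not anything posted to the list: it uses Python's sqlite3 to emulate a driver that runs every semicolon-separated statement in one call (the behaviour the reply attributes to ODBC 2), shows the unquoted #id# interpolation wiping a constructed Customers table, and sets a type-checked, parameterized lookup beside it (the equivalent of cfqueryparam with cfsqltype="cf_sql_integer"). The table contents, the naive split-on-semicolon driver emulation and the function names are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample rows (not from the original thread).
CUSTOMERS = [(15, "alice"), (16, "bob"), (17, "carol")]

# URL-decoded form of test.cfm?id=16;%20DELETE%20FROM%20Customers
PAYLOAD = "16; DELETE FROM Customers"


def fresh_db():
    """In-memory database with a Customers table the attacker guesses the name of."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Customers (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO Customers VALUES (?, ?)", CUSTOMERS)
    conn.commit()
    return conn


def run_stacked(conn, sql):
    """Emulate a driver that executes every ';'-separated statement it is handed
    (assumed behaviour, standing in for the ODBC feature the post describes).
    Returns the rows of the last statement that produced a result set.
    Real drivers tokenise properly; a naive split is enough to show the point."""
    rows = []
    for stmt in sql.split(";"):
        stmt = stmt.strip()
        if stmt:
            cur = conn.execute(stmt)
            if cur.description:  # only SELECTs have a column description
                rows = cur.fetchall()
    conn.commit()
    return rows


def vulnerable_lookup(conn, id_param):
    """Equivalent of: select * from Customers where id= #id#
    The URL parameter is pasted straight into the SQL text."""
    return run_stacked(conn, f"SELECT * FROM Customers WHERE id={id_param}")


def safe_lookup(conn, id_param):
    """Equivalent of using a typed cfqueryparam (cf_sql_integer) for id:
    the value is coerced to an integer first, so '16; DELETE ...' is rejected,
    and it travels to the database as a bound parameter, never as SQL text."""
    id_value = int(id_param)  # raises ValueError for the stacked-statement payload
    cur = conn.execute("SELECT * FROM Customers WHERE id = ?", (id_value,))
    return cur.fetchall()


def customer_count(conn):
    return conn.execute("SELECT COUNT(*) FROM Customers").fetchone()[0]


def demo():
    """Run both lookups against the benign id and the payload; report outcomes."""
    results = {}

    conn = fresh_db()
    results["vuln_benign"] = vulnerable_lookup(conn, "16")
    results["vuln_attack"] = vulnerable_lookup(conn, PAYLOAD)
    results["vuln_remaining"] = customer_count(conn)   # table wiped: 0 rows left

    conn = fresh_db()
    results["safe_benign"] = safe_lookup(conn, "16")
    try:
        safe_lookup(conn, PAYLOAD)
        results["safe_attack"] = "ran"
    except ValueError:
        results["safe_attack"] = "rejected"
    results["safe_remaining"] = customer_count(conn)   # all rows still present
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the vulnerable lookup still returns the row for id 16 on the malicious request, so the page renders normally and the deletion goes unnoticed until someone looks for the customers. Holding the query server-side (a stored procedure taking an integer parameter) gives the same protection as the parameterized version here, and the database login used by the page should not have DELETE rights on Customers in the first place.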