Since I started this discussion, I'd like to share my takeaways:

1. CFInput is more about convenience than about security.
2. ValidateAt="Server" does not increase security whatsoever (this was an eye opener for me, I must admit).
3. Best practices are a guideline, a goal to work toward, and not an absolute must-have, pass/fail.
4. It is ok to pick and choose from best practices recommendations based on your specific situation.
I really appreciate everybody's thoughts on this.

Mischa.

: Sure, but I've got to ask: is that a concession to my point? :-)
: (that not every app that uses CFINPUT validation would be harmed if some
: bastard removed it?)
:
: This isn't about me winning an argument, by the way. It's just that I can't
: tell if you're letting it go because you think I can't be convinced (or
: don't want to belabor the point), or because now that my point is clear, you
: see it's not so loopy after all. :-)
:
: If you'd say it's the former, fair enough, and don't feel compelled to make
: the point. I'm sure you're plenty busy, and others may feel that the two
: sides have been represented.
:
: This was just another of my counters to the assertion that some
: less-than-perfect features in CF need to be abandoned by all (CFFORM being
: among those often named). I just say, that's just not so for everyone. We
: just need to understand its limitations, and for that I do thank you and
: others for keeping us in mind of that.
:
: /charlie
:
: -----Original Message-----
: From: ad...@acfug.org [mailto:ad...@acfug.org] On Behalf Of Dean H. Saxe
: Sent: Wednesday, March 11, 2009 11:23 AM
: To: discussion@acfug.org
: Subject: Re: [ACFUG Discuss] over-stating security concerns? (was RE:
: ValidateAt parameter is effectively only client side )
:
: Of course there is no disrespect Charlie. I think we all need a big
: group hug. ;-)
:
: Dean H. Saxe, CISSP, CEH
:
: -------------------------------------------------------------
: To unsubscribe from this list, manage your profile @
: http://www.acfug.org?fa=login.edituserform
: For more info, see http://www.acfug.org/mailinglists
: Archive @ http://www.mail-archive.com/discussion%40acfug.org/
: List hosted by http://www.fusionlink.com
: -------------------------------------------------------------

---------- Original Message ----------
FROM: "Charlie Arehart" <char...@carehart.org>
TO: <discussion@acfug.org>
DATE: Wed, 11 Mar 2009 11:52:17 -0400
SUBJECT: RE: [ACFUG Discuss] over-stating security concerns? (was RE: ValidateAt parameter is effectively only client side )
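As an added illustration of takeaways 1 and 2 above (example code written for this summary, not code posted by anyone in the thread), the form below keeps cfinput for its client-side convenience but re-checks every field in the action page with isValid() and explicit rules, so the check no longer depends on what the browser sends back. The page names, field names, the "app" datasource, the "people" table and the age/length limits are assumptions.

```cfml
<!--- form.cfm: cfinput gives a client-side check for free (convenience).
      validateAt="onServer" relies on hidden marker fields generated into
      the form; a request submitted without those fields (curl, an edited
      page) is not re-checked, so it adds no real protection. --->
<cfform action="save.cfm" method="post">
    <cfinput type="text" name="age" validate="integer" required="yes"
             validateAt="onSubmit,onServer" message="Age must be a whole number.">
    <cfinput type="text" name="email" validate="email" required="yes"
             validateAt="onSubmit" message="Enter a valid e-mail address.">
    <cfinput type="submit" name="go" value="Save">
</cfform>

<!--- save.cfm: validation the server owns, independent of the form markup.
      A direct POST such as
        curl -d "age=abc&email=x" http://host/save.cfm
      is rejected here even though none of the cfinput hidden fields arrived.
      (Page, field and datasource names are assumptions for this example.) --->
<cfparam name="form.age" default="">
<cfparam name="form.email" default="">

<cfset errors = []>

<!--- isValid("integer") rejects "abc", "12.5" and the empty string --->
<cfif NOT isValid("integer", form.age) OR form.age LT 0 OR form.age GT 150>
    <cfset arrayAppend(errors, "Age must be a whole number between 0 and 150.")>
</cfif>

<!--- isValid("email") is a format check only; the length cap is our own rule --->
<cfif NOT isValid("email", form.email) OR len(form.email) GT 254>
    <cfset arrayAppend(errors, "Enter a valid e-mail address.")>
</cfif>

<cfif arrayLen(errors)>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfoutput>
        <ul>
        <cfloop array="#errors#" index="e"><li>#htmlEditFormat(e)#</li></cfloop>
        </ul>
    </cfoutput>
    <cfabort>
</cfif>

<!--- only validated values reach the database; cfqueryparam also types them --->
<cfquery datasource="app">
    INSERT INTO people (age, email)
    VALUES (<cfqueryparam value="#form.age#" cfsqltype="cf_sql_integer">,
            <cfqueryparam value="#form.email#" cfsqltype="cf_sql_varchar" maxlength="254">)
</cfquery>
```

The point of the split is that form.cfm can be dropped, edited or replaced by a hand-crafted request without changing what save.cfm accepts; the cfinput attributes only decide how early a well-behaved browser complains.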