Re: Database Security
On Tuesday 30 Jun 2009, Byte Me wrote:
> the staff maintain the website. From a security standpoint, does it make
> any difference if I create one database connection and call my queries as
> follows or would this be more secure (three separate connections):

With a single connection connecting to multiple databases, there is a greater chance a single SQL injection will be able to reach everything.

--
Helping to paradigmatically revolutionize enterprise communities as part of the IT team of the year, '09 and '08
Re: Database Security
> I am setting up a website that will have three separate MySQL databases. Db1
> is used in the public area, db2 is used in the value added area (a visitor is
> required to obtain a username and password), and db3 is where the staff
> maintain the website. From a security standpoint, does it make any
> difference if I create one database connection and call my queries as
> follows:
>
> or would this be more secure (three separate connections):
>

Given the exact code above, the second approach would be more secure, but this doesn't really have anything to do with datasources. Instead, it's about logins - since you didn't specify a username and password in CFQUERY, you've embedded the login credentials in the datasource. The key is to use logins that have the minimal rights necessary, so that if a login is compromised (by, say, an SQL injection attack) it can't do anything beyond what it should be able to do.

> Also, which way would be faster?

In general, the first approach would perform better, since it could reuse existing database connections more easily.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
Re: Database Security
Fixed some syntax errors.

> Anyone know the pros and cons of setting up a db connection as
> described below? I could not find the info with Google.
>
> I am setting up a website that will have three separate MySQL
> databases. Db1 is used in the public area, db2 is used in the value
> added area (a visitor is required to obtain a username and password),
> and db3 is where the staff maintain the website. From a security
> standpoint, does it make any difference if I create one database
> connection and call my queries as follows:
>
> or would this be more secure (three separate connections):
>
> Also, which way would be faster?
> thank you
Database Security
Anyone know the pros and cons of setting up a db connection as described below? I could not find the info with Google.

I am setting up a website that will have three separate MySQL databases. Db1 is used in the public area, db2 is used in the value added area (a visitor is required to obtain a username and password), and db3 is where the staff maintain the website. From a security standpoint, does it make any difference if I create one database connection and call my queries as follows:

or would this be more secure (three separate connections):

Also, which way would be faster?

thank you
Re: SQL database security/design
At 03:21 PM 4/17/2002 -0400, you wrote:
> Currently each client has their own database on our sql box.
> Our web manager is considering moving all clients to a single database
> called clients and use a single login from Cold Fusion to access their data.
> Is this the best practice? How do the rest of you guys handle client
> databases?

I'm not quite sure I understand the full situation, but... does it matter if client1 accesses the data of client2? Based on what I am understanding, it will be allowed.

> I thought the best procedure is to give each client their own database.
> Create an account with access to only their database.

I would consider this a best practice.

> In the CF admin datasource restrict sql operations to stored procedures
> only.

If you can do this, that would be great. Although many applications may require re-writes to allow for this, since many applications do not use stored procedures exclusively.

--
Jeffry Houser | mailto:[EMAIL PROTECTED]
AIM: Reboog711 | Fax / Phone: 860-223-7946
My Books: http://www.instantcoldfusion.com
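To make the least-privilege advice in Dave Watts' reply above (minimal-rights logins per datasource) and Jeffry Houser's reply above (one account confined to each client's database, stored procedures only where possible) concrete, here is an added example that is not code from the thread. It assumes MySQL; db1/db2/db3 are the databases named in the question, while the account names, the host and the procedure name are constructed placeholders.

```sql
-- Added example, not from the thread. Assumes MySQL. db1/db2/db3 come from
-- the question; account names, host and procedure name are constructed.

-- Weak setting: one account, embedded in a single CF datasource, that can
-- reach every database. A SQL injection through any public-area query
-- then reads or changes db2 (registered visitors) and db3 (staff) as well.
CREATE USER 'cfapp'@'web01.example.internal' IDENTIFIED BY 'REPLACE_ME';
GRANT ALL PRIVILEGES ON *.* TO 'cfapp'@'web01.example.internal';

-- Corrected setting: one account per datasource, each confined to its own
-- database and to the operations that part of the site actually needs.
-- Public area: read-only.
CREATE USER 'cf_public'@'web01.example.internal' IDENTIFIED BY 'REPLACE_ME';
GRANT SELECT ON db1.* TO 'cf_public'@'web01.example.internal';

-- Value-added (registered visitor) area: no DELETE, no DDL.
CREATE USER 'cf_member'@'web01.example.internal' IDENTIFIED BY 'REPLACE_ME';
GRANT SELECT, INSERT, UPDATE ON db2.* TO 'cf_member'@'web01.example.internal';

-- Staff area: full DML on db3 only; schema changes stay with a DBA account.
CREATE USER 'cf_staff'@'web01.example.internal' IDENTIFIED BY 'REPLACE_ME';
GRANT SELECT, INSERT, UPDATE, DELETE ON db3.* TO 'cf_staff'@'web01.example.internal';

-- Stored-procedure-only variant for an area: drop the table privileges and
-- grant EXECUTE on the specific routines instead, then set the matching CF
-- datasource to allow only stored procedures. Injected statements then have
-- no table-level rights to use. (get_member_profile is a placeholder name.)
REVOKE SELECT, INSERT, UPDATE ON db2.* FROM 'cf_member'@'web01.example.internal';
GRANT EXECUTE ON PROCEDURE db2.get_member_profile TO 'cf_member'@'web01.example.internal';

-- Check: confirm each account sees only its own database before wiring
-- it into a datasource. The public account must show SELECT on db1 only.
SHOW GRANTS FOR 'cf_public'@'web01.example.internal';
SHOW GRANTS FOR 'cf_member'@'web01.example.internal';
SHOW GRANTS FOR 'cf_staff'@'web01.example.internal';
```

The same pattern applies to the per-client hosting question: one account per client database, granted on that database only, so a compromise of one client's login cannot reach another client's data.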
Re: SQL database security/design
That would be an absolute nightmare to keep up with, if he does in fact try something like that. Sure you can allow certain access to certain tables etc. through SQL, but when a person adds a table etc. then he would have to redo his security settings for the new table. This in my opinion would be a terrible idea and if I were hosted on the server, I would leave!!!

"Success is a journey, not a destination!!"

Doug Brown

- Original Message -
From: "Bosky, Dave" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Wednesday, April 17, 2002 12:21 PM
Subject: SQL database security/design

> Currently each client has their own database on our sql box.
> Our web manager is considering moving all clients to a single database
> called clients and use a single login from Cold Fusion to access their data.
> Is this the best practice? How do the rest of you guys handle client
> databases?
>
> I thought the best procedure is to give each client their own database.
> Create an account with access to only their database.
> In the CF admin datasource restrict sql operations to stored procedures
> only.
>
> Any input?
>
> Dave
SQL database security/design
Currently each client has their own database on our sql box. Our web manager is considering moving all clients to a single database called clients and use a single login from Cold Fusion to access their data. Is this the best practice? How do the rest of you guys handle client databases?

I thought the best procedure is to give each client their own database. Create an account with access to only their database. In the CF admin datasource restrict sql operations to stored procedures only.

Any input?

Dave
Re: database security
Hi Seamus Campbell,

> Currently I store the database in a non-web-accessible directory on a
> shared server, but that's it.

This is a better solution. But putting a password on it also may not help much once the mdb is obtained.

Regards
Nagaraj.A

- Original Message -
From: "Seamus Campbell" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Tuesday, January 29, 2002 3:46 AM
Subject: database security

> Hi
>
> I'm working with a database programmer (in access) who is paranoid about
> his databases.
>
> He is very worried about the security of his database.
>
> Is there anything else I can reasonably do? (the website is being done
> quite cheaply)
>
> I have read some articles on security but they all seem to focus on
> encrypting a string rather than actually protecting the database as such.
>
> Any clues please??
RE: database security
If you are using Access, you are already as secure as you can get I would think. For better security you would need to move to Oracle or SQL - or any other RDBMS with a security shell.

-Original Message-
From: Seamus Campbell [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 28, 2002 2:16 PM
To: CF-Talk
Subject: database security

Hi

I'm working with a database programmer (in access) who is paranoid about his databases.

He is very worried about the security of his database.

Currently I store the database in a non-web-accessible directory on a shared server, but that's it.

Is there anything else I can reasonably do? (the website is being done quite cheaply)

I have read some articles on security but they all seem to focus on encrypting a string rather than actually protecting the database as such.

Any clues please??
RE: database security
With Access that's about as good as you get. You can always put a password on the DB as well. But that is truly trivial to crack once you get the mdb.

Jeff Garza
Lead Developer/Webmaster
Spectrum Astro, Inc.
480.892.8200
[EMAIL PROTECTED]
http://www.spectrumastro.com

-Original Message-
From: Seamus Campbell [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 28, 2002 3:16 PM
To: CF-Talk
Subject: database security

Hi

I'm working with a database programmer (in access) who is paranoid about his databases.

He is very worried about the security of his database.

Currently I store the database in a non-web-accessible directory on a shared server, but that's it.

Is there anything else I can reasonably do? (the website is being done quite cheaply)

I have read some articles on security but they all seem to focus on encrypting a string rather than actually protecting the database as such.

Any clues please??
database security
Hi

I'm working with a database programmer (in access) who is paranoid about his databases.

He is very worried about the security of his database.

Currently I store the database in a non-web-accessible directory on a shared server, but that's it.

Is there anything else I can reasonably do? (the website is being done quite cheaply)

I have read some articles on security but they all seem to focus on encrypting a string rather than actually protecting the database as such.

Any clues please??