RE: secure way to pass variables (was RE: Securing CF Apps.)
> All this talk of ways to crack systems has me paranoid.
>
> So what is the best way to pass a variable between 2 pages?
>
> Using SSL, encrypting/decrypting a session variable (or CFID
> CFTOKEN)?

If you're worried about third parties being able to view HTTP requests and responses between the client and server, use SSL. I can't see why you'd want to encrypt and decrypt session variables, since they're stored in server memory. If you're concerned that the client might be able to see values that you send to it, you might encrypt and decrypt values received from the browser, although I don't think that's especially useful. In general, if something is sensitive enough that it shouldn't be sent to the client, don't send it to the client.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
phone: 202-797-5496
fax: 202-797-5444
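Added example (not part of the original thread, and written in Python rather than CFML): when a value has to round-trip through the browser in a hidden form field, the server can attach an HMAC tag so that a modified, re-targeted or stale value is rejected on return. This detects tampering but does not hide the value, so anything the client must not see still stays on the server. The key, the field name PollID as used here, and the helper names seal/unseal are constructed for the illustration.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed demo key: a real application loads a random secret from server-side config.
SECRET_KEY = b"constructed-demo-key"


def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii")


def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode("ascii"))


def mac(payload: str) -> bytes:
    return hmac.new(SECRET_KEY, payload.encode("ascii"), hashlib.sha256).digest()


def seal(field: str, value: str, ttl: int = 900, now: Optional[float] = None) -> str:
    """Build the hidden-field content: base64(field, expiry, value) + '.' + base64(tag)."""
    expires = int((time.time() if now is None else now) + ttl)
    payload = b64e(f"{field}\n{expires}\n{value}".encode("utf-8"))
    return payload + "." + b64e(mac(payload))


def unseal(field: str, token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the value, or None if the token was altered, reused for another field, or expired."""
    try:
        payload, tag = token.split(".")
        # Constant-time comparison of the received tag with the recomputed one.
        if not hmac.compare_digest(b64d(tag), mac(payload)):
            return None
        name, expires, value = b64d(payload).decode("utf-8").split("\n", 2)
        expired = int(expires) < (time.time() if now is None else now)
    except ValueError:  # wrong shape, bad base64, non-ASCII or non-UTF-8 input
        return None
    return value if name == field and not expired else None
```

The page that renders the form calls seal() and writes the result into the hidden field; the page that receives the post calls unseal() with the same field name and treats None as a rejected request.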
secure way to pass variables (was RE: Securing CF Apps.)
All this talk of ways to crack systems has me paranoid.

So what is the best way to pass a variable between 2 pages?

Using SSL, encrypting/decrypting a session variable (or CFID CFTOKEN)?

-----Original Message-----
From: Matt Liotta [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 24, 2004 10:52 AM
To: CF-Talk
Subject: Re: Securing CF Apps.

> That's precisely what I'm saying. Once deployed, the schema owner is
> disabled. Now of course an sa account exists, but an sa account will
> exist on every db server, just as an admin account exists on every
> OS. Furthermore, all client tool connections are disabled as well. The
> only thing that isn't locked down is SQLPlus, with an sa account,
> running from localhost.
>
The sa account is a schema owner. Now the part about sa access only from localhost changes everything. That practice coupled with the schema lock down is very effective. Locking down the schema while still allowing sa access from remote machines is a waste of time.

> Applying uniform security settings to the CFIDE and the db aren't a
> waste of time. Although some may overlap, it's good practice to do
> whatever possible. Wouldn't you agree that two firewalls are better
> than one on a network? If the first one gets breached, then the second
> one can enforce the same rules. If CF gets breached, then the db
> enforces the same rules.
>
Certain network designs have more than one firewall whether that be physical or virtual, but each firewall protects different network segments. Having two firewalls protect the same network segment doesn't make sense. Although, I have heard arguments in favor of the practice. Seems like the law of diminishing returns applies to this practice. I believe the practice of applying driver level constraints that are already enforced by the database to be redundant and irrelevant.

> If lists are such a poor outlet to spreading information, then why do
> you even subscribe? It seems like you are only on this thread to
> criticise.
>
Can you not take my statements at face value? I never stated lists are a poor outlet for spreading information. I stated that this list is not a good forum for understanding general security issues.

> I look forward to your presentation on security.
>
See you there.

-Matt
Re: Ways to pass variables
wddx or cookie

On Mon, 24 Sep 2001, Mike Tangorre wrote:

> hidden form fields
>
> ----- Original Message -----
> From: "Michael S. Kimmett" <[EMAIL PROTECTED]>
> To: "CF-Talk" <[EMAIL PROTECTED]>
> Sent: Monday, September 24, 2001 1:02 PM
> Subject: Ways to pass variables
>
> > Ok, one more question. I have a client that does not want variables
> > passed through the URL ( security reasons ). But I am having problems
> > passing a variable through a form (see previous message). Session
> > variables are not permitted on this project. Does anyone have another
> > idea on how to move variables and their values from page to page?
> >
> > Thanks in advance.
> >
> > --Michael

~~
Get the mailserver that powers this list at http://www.coolfusion.com
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
RE: Ways to pass variables
well then client vars is another way.

-----Original Message-----
From: Bruce Holm [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 24, 2001 1:30 PM
To: CF-Talk
Subject: Re: Ways to pass variables

Hidden form fields can be viewed in the HTML page source view...so not ideal for security reasons either. It's less blatantly obvious but still viewable to prying eyes.

Bruce
[EMAIL PROTECTED]

----- Original Message -----
From: "Mike Tangorre" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Monday, September 24, 2001 10:23 AM
Subject: Re: Ways to pass variables

> hidden form fields
>
> ----- Original Message -----
> From: "Michael S. Kimmett" <[EMAIL PROTECTED]>
> To: "CF-Talk" <[EMAIL PROTECTED]>
> Sent: Monday, September 24, 2001 1:02 PM
> Subject: Ways to pass variables
>
> > Ok, one more question. I have a client that does not want variables
> > passed through the URL ( security reasons ). But I am having problems
> > passing a variable through a form (see previous message). Session
> > variables are not permitted on this project. Does anyone have another
> > idea on how to move variables and their values from page to page?
> >
> > Thanks in advance.
> >
> > --Michael
Re: Ways to pass variables
good call Bruce, that thought didn't even come into mind.. :-)

----- Original Message -----
From: "Bruce Holm" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Monday, September 24, 2001 1:30 PM
Subject: Re: Ways to pass variables

> Hidden form fields can be viewed in the HTML page source view...so not ideal
> for security reasons either. It's less blatantly obvious but still viewable
> to prying eyes.
>
> Bruce
> [EMAIL PROTECTED]
>
> ----- Original Message -----
> From: "Mike Tangorre" <[EMAIL PROTECTED]>
> To: "CF-Talk" <[EMAIL PROTECTED]>
> Sent: Monday, September 24, 2001 10:23 AM
> Subject: Re: Ways to pass variables
>
> > hidden form fields
> >
> > ----- Original Message -----
> > From: "Michael S. Kimmett" <[EMAIL PROTECTED]>
> > To: "CF-Talk" <[EMAIL PROTECTED]>
> > Sent: Monday, September 24, 2001 1:02 PM
> > Subject: Ways to pass variables
> >
> > > Ok, one more question. I have a client that does not want variables
> > > passed through the URL ( security reasons ). But I am having problems
> > > passing a variable through a form (see previous message). Session
> > > variables are not permitted on this project. Does anyone have another
> > > idea on how to move variables and their values from page to page?
> > >
> > > Thanks in advance.
> > >
> > > --Michael
Re: Ways to pass variables
Hidden form fields can be viewed in the HTML page source view...so not ideal for security reasons either. It's less blatantly obvious but still viewable to prying eyes.

Bruce
[EMAIL PROTECTED]

----- Original Message -----
From: "Mike Tangorre" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Monday, September 24, 2001 10:23 AM
Subject: Re: Ways to pass variables

> hidden form fields
>
> ----- Original Message -----
> From: "Michael S. Kimmett" <[EMAIL PROTECTED]>
> To: "CF-Talk" <[EMAIL PROTECTED]>
> Sent: Monday, September 24, 2001 1:02 PM
> Subject: Ways to pass variables
>
> > Ok, one more question. I have a client that does not want variables
> > passed through the URL ( security reasons ). But I am having problems
> > passing a variable through a form (see previous message). Session
> > variables are not permitted on this project. Does anyone have another
> > idea on how to move variables and their values from page to page?
> >
> > Thanks in advance.
> >
> > --Michael
Re: Ways to pass variables
hidden form fields

----- Original Message -----
From: "Michael S. Kimmett" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Monday, September 24, 2001 1:02 PM
Subject: Ways to pass variables

> Ok, one more question. I have a client that does not want variables
> passed through the URL ( security reasons ). But I am having problems
> passing a variable through a form (see previous message). Session
> variables are not permitted on this project. Does anyone have another
> idea on how to move variables and their values from page to page?
>
> Thanks in advance.
>
> --Michael
Re: Ways to pass variables
How about client variables?

----- Original Message -----
From: "Michael S. Kimmett" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Monday, September 24, 2001 12:02 PM
Subject: Ways to pass variables

> Ok, one more question. I have a client that does not want variables
> passed through the URL ( security reasons ). But I am having problems
> passing a variable through a form (see previous message). Session
> variables are not permitted on this project. Does anyone have another
> idea on how to move variables and their values from page to page?
>
> Thanks in advance.
>
> --Michael
Ways to pass variables
Ok, one more question. I have a client that does not want variables passed through the URL ( security reasons ). But I am having problems passing a variable through a form (see previous message). Session variables are not permitted on this project. Does anyone have another idea on how to move variables and their values from page to page?

Thanks in advance.

--Michael
RE: pass variables
when you loop through the query, you only need to do it once - that's why it's called a loop...so instead of all those , try:

Answer#variables.count#:

Bert Dawson

> -----Original Message-----
> From: janey smith [mailto:[EMAIL PROTECTED]]
> Sent: 12 July 2000 17:01
> To: [EMAIL PROTECTED]
> Subject: pass variables
>
> i have a problem passing variables to an edit page, it passes
> the field pol_question fine but for the answer fields my loop is
> incorrect, it just reproduces the answers 5 times each. each answer
> in the ans_answer table is related to the pol_question through the
> pol_id, any help would be appreciated,
>
> Update Poll
>
> alink="#CC9966">
>
> SELECT pol_ID, pol_Question, pol_Category, pol_Status
> FROM pol_Poll
> WHERE pol_ID = #URL.PollID#
>
> SELECT ans_ID,ans_Ans
> FROM ans_Answer A
> WHERE ans_pol_ID = #url.PollID#
>
> Poll: name="pol_question" size=40 value="#pol_question#">
>
> Answer1:
> Answer2:
> Answer3:
> Answer4:
> Answer5:
>
> Status:
> All
> New
> Active
> Archive
> Hide
>
> Category:
> All
> sports
> current affairs
> General
>
> Yes/No
> Multiple Choice
RE: pass variables
> i have a problem passing variables to an edit page, it passes the field
> pol_question fine but for the answer fields my loop is incorrect, it just
> reproduces the answers 5 times each. each answer in the ans_answer table is
> related to the pol_question through the pol_id, any help would be
> appreciated,

Erm, you've ASKED it to reproduce the answers multiple times

You should try something like this:

That'll pass through as many "Ans_IDn" as you need, and not fix it to 5

HTH

Philip Arnold
ASP Multimedia Limited
T: +44 (0)20 8680 1133
"Websites for the real world"
Re: pass variables
>i have a problem passing variables to an edit page, it passes the field
>pol_question fine but for the answer fields my loop is incorrect, it just
>reproduces the answers 5 times each. each answer in the ans_answer table is
>related to the pol_question through the pol_id, any help would be
>appreciated

It appears that your query loops are resetting the value of 'ans_Ans' & 'ans_ID' through each iteration; therefore the value for each will end up set to the last value in the query each time.

You might try using an index loop instead of a query loop, like so:

This will replace all 5 of the loops in your current setup. A possible side benefit of this is that it'll create the variables for every row in the current query; of course, this might not be what you want, if your query is actually selecting a couple hundred rows...

The rest of your output should remain the same.

HTH

Brandon Whitaker
[EMAIL PROTECTED]
---
"It'll get used by the same people using Opera. People dressed in black wearing berets." - Dave Watts, on Mozilla
"It makes you feel so welcome to have a greeter like Papa Dave at the door. Kind of like what Wal-Mart wishes it could do." - John Allred, on Dave Watts
"The net interprets censorship as damage and routes around it." - John Gilmore
Re: pass variables
"janey smith" <[EMAIL PROTECTED]>

> i have a problem passing variables to an edit page, it passes the field
> pol_question fine but for the answer fields my loop is incorrect, it just
> reproduces the answers 5 times each. each answer in the ans_answer table is
> related to the pol_question through the pol_id, any help would be
> appreciated.

Try consolidating your code, combining the hidden vars and the input fields into a single loop. You were getting 5 answers for each loop because loops do what they are supposed to do: they loop through an entire query set.

I didn't take the time to fully decipher the page you're trying to build, but you ought to be able to build it with only one or two loops and a few lines of code. Something along these lines:

Answer #GetAnswers.CurrentRow#:

Gene Kraybill
LPW & Associates
Mansfield, PA
pass variables
i have a problem passing variables to an edit page, it passes the field pol_question fine but for the answer fields my loop is incorrect, it just reproduces the answers 5 times each. each answer in the ans_answer table is related to the pol_question through the pol_id, any help would be appreciated,

Update Poll

SELECT pol_ID, pol_Question, pol_Category, pol_Status
FROM pol_Poll
WHERE pol_ID = #URL.PollID#

SELECT ans_ID,ans_Ans
FROM ans_Answer A
WHERE ans_pol_ID = #url.PollID#

Poll:
Answer1:
Answer2:
Answer3:
Answer4:
Answer5:

Status: All New Active Archive Hide
Category: All sports current affairs General
Yes/No
Multiple Choice