Re: [KCFusion] security question

[Adaryl Wakefield]

Ok wait. I have not thought this all the way though I think. The kind of attack was thinking of was where a hostile user taped the stream mid flow. Somehow between the end user and the server. Since the pages are encrypted with https then they (the hostile) should not be able to do anything yes? An if the bandit has the users authentication information then there really is not much you can do no? You know for a meeting idea I'd really like to hear what the big boys are doing security wise. All the books I have the security is pretty lame and basic. A. ----- Original Message ----- From: Luke Templin To: [EMAIL PROTECTED] Sent: Tuesday, August 12, 2003 11:05 AM Subject: RE: [KCFusion] security question You may want to do everything through a stored procedure(s). As part of that stored procedure you could create multiple sql queries one of which can be an audit trail.   Another way is to present the material to be deleted as a table with a checkbox for each row.  Then have the user select each individual record. Pass the information to a cftag that does the delete. this reduces the opportunity for a user to randomly type anything in and allows you to implement a validation routine.   Another item to explore is to use the https if security is a concern. Can't say I have experience with it but given your description that might be a method to investigate. -----Original Message----- From: Adaryl Wakefield [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 12, 2003 10:54 AM To: [EMAIL PROTECTED] Subject: Re: [KCFusion] security question Oh and just to elemenate confusion Im trying to come up with a SAFE method..not a save method. A. ----- Original Message ----- From: Adaryl Wakefield To: [EMAIL PROTECTED] Sent: Tuesday, August 12, 2003 10:48 AM Subject: Re: [KCFusion] security question Im sorry I was in a hurry and should have explained this better. For the first time I am faced with allowing users to delete info from a database. I am trying to come up with a save method for doing that. In other words I don't want people to just type random numbers in a query string and start erasing stuff. Most of the measures I have come up with so far are easily defeated. I had considered putting the primary key of the tuple to be deleted in a hidden form field but if you can alter the info sent in a post request (and I think I read somewhere that you could) then that measure is kinda lame too. the best I've got so far is that the user can only delete those tuples that are related to their login. A. ----- Original Message ----- From: Bruce Dunwiddie To: [EMAIL PROTECTED] Sent: Tuesday, August 12, 2003 11:33 AM Subject: RE: [KCFusion] security question I don't know of a way to say make IE send different request headers, but if you're trying to test something, wouldn't cfpost work? -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Adaryl Wakefield Sent: Monday, August 11, 2003 1:44 PM To: [EMAIL PROTECTED] Subject: [KCFusion] security question Is is possible to alter the information that is sent in the headers of a POST request? A.