If your client variables are being stored on the database, then there is no way someone could modify the value, unless they had access to your database server (in which case you have bigger problems). The only interaction the user would have in this case is the CFID and CFTOKEN cookie or URL parameters, which simply act as a mapping for CF to know which client/session vars to use for their requests.
-Justin Scott

----- Original Message -----
From: "Ben Schwemlein" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Sunday, March 09, 2003 11:44 PM
Subject: Hacking Client Variables?

> Can anyone suggest a way to hack a query that has "WHERE userid =
> '#CLIENT.userid#'" in CF 5 and/or MX? Another developer has an application
> that has sensitive customer information that is encrypted at the database
> level, but not at the ColdFusion level. I think this is not secure, but I
> want some evidence before I make an objection.
> Any suggestions would help.
>
> Our client variables are contained in the Database, and the client IDs are
> sequential. If there is some way to externally hack and set the client
> variable, then a Hacker could get all customer info.
>
> Thanks,
>
> Ben

Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4
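The mechanism Justin describes, as an added model that is not part of this thread and not ColdFusion's own code: the browser only ever holds a (CFID, CFTOKEN) pair, the userid lives in a server-side store keyed by that pair, and the query's WHERE value is taken from the store, never from anything the request supplies. The store, the customer table and the token generation below are constructed for the illustration; in particular it assumes CFTOKEN is unguessable (the thread does not say how CF generates it), because with sequential CFIDs that token is the only thing that keeps one client's record separate from the next.

```python
"""Simplified model of server-side client variables keyed by CFID/CFTOKEN.

Added illustration for this thread, not ColdFusion's own implementation.
The store, the customer table and the token values are constructed here.
"""
import secrets
import sqlite3

# Constructed server-side client-variable store. The browser holds only
# the (CFID, CFTOKEN) pair; the userid itself never leaves the server.
CLIENT_STORE = {}


def new_client(userid):
    """Allocate a client record. CFID is sequential (as the thread says);
    CFTOKEN is the random part that makes the pair hard to guess
    (assumption: a real deployment must configure an unguessable token)."""
    cfid = len(CLIENT_STORE) + 1
    cftoken = secrets.token_hex(16)
    CLIENT_STORE[(cfid, cftoken)] = {"userid": userid}
    return cfid, cftoken


def resolve_client(request_cookies):
    """Map request cookies to stored client variables. Both CFID and
    CFTOKEN must match; a CFID with the wrong token resolves to nothing,
    so the request gets no client scope at all."""
    try:
        cfid = int(request_cookies.get("CFID", ""))
    except ValueError:
        return None
    cftoken = request_cookies.get("CFTOKEN", "")
    return CLIENT_STORE.get((cfid, cftoken))


def setup_db():
    """Constructed customer table standing in for the real database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (userid TEXT, secret TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)",
                     [("alice", "alice-data"), ("bob", "bob-data")])
    return conn


def customer_data(conn, request_cookies):
    """Equivalent of the thread's query. The WHERE value comes from the
    server-side store, not from the request, and is bound as a parameter
    rather than interpolated into the SQL string."""
    client = resolve_client(request_cookies)
    if client is None:
        return None
    row = conn.execute("SELECT secret FROM customers WHERE userid = ?",
                       (client["userid"],)).fetchone()
    return row[0] if row else None


def demo():
    """Three requests: a legitimate one, one presenting another client's
    sequential CFID with the wrong CFTOKEN, and one that adds a 'userid'
    cookie the server never reads."""
    conn = setup_db()
    a_id, a_tok = new_client("alice")
    b_id, _b_tok = new_client("bob")
    legit = customer_data(conn, {"CFID": str(a_id), "CFTOKEN": a_tok})
    # Bob's CFID is just a_id + 1, but without Bob's CFTOKEN the pair
    # matches no record, so no client scope and no data.
    wrong_token = customer_data(conn, {"CFID": str(b_id), "CFTOKEN": a_tok})
    # An extra 'userid' cookie changes nothing: the lookup ignores it.
    injected = customer_data(conn, {"CFID": str(a_id), "CFTOKEN": a_tok,
                                    "userid": "bob"})
    return legit, wrong_token, injected
```

Running demo() returns Alice's own data for the legitimate request and None for the mismatched pair, which is the point of Justin's reply: the value in CLIENT.userid is not reachable from the request, so the risk to watch is the predictability of CFTOKEN, not the query string.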

