I am sure everybody who goes as far as encrypting their form variables
remembers about cfqueryparam. Otherwise it is like barricading the window
and leaving the barn door open :)

TK
  -----Original Message-----
  From: Ian Vaughan [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, March 23, 2004 10:54 AM
  To: CF-Talk
  Subject: RE: Securing CF Apps.

  Does anybody use the CFQUERYPARAM tag for securing SQL, which is
  highlighted at

  Securing Database Access Using the cfqueryparam Tag
  http://www.macromedia.com/devnet/mx/coldfusion/articles/cfqueryparam.html

  -----Original Message-----
  From: Tangorre, Michael [mailto:[EMAIL PROTECTED]
  Sent: 23 March 2004 15:27
  To: CF-Talk
  Subject: RE: Securing CF Apps.

  I do not encrypt all values in my forms (I do for URLs though). The reason I
  encrypt some form field values and not others is that they are not all
  important if altered by a malicious user...

  For instance, if I have a text box, I do not need to encrypt a date... My
  checks to ensure that the text supplied in that field is a date will take
  care of that. I encrypt important values that are used within queries:

  SELECT *
  FROM table
  WHERE someId = #Decrypt(form.idfield,"key")#

  This hides the type of values I am using to build the query with and it also
  limits the data that is exposed to the end user.

  Mike

  > > Yes. All URL and FORM variables should be encrypted.
  > > Especially if you are using a fusebox methodology.
  >
  > I've tried this, but my users were really upset with prompts
  > such as this:
  >
  > "Please Enter the Hash value of the date you would like"
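TK's point written out as an added example (not code from anyone in the thread): Mike's query with the decrypted value interpolated into the SQL text, beside the same query with cfqueryparam. The cfquery name, the datasource name and the integer type of someId are assumptions.

```cfml
<!--- Constructed example; "getRow", "myDSN" and the integer column type are assumed. --->

<!--- Unsafe: whatever Decrypt() returns becomes part of the SQL statement itself.
      Encryption only hides the id from the user; it does not stop the database
      from treating the decrypted text as SQL. --->
<cfset decryptedId = Decrypt(form.idfield, "key")>
<cfquery name="getRow" datasource="myDSN">
    SELECT *
    FROM table
    WHERE someId = #decryptedId#
</cfquery>

<!--- Safer: cfqueryparam sends the value as a bound, typed parameter, so the
      database never parses it as SQL. With cf_sql_integer, a non-numeric
      value (a tampered or wrongly decrypted field) is rejected before the
      query runs instead of being spliced into the statement. --->
<cfset decryptedId = Decrypt(form.idfield, "key")>
<cfquery name="getRow" datasource="myDSN">
    SELECT *
    FROM table
    WHERE someId = <cfqueryparam value="#decryptedId#" cfsqltype="cf_sql_integer">
</cfquery>
```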