as for cfquery...
your cfm page:
<cfquery ...>
SELECT userID, username, password
FROM users
WHERE username = #URL.username#
</cfquery>
my cfm page
<cfstoredproc procedure="authenticate">
<cfprocparam value="username" ...>
<cfprocparam value="password" ...>
<cfprocparam variable="result" ...>
</cfstoredproc>
I read your page and I know what table & columns to try and hijack all your users' information from. You read my page and you've got no idea where in my db it's stored.
-adam
> -----Original Message-----
> From: Kwang Suh [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, March 23, 2004 05:51 PM
> To: 'CF-Talk'
> Subject: Re: Securing CF Apps.
>
> > My issue with <cfquery> is that you are exposing your db design.
> > It's a lot harder to hack a db if you don't know the table and
> > column names.
>
> huh?
>
> > As for encrypting the fuseaction, the question is why not?
>
> Because it's useless.
>
> Let's think this through:
>
> I have a fuseaction called "products.list"
>
> It encrypts to "wafiawjfw"
>
> I type in "wafiawjfw" in the url.
>
> It lists the products.
>
> Where's the security?
>
> > Users can start throwing errors by trying different fuseaction calls.
> > Which in turn could expose too much info if you don't have a site
> > wide error handler.
>
> Let me get this straight. I should waste time encrypting urls, and yet be stupid enough not to have an error handler.
>
> Let's think this one through:
>
> I type in "wiejfiawefijwf", which doesn't decrypt properly.
>
> The site then throws an error, and since I don't have a site wide error handler, it exposes a whole bunch of information.
>
> Where's the security?
>
> > The topic of this thread is securing cf apps.
> > Although it may not be 100% necessary, it sure doesn't hurt.
>
> It doesn't help either.
>
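
Added example, not from either poster: what decides whether a reader of "your page" can hijack the users table is not whether the table name is visible but whether the URL value is bound as a parameter. The cfquery above pastes #URL.username# into the SQL text; the cfstoredproc passes its values through cfprocparam. The script below stands in for a ColdFusion datasource with Python's sqlite3, assumes quotes around the interpolated value (the snippet in the thread omits them), uses a constructed users table with made-up rows, and reads the catalogue from sqlite_master (information_schema plays the same role on other engines). It shows that with the pasted-in query an attacker who has never seen the page still recovers the table and column names, while with the bound parameter the same inputs return nothing even though the schema is public.

```python
import sqlite3

# Constructed sample rows standing in for the thread's users table
# (userID, username, password); the values are made up for this example.
SAMPLE_USERS = [
    (1, "adam", "s3cret"),
    (2, "kwang", "hunter2"),
    (3, "alice", "letmein"),
]


def make_db():
    """Build an in-memory database with the table and columns the cfquery names."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userID INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_interpolated(conn, username):
    """Mirror of  WHERE username = #URL.username#  : the URL value becomes part
    of the SQL text.  Quotes around the value are an assumption; the thread's
    snippet leaves them out."""
    sql = ("SELECT userID, username, password FROM users "
           "WHERE username = '" + username + "'")
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Same query with the value bound as a parameter, the way cfqueryparam or
    a cfprocparam passes it: the value is data and can never become SQL."""
    sql = "SELECT userID, username, password FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Payload 1: an always-true predicate dumps every row; the attacker needs
# nothing beyond the fact that the value lands inside a quoted string.
DUMP_ALL = "x' OR 1=1 --"

# Payload 2: the attacker who never saw "your page" reads the table names and
# their CREATE statements out of the catalogue.  SQLite keeps them in
# sqlite_master; three columns are selected to match the original SELECT list.
LIST_SCHEMA = "x' UNION SELECT 0, name, sql FROM sqlite_master WHERE type='table' --"


def demo():
    """Run both lookups against both payloads and return the rows each yields."""
    conn = make_db()
    return {
        "normal": lookup_interpolated(conn, "adam"),
        "dumped": lookup_interpolated(conn, DUMP_ALL),
        "schema": lookup_interpolated(conn, LIST_SCHEMA),
        "safe_dump": lookup_parameterized(conn, DUMP_ALL),
        "safe_schema": lookup_parameterized(conn, LIST_SCHEMA),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The "schema" result is the one that settles the thread's argument: the single row it returns carries the table name and the full CREATE TABLE text, so hiding the query behind a procedure only helps if the procedure itself never concatenates its inputs into SQL, and the parameterized lookup stays empty for both payloads no matter how much of the schema the attacker has read.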