> seed (key)
> every request. That way it is different every time
What possible value does this bring?
>
> 2. By using plain text variable names you're going to give the potential
> intruder a decent insight into your application design, and this will give
> them the ability to make educated guesses as to your other circuit names.
So?
> 3. The objection to using cfquery is multifaceted. There is the risk of SQL
> injection if you're not doing the correct validation. If your errors are not
> being handled correctly you can give away table and column names in the
> error message.
So don't you think it's more important to handle errors properly than say "don't ever use <cfquery>"?
> Also should someone gain access to your file system they can
> build a pretty complete picture of your database from the queries. You
> can't do this when all you are using is Stored Procedures, especially if
> your variable names don't match your column names. Throw in views and you
> can obscure it even more.
You've got bigger problems should someone gain access to your file system.
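For reference, here is an added illustration (not code from either poster) of the two cfquery concerns raised above: a query that concatenates a request variable into the SQL string beside the same query bound with cfqueryparam, and a cftry/cfcatch wrapper that logs the database error detail on the server while returning a generic message to the browser. The datasource name `myDSN`, the table and column names, and the log file name are assumptions chosen for the example.

```cfml
<!--- Added example, not from the thread. Assumes a datasource "myDSN" with a
      "users" table (user_id, username). --->

<!--- Vulnerable form: url.username is pasted straight into the SQL text, so
      anything the client sends is parsed as part of the statement. --->
<cfquery name="getUserUnsafe" datasource="myDSN">
    SELECT user_id, username
    FROM   users
    WHERE  username = '#url.username#'
</cfquery>

<!--- Hardened form: cfqueryparam binds the value as a typed parameter. The
      value is never interpreted as SQL, and maxlength rejects oversized input
      before it reaches the database. --->
<cftry>
    <cfquery name="getUser" datasource="myDSN">
        SELECT user_id, username
        FROM   users
        WHERE  username = <cfqueryparam value="#url.username#"
                                        cfsqltype="cf_sql_varchar"
                                        maxlength="50">
    </cfquery>

    <cfoutput>
        <p>Found #getUser.recordCount# matching user(s).</p>
    </cfoutput>

    <!--- Database errors are recorded with full detail on the server side
          (message and detail may contain table or column names), while the
          response to the client carries none of that. --->
    <cfcatch type="database">
        <cflog file="app_db_errors" type="error"
               text="User lookup failed: #cfcatch.message# - #cfcatch.detail#">
        <cfoutput>
            <p>Sorry, your request could not be completed.</p>
        </cfoutput>
    </cfcatch>
</cftry>
```

The same pattern applies whether the SQL lives in a cfquery tag or behind a stored procedure call: the value that matters is that user input reaches the database as a bound parameter and that raw driver errors are logged, not displayed.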