> (key)
> every request. That way it is different every time
>
That is a good way to disclose your encryption algorithm, so this
practice provides no security.
> 2. By using plain text variable names you're going to give the potential
> intruder a decent insight into your application design, and this will give
> them the ability to make educated guesses as to your other circuit names.
>
The old security through obscurity argument, which has been shown time
and time again to provide no real protection.
> 3. The objection to using cfquery is multifaceted. There is the risk of SQL
> injection if you're not doing the correct validation. If your errors are not
> being handled correctly you can give away table and column names in the
> error message. Also should someone gain access to your file system they can
> build a pretty complete picture of your database from the queries. You
> can't do this when all you are using is Stored Procedures, especially if
> your variable names don't match your column names. Throw in views and you
> can obscure it even more.
>
I am still waiting for the objection to using cfquery. All of the issues
you mentioned only apply to certain uses of cfquery, which is quite a
bit different than all uses.
-Matt
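The two risks point 3 raises, SQL injection through unvalidated input and database error text reaching the client, are specific to how a query is written rather than to cfquery as such, which is the distinction Matt draws. The following is an added illustration written for this thread, not ColdFusion code and not code from either poster: it uses Python's standard `sqlite3` module and a constructed in-memory `users` table to show a lookup built by string concatenation (the defective form) beside the same lookup with a bound parameter (the equivalent of `<cfqueryparam>` inside a `<cfquery>`), plus a wrapper that keeps the database's own error message out of the response. The table, rows and the `guarded` helper are all assumptions made for the example.

```python
import sqlite3

# Constructed sample data standing in for the application's real table.
SAMPLE_USERS = [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")]

# Server-side log of detailed database errors (constructed; a real app would
# write these to its logging facility rather than a list).
ERROR_LOG = []


def make_db():
    """Build an in-memory database with the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_concatenated(conn, name):
    """The defective form: the request value is pasted into the SQL text.

    A quote character in the input changes the statement's structure, so the
    caller's data can alter which rows come back.  Kept here only as the
    'before' case to contrast with the parameterized version below.
    """
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """The hardened form: the value is bound as a parameter (like cfqueryparam).

    The database compares it as data only; it can never become part of the
    statement, so the same crafted input simply matches no row.
    """
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def guarded(lookup, conn, name):
    """Run a lookup and never return the raw database error to the caller.

    The detailed message (which may name tables, columns or SQL fragments)
    goes to the server-side log; the client sees only a generic failure.
    """
    try:
        return {"ok": True, "rows": lookup(conn, name)}
    except sqlite3.Error as exc:
        ERROR_LOG.append(str(exc))
        return {"ok": False, "rows": [], "error": "lookup failed"}


if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"
    print("concatenated :", lookup_concatenated(db, crafted))   # every row
    print("parameterized:", lookup_parameterized(db, crafted))  # no rows
    print("guarded      :", guarded(lookup_concatenated, db, "'"))
```

Running it shows the concatenated query returning every row for the crafted input while the parameterized query returns none, and `guarded` turning a syntax error from the malformed input into a generic response with the detail kept in `ERROR_LOG`. The same split applies to cfquery: a query written with `cfqueryparam` and a generic error handler carries neither risk, which is why the objection attaches to particular uses rather than to the tag.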