Oi... having an internet connection is a security risk. I locked my keys in the car the other night. I had to make a simple tool and slid it down between the body of the car and the top of the door, to hit the electric lock button. It took less than 30 seconds to steal my own car. But it was locked down, in my driveway... but who cares? It's "out there" and "always at risk."
Have a patio door? It's a security risk. Ever cross the street? That's not safe. Best practices and due diligence are the only recourse in an unsecure, open world.

So, which is more likely? Getting "rooted" or parsing someone else's pages? Or guessing at the DSNs of others? I don't know, I really don't (and I don't really care, either). What I do know is this... Having a CF Server (or Java, ISP, Oracle, Apache, IIS, or anything) and a DB that are on the internet are the basic security risk here, because the real jeopardy only comes when putting a system on the internet... so bickering over details is silly.

*MY* ISP puts the passwords in the DSN, by default. So my pages have no access credentials in them. That's fine with me. I hate the extra typing, which is really my big motivation and has nothing to do with security... because on this topic, it's an utterly irrelevant issue.

Upshot? Keep servers patched, updated, sandboxed, and so on so that WHEN you're broken into (note: NOT IF, but when) you'll at least be able to prove you maintained it as best as could be and shouldn't be liable for damages or losses...

And the only way to create a connect-string-based DSN anymore is to use a JDBC connect string in the CFADMIN. If you google for JDBC and your driver you should be able to find syntax easily. I don't think it can be done from within CF these days, but it certainly can be done from the administrator DSN setup page. However, since you put the hostname/ip, username, password, port... why mess with JDBC connections when you can just use the form?

Laterz,
J

On Sun, 06 Mar 2005 12:56:03 -0500, Claude Schneegans <[EMAIL PROTECTED]> wrote:
> >>it is trivial to write a CF template to get the
> >>raw code of everyone else's CF templates to get their usernames and
> >>passwords;
>
> It is at least as trivial (at least in CF 5) to write a CF template to get
> the CF administrator password,
> so storing the datasource password in it is not safe either.
-- Continuum Media Group LLC Burnsville, MN 55337 http://www.web-relevant.com http://cfobjective.neo.servequake.com

