Yeah, I suppose you're right.  But they'd have to know the name of the
CFC, what functions it contains, and you'd have to have built it in an
insecure manner.  Well, I suppose they could call it directly and get
the cool CFC layout page...but when it comes to shared hosting, most
people don't have a choice anyway, so that's the risk you take, I guess.
Oh yeah, and if they do manage to guess a CFC name, what are they going
to do with it?  It's not like they can write cfm files to your
directory...but I'd be curious to hear a scenario where someone could
hack your site after finding a CFC.  

I agree though, keeping the CFCs above web root if possible just seems
safer.

> -----Original Message-----
> From: Russ [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, June 08, 2006 1:36 PM
> 
> I think that if you don't have mappings in cf admin, it will have to be
> under the web root, which might be a security risk since now people can call
> your cfc's directly from the browser.  We keep all our code above the web
> root, the only thing inside the web root is the main.cfm template and
> application.cfm.
> 
> Russ
> 
> > -----Original Message-----
> > From: Munson, Jacob [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, June 08, 2006 2:52 PM
> > To: CF-Talk
> > Subject: RE: About CFC Path
> > 
> > That's the way I do it, yes.  I'm not sure if it's required though.
> > 
> > > -----Original Message-----
> > > From: Russ [mailto:[EMAIL PROTECTED]
> > > Sent: Thursday, June 08, 2006 11:10 AM
> > >
> > > In this case, wouldn't you need to keep the cfc's under web root?
> > >
> > > > -----Original Message-----
> > > > From: Munson, Jacob [mailto:[EMAIL PROTECTED]
> > > > Sent: Thursday, June 08, 2006 11:23 AM
> > > >
> > > > In my experience, you don't need a mapping that was created in the
> > > > CFAdmin to invoke a CFC.  Something that used to confuse me is that
> > > > people use the term mapping liberally, and it doesn't always mean the
> > > > thingies in the CFAdmin.  Often they are referring to the path that you
> > > > use to invoke the CFC, like coldfusion.clients.mycfcs.parseEmail.  As
> > > > long as you do the 'dotted notation mapping' correctly, a shared hosting
> > > > environment should work fine.
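
An added example, not part of the thread or any poster's code: when CFCs have to stay under the web root, as on the shared hosting discussed above, a small audit can list which of them declare functions with access="remote", the only access level ColdFusion lets a browser invoke by URL. The function names and the sample CFCs are constructed for illustration, and only tag syntax is covered.

```python
import os
import re
import tempfile

# Tag syntax: <cffunction name="x" access="remote">, attributes in any order.
CFFUNCTION = re.compile(r"<cffunction\b([^>]*)>", re.IGNORECASE)
ATTR = re.compile(r"""(\w+)\s*=\s*(["'])(.*?)\2""", re.DOTALL)

def remote_functions(cfc_source):
    """Return names of tag-syntax functions declared with access="remote"."""
    names = []
    for match in CFFUNCTION.finditer(cfc_source):
        attrs = {k.lower(): v for k, _, v in ATTR.findall(match.group(1))}
        # A missing access attribute defaults to public, which is not URL-callable.
        if attrs.get("access", "").lower() == "remote":
            names.append(attrs.get("name", "?"))
    return names

def audit_webroot(webroot):
    """Map each .cfc under webroot (relative path) to its remote functions."""
    findings = {}
    for folder, _, files in os.walk(webroot):
        for name in files:
            if name.lower().endswith(".cfc"):
                path = os.path.join(folder, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    rel = os.path.relpath(path, webroot).replace(os.sep, "/")
                    findings[rel] = remote_functions(fh.read())
    return findings

def demo():
    """Build a constructed web root with two sample CFCs and audit it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "mycfcs"))
        samples = {  # constructed sample components, not from the thread
            "mycfcs/parseEmail.cfc": '<cfcomponent>\n'
                '<cffunction name="parse" access="public"></cffunction>\n'
                '<cffunction access="REMOTE" name="purgeQueue"></cffunction>\n'
                '</cfcomponent>',
            "mycfcs/util.cfc": '<cfcomponent>\n'
                '<cffunction name="trimAll" access="package"></cffunction>\n'
                '</cfcomponent>',
        }
        for rel, body in samples.items():
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write(body)
        return audit_webroot(root)

if __name__ == "__main__":
    for cfc, funcs in sorted(demo().items()):
        print(cfc, "->", funcs or "no remote functions")
```

Any function the audit reports should either do its own authentication and input checks or be changed to a non-remote access level.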
