This issue needs to be resolved using application security. You should
never assume that a request is authorized just because it is requested,
and always do a security check to validate each and every request
against a set of credentials (username/password, etc, etc).
Kevin
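The per-request check Kevin describes, as an added example that is not part of the original thread (the order table, session layout and parameter names are constructed for the demo): the OrderID still arrives from the client, whether via URL, hidden field or cookie, but the server only serves the order if the user identified by the server-side session owns it. The block also shows the unguessable-reference idea from the rest of the thread as a second layer, not as a substitute for the ownership check.

```python
"""Added example (not from the CF-Talk thread): server-side ownership check
for an OrderID that a client supplies in a URL, hidden field or cookie.
ORDERS, the session dict and the parameter names are constructed for the demo."""

import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Order:
    order_id: int   # sequential "autonumber" primary key, trivially guessable
    owner_id: int   # the customer who placed the order
    total: float


# Constructed sample data: consecutive keys, different owners.
ORDERS: Dict[int, Order] = {
    458: Order(458, owner_id=7, total=120.00),
    459: Order(459, owner_id=9, total=980.50),
}


class Forbidden(Exception):
    """Raised when the request is unauthenticated or the user does not own the resource."""


def parse_order_id(raw: str) -> Optional[int]:
    """Validate the untrusted parameter before it reaches a query; None if malformed."""
    raw = raw.strip()
    if not raw.isdigit() or len(raw) > 18:
        return None
    return int(raw)


def fetch_order_trusting_client(params: dict) -> Optional[Order]:
    """The pattern the thread warns against: whatever OrderID the client sends is served."""
    order_id = parse_order_id(params.get("OrderID", ""))
    return ORDERS.get(order_id) if order_id is not None else None


def fetch_order(session: dict, params: dict) -> Order:
    """Hardened version: the session (kept server-side, e.g. keyed by CFID/CFTOKEN)
    says who the user is; the order is served only if that user owns it."""
    user_id = session.get("user_id")
    if user_id is None:
        raise Forbidden("not authenticated")
    order_id = parse_order_id(params.get("OrderID", ""))
    order = ORDERS.get(order_id) if order_id is not None else None
    # One generic denial for "does not exist" and "not yours", so a client
    # cannot use the difference to enumerate which IDs are real.
    if order is None or order.owner_id != user_id:
        raise Forbidden("order not found or access denied")
    return order


def access_allowed(session: dict, params: dict) -> bool:
    """Convenience wrapper: True if fetch_order would succeed for this session."""
    try:
        fetch_order(session, params)
        return True
    except Forbidden:
        return False


# Defense in depth: expose an unguessable reference instead of the autonumber.
# The reference maps back to the real key, and the ownership check still runs.
PUBLIC_REFS: Dict[str, int] = {}


def assign_public_ref(order_id: int) -> str:
    """Mint a 128-bit random reference (OS CSPRNG) for an existing order."""
    if order_id not in ORDERS:
        raise KeyError(order_id)
    ref = secrets.token_urlsafe(16)
    PUBLIC_REFS[ref] = order_id
    return ref


def fetch_order_by_ref(session: dict, ref: str) -> Order:
    """Resolve a public reference, then apply the same ownership check."""
    order_id = PUBLIC_REFS.get(ref)
    if order_id is None:
        raise Forbidden("order not found or access denied")
    return fetch_order(session, {"OrderID": str(order_id)})


if __name__ == "__main__":
    # Customer 7 tampers with the hidden field to 459 (customer 9's order).
    print(fetch_order_trusting_client({"OrderID": "459"}))   # served, the bug
    print(access_allowed({"user_id": 7}, {"OrderID": "459"}))  # False, the fix
```

The important design choice is where the identity comes from: `user_id` is read from the server-side session, never from the request, so the only thing the client controls is which record it asks for, and that request is answered only after the ownership comparison. The random reference shrinks the attack surface for guessing, but on its own it is still "security by obscurity" if a reference ever leaks, which is why `fetch_order_by_ref` funnels into the same check.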
>>> [EMAIL PROTECTED] 10/16/00 04:06PM >>>
Look, I am not sure what method of programming you use, but there are ways to get the information of a user without passing anything via the URL. Hidden fields are OK, but still leave the ability for someone to try sending that through the URL rather than a form, and some bad coders would have this as a security risk.

The best method is to show nothing critical to the user in any form. I never pass too much on the URL, and I never pass anything like this through hidden form fields, yet I am able to know as much about the user that is there.
regards
Andrew Scott
Senior Cold Fusion Application Developer
-----Original Message-----
From: tom muck [mailto:[EMAIL PROTECTED]]
Sent: 17 October 2000 01:56
To: CF-Talk
Subject: Re: SQL Server -> MS Access "Autonumber"?
That's all I was saying... they have their uses, but don't use them where the data could be at risk, for instance as a hidden form field with an OrderID for a shopping cart. Any time there is sensitive data accessible to the user via URL, cookie, view source, etc. -- autonumbers shouldn't be used. As far as things like lists of products, suppliers, states, names, whatever -- it's a great method for creating a primary key.

tom
----- Original Message -----
From: "Andy Ewings" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Monday, October 16, 2000 10:33 AM
Subject: RE: SQL Server -> MS Access "Autonumber"?
> OK, but I'm not suggesting for one minute you pass the ID across in the URL... I tend to store it as a Client variable in a DB. All I need to pass in the URL to maintain state is the CFID and CFTOKEN, and only if the user has session-level cookies turned off.
>
> ------------------------------------------------------------------
> Andrew Ewings
> Project Manager
> Thoughtbubble Ltd
> http://www.thoughtbubble.net
> ------------------------------------------------------------------
> United Kingdom
> http://www.thoughtbubble.co.uk/
> Tel: +44 (0) 20 7387 8890
> ------------------------------------------------------------------
> New Zealand
> http://www.thoughtbubble.co.nz/
> Tel: +64 (0) 9 419 4235
> ------------------------------------------------------------------
> The information in this email and in any attachments is confidential and intended solely for the attention and use of the named addressee(s). Any views or opinions presented are solely those of the author and do not necessarily represent those of Thoughtbubble. This information may be subject to legal, professional or other privilege and further distribution of it is strictly prohibited without our authority. If you are not the intended recipient, you are not authorised to disclose, copy, distribute, or retain this message. Please notify us on +44 (0)207 387 8890.
>
> -----Original Message-----
> From: tom muck [mailto:[EMAIL PROTECTED]]
> Sent: 16 October 2000 15:20
> To: CF-Talk
> Subject: Re: SQL Server -> MS Access "Autonumber"?
>
> > I second that. Mike - I'd be very interested in hearing your reasons as to why you think it is bad practice to use Autonumbers. Have you had some bad experiences with them?
> >
> > ------------------------------------------------------------------
> > Andrew Ewings
>
> It depends where you use them. A customer could, for instance, look at a URL and see CustomerID=459 and then change this to bring up someone else's account. Or go into a cookie and change a number, or a hidden form field. If you use a GUID or some sort of algorithm to create a unique ID you're much safer. I use Identity columns all the time, but only with non-critical data.
>
> tom
>
> ------------------------------------------------------------------------------
> Archives: http://www.mail-archive.com/[email protected]/
> To Unsubscribe visit http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or send a message to [EMAIL PROTECTED] with 'unsubscribe' in the body.