I never assume otherwise, and a site I worked on a few years ago has a
members section. I was able to say who this user was, where he visited,
what he did within the site and how long he was there for, and not once was
anything passed via the URL or as a hidden variable. The site was totally
secured; you couldn't even access a page of the site without going through
the homepage :-)
regards
Andrew Scott
Senior Cold Fusion Application Developer
-----Original Message-----
From: Kevin Miller [mailto:[EMAIL PROTECTED]]
Sent: 17 October 2000 11:12
To: CF-Talk
Subject: RE: SQL Server -> MS Access "Autonumber"?
This issue needs to be resolved using application security. You should
never assume that a request is authorized just because it is requested,
and always do a security check to validate each and every request
against a set of credentials (username/password, etc, etc).
Kevin
>>> [EMAIL PROTECTED] 10/16/00 04:06PM >>>
Look, I am not sure what method of programming you use, but there are ways
to get the information of a user without passing anything via the URL. Hidden
fields are OK, but they still leave the ability for someone to try sending
that through the URL rather than a form, and some bad coders would have this
as a security risk.
The best method is to show nothing critical to the user in any form. I never
pass too much on the URL, I never pass anything like this through forms
that is hidden, and yet I am able to know as much about the user that is
there.
regards
Andrew Scott
Senior Cold Fusion Application Developer
-----Original Message-----
From: tom muck [mailto:[EMAIL PROTECTED]]
Sent: 17 October 2000 01:56
To: CF-Talk
Subject: Re: SQL Server -> MS Access "Autonumber"?
That's all I was saying. . . they have their uses, but don't use them where
the data could be at risk. For instance as a hidden form field with an
OrderID for a shopping cart. Any time there is sensitive data accessible to
the user via URL, cookie, view source, etc. -- autonumbers shouldn't be used.
As far as things like lists of products, suppliers, states, names,
whatever -- it's a great method for creating a primary key.
tom
----- Original Message -----
From: "Andy Ewings" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Monday, October 16, 2000 10:33 AM
Subject: RE: SQL Server -> MS Access "Autonumber"?
> OK, but I'm not suggesting for one minute you pass the ID across in the
> URL.... I tend to store it as a Client variable in a DB. All I need to pass
> in the URL to maintain state is the CFID and CFTOKEN, and only if the user
> has session level cookies turned off
>
> ------------------------------------------------------------------
> Andrew Ewings
> Project Manager
> Thoughtbubble Ltd
> http://www.thoughtbubble.net
> ------------------------------------------------------------------
> United Kingdom
> http://www.thoughtbubble.co.uk/
> Tel: +44 (0) 20 7387 8890
> ------------------------------------------------------------------
> New Zealand
> http://www.thoughtbubble.co.nz/
> Tel: +64 (0) 9 419 4235
> ------------------------------------------------------------------
> The information in this email and in any attachments is confidential and
> intended solely for the attention and use of the named addressee(s). Any
> views or opinions presented are solely those of the author and do not
> necessarily represent those of Thoughtbubble. This information may be
> subject to legal, professional or other privilege and further distribution
> of it is strictly prohibited without our authority. If you are not the
> intended recipient, you are not authorised to disclose, copy, distribute,
> or retain this message. Please notify us on +44 (0)207 387 8890.
>
>
>
> -----Original Message-----
> From: tom muck [mailto:[EMAIL PROTECTED]]
> Sent: 16 October 2000 15:20
> To: CF-Talk
> Subject: Re: SQL Server -> MS Access "Autonumber"?
>
> > I second that. Mike - I'd be very interested in hearing your reasons as
> > to why you think it is bad practice to use Autonumbers. Have you had some
> > bad experiences with them?
> >
> > ------------------------------------------------------------------
> > Andrew Ewings
>
>
> It depends where you use them. A customer could, for instance, look at a
> URL and see CustomerID=459 and then change this to bring up someone else's
> account. . . Or go into a cookie and change a number, or a hidden form
> field. If you use a GUID or some sort of algorithm to create a unique ID
> you're much safer. I use Identity columns all the time, but only with
> non-critical data.
>
> tom
>
>
> ------------------------------------------------------------------------------
> Archives: http://www.mail-archive.com/[email protected]/
> To Unsubscribe visit
> http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk
> or send a message to [EMAIL PROTECTED] with 'unsubscribe' in the body.
>
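The CustomerID=459 scenario Tom describes, the server-side client variable Andy prefers, and the per-request check Kevin asks for, as an added example. This is not code from the thread and not ColdFusion: it is a small Python model of the request handlers, with constructed sample customers, orders and session tokens (the names CUSTOMERS, ORDERS, SESSIONS, ORDER_REFS and the handler functions are all assumptions for illustration). It shows the vulnerable handler beside a hardened one, an ownership check for a record id that does have to travel in the URL, and the GUID surrogate key Tom suggests used together with that check.

```python
import secrets
import uuid
from dataclasses import dataclass
from urllib.parse import parse_qs

# Constructed sample data (hypothetical): identity-column ids for customers
# and for the orders that belong to them, as an autonumber would hand them out.
CUSTOMERS = {458: "alice", 459: "bob"}
ORDERS = {
    1001: {"customer_id": 458, "total": 12.50},
    1002: {"customer_id": 459, "total": 99.00},
}

# Server-side session store, token -> customer id. The customer id itself
# never leaves the server; only the opaque token goes to the browser.
SESSIONS = {}

# Surrogate keys for orders: an unguessable GUID-style reference that can be
# shown in a URL without exposing the sequential autonumber.
ORDER_REFS = {str(uuid.uuid4()): oid for oid in ORDERS}


class Forbidden(Exception):
    """Raised for any request the session is not entitled to."""


@dataclass
class Request:
    query: str          # raw query string, e.g. "customer_id=459"
    cookie_token: str   # value of the session cookie


def login(customer_id):
    """Issue a random 256-bit session token bound to a customer."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = customer_id
    return token


def view_account_vulnerable(req):
    """Trusts the id in the URL. Editing customer_id=458 into 459 returns
    another customer's account, the flaw described in the thread."""
    cid = int(parse_qs(req.query)["customer_id"][0])
    return CUSTOMERS[cid]


def current_customer(req):
    """Resolve the subject from the server-side session, never from input."""
    cid = SESSIONS.get(req.cookie_token)
    if cid is None:
        raise Forbidden("no valid session")
    return cid


def view_account_secure(req):
    """Ignores any customer_id in the request; the session decides."""
    return CUSTOMERS[current_customer(req)]


def view_order_secure(req):
    """Where a record id must travel in the URL, check ownership on every
    request. A missing and a foreign order get the same answer, so the
    autonumber range cannot be enumerated by telling the two errors apart."""
    cid = current_customer(req)
    qs = parse_qs(req.query)
    order_id = int(qs["order_id"][0]) if "order_id" in qs else None
    order = ORDERS.get(order_id)
    if order is None or order["customer_id"] != cid:
        raise Forbidden("no such order for this customer")
    return order


def view_order_by_ref(req):
    """GUID surrogate in the URL plus the ownership check: the unguessable
    reference makes enumeration impractical, and the session check is still
    what stops a leaked or shared link from working for someone else."""
    cid = current_customer(req)
    qs = parse_qs(req.query)
    ref = qs["ref"][0] if "ref" in qs else ""
    order = ORDERS.get(ORDER_REFS.get(ref))
    if order is None or order["customer_id"] != cid:
        raise Forbidden("no such order for this customer")
    return order


def demo():
    """Walk the tampering scenario and return what each handler gives up."""
    alice = login(458)
    tampered = Request("customer_id=459", alice)   # alice edits 458 -> 459
    leaked = view_account_vulnerable(tampered)      # "bob": the account leaks
    held = view_account_secure(tampered)            # "alice": input ignored
    try:
        view_order_secure(Request("order_id=1002", alice))  # bob's order
        foreign_order_blocked = False
    except Forbidden:
        foreign_order_blocked = True
    return leaked, held, foreign_order_blocked


if __name__ == "__main__":
    print(demo())
```

The design point is that the sequential id is not the defect by itself: the defect is a handler that reads a subject or record id from the request and acts on it without binding it to the authenticated session. The GUID surrogate only makes guessing impractical; the ownership check in view_order_secure and view_order_by_ref is what holds when a reference is shared, bookmarked or leaked through a referer header.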