Hi everyone, I'm starting to get worried about security whilst developing some test apps. I'm using a combination of MX7 (mainly form work and queries), AjaxCFC (standard XMLHttpRequest calls to CFCs) and JS to do quite a bit of DOM manipulation in the callback Ajax function. Basically, I'm using the CFWDDX tag (with the "cfml2js" parameter) which takes a CF query and dynamically creates a JS WddxRecordSet object which also contains an array containing the data from the query. In this case, this is achieved via the WDDX JS library. AjaxCFC is also using the same WDDX technique.
By using the WDDX technique, the resulting JS RecordSet objects end up being visible in the user's browser. Therefore, all the data from the queries can be openly seen in the "view source". I can't use an obfuscator because the JS WddxRecordSet is created dynamically by both CFWDDX and AjaxCFC. It's a bit 'nasty' for users / hackers to start unravelling your database work by studying the JS WddxRecordSet code across a number of different Ajax apps and / or invite folks to try all sorts of hacking techniques, etc.

But what to do? The answer seems to be to move more of the work to the server side and avoid / reduce Ajax - after all, one of Ajax's central themes is the XMLHttpRequest object and, well, that's JavaScript. Maybe I could move the cfwddx tag into a CFC which is invoked via an AjaxCFC call? (Although I don't know if that would help much - at the end of the day, you can go to the browser's cache and get what you want.) Is the answer (perhaps, controversially) to just avoid Ajax altogether and stick to good old page-to-page, step-by-step navigation in a web app (standard shopping-cart style apps)?

Anyone else out there with any thoughts / ideas, or who has started looking at techniques to make things 'harder'?

Cheers,
Andy
Madrid, Spain

p.s. Apologies - I've also posted this in the Ajax forum but it doesn't look too active.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:269590

