How about storing some of the information using a one-way hash (i.e. MD5)?
This can't be unencoded (or at least, it's pointless to try).  This encrypts
a string the same way each time, so if you have a password, you can put the
same one in, and you always get the same result.

The problem is that you need to get the information from somewhere, so it
has to be stored somewhere secure.  This has to be protected in some way,
and either PGP encryption or one way hashing are the most effective ways of
doing this.

Having a SPARC (ie UNIX) is very useful because you can create a file with
permissions for a certain user and group.  Maybe you could hold all of the
information (encrypted) in there.  This can sit behind the webroot and
therefore isn't accessible except via the file system.  Maybe you could use
a Berkeley database to hold the information (access via Perl or something)?

Permissions are definitely the way to go on this one.  Make the file and
directory it is in readable only by one user, and maybe use CFX_TCPClient to
ssh into machine and read the file only it can read.

The problem you have is that you cannot access the database except with the
username and password.  Maybe you could set up a system of temporary
usernames and passwords in the database that only have extremely limited
access to the database. These could then be used on a rolling basis (the
user would never see them).

IMPORTANT BIT
-------------

At some point you HAVE to pass in a username and password to CF otherwise
database access is impossible.  The issue IS NOT "how do I do this without
storing them", but "how do I store the information without anyone else
getting access?".  Two ways of doing this.  Store it encrypted in an
uncommon encryption format (or use PGP or something) or store it in format
that can only be accessed using a specific type of access (ie database, ssh,
etc) or both of course.

If someone is that desperate to hack into the database, it is unlikely that
they will get the usernames and passwords from trawling around the site and
finding a file that they reside in (make sure you don't name the file
"thepasswords.encrypted" or something silly). The most likely form of
hacking is through code exploits, so as long as you are careful in your
coding, you won't have a problem.

Enjoy!

Paul
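The "readable only by one user, behind the webroot" approach from the reply above, as an added Python example that is not part of the original thread: the application refuses to use a credentials file unless it is a regular file (not a symlink), is owned by the account the application runs as, and carries no group or other permission bits, the same kind of strictness ssh applies to private key files. The file is also created with a restrictive mode from the start, so there is never a window in which it is world-readable. The path, the key=value layout, the account names and the secret value are all constructed for the example.

```python
import os
import stat
import tempfile

# Added example, not code from the original post. Assumptions: a POSIX host,
# a credentials file in key=value form outside the webroot, and an
# application that runs as the uid that owns the file.


class InsecureCredentialFile(Exception):
    """Raised when the credentials file is not locked down tightly enough."""


def check_credential_file(path, expected_uid=None):
    """Return True only if the file is a regular file (symlinks are rejected
    because lstat does not follow them), owned by the running user (or
    expected_uid) and not readable, writable or executable by group/other."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        raise InsecureCredentialFile(f"{path}: not a regular file")
    uid = os.getuid() if expected_uid is None else expected_uid
    if st.st_uid != uid:
        raise InsecureCredentialFile(f"{path}: owned by uid {st.st_uid}, expected {uid}")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise InsecureCredentialFile(
            f"{path}: mode {oct(stat.S_IMODE(st.st_mode))} allows group/other access")
    return True


def load_db_credentials(path, expected_uid=None):
    """Parse username/password from the file, after the permission check."""
    check_credential_file(path, expected_uid)
    creds = {}
    with open(path) as f:
        for line in f:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition("=")
            creds[key.strip()] = value.strip()
    for required in ("username", "password"):
        if required not in creds:
            raise ValueError(f"{path}: missing {required}")
    return creds


def write_credential_file(path, username, password, mode=0o400):
    """Create the file with the final mode already applied (O_CREAT with
    mode, then an explicit chmod in case umask stripped bits) so it is
    never briefly readable by anyone else. O_EXCL refuses to clobber an
    existing file or follow a planted symlink."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    with os.fdopen(fd, "w") as f:
        f.write(f"username={username}\npassword={password}\n")
    os.chmod(path, mode)


def demo():
    """Constructed scenario: a 0400 file is accepted, a 0644 file is refused."""
    d = tempfile.mkdtemp()  # mkdtemp creates the directory as 0700
    good = os.path.join(d, "dbauth")
    write_credential_file(good, "app_ro", "constructed-example-secret", 0o400)
    creds = load_db_credentials(good)

    loose = os.path.join(d, "dbauth-loose")
    write_credential_file(loose, "app_ro", "constructed-example-secret", 0o644)
    try:
        load_db_credentials(loose)
        rejected = False
    except InsecureCredentialFile:
        rejected = True
    return creds["username"], rejected


if __name__ == "__main__":
    print(demo())  # ('app_ro', True)
```

Two design choices matter here: the check uses lstat so a symlink dropped in place of the file is rejected rather than silently followed, and ownership is compared against the running uid, so a copy of the file made by another account (even with the right mode bits) is not trusted. Note that this protects the credentials on disk only; a code exploit running as the application user can still read whatever that user can read, which is the point the reply makes about careful coding.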

> -----Original Message-----
> From: Larry W. Virden [mailto:[EMAIL PROTECTED]]
> Sent: 02 November 2000 09:41
> To: CF-Talk
> Subject: Paranoid programming...
>
>
> Okay - bear with me here folk!
>
> Imagine one has a database (for example Oracle) which requires a user id
> and password to access.  Now, imagine writing an application to let joe
> user to look up and insert info into this table.  HOWEVER, we do not
> want to generally publish the user id and password; we want the coldfusion
> app as the 'gateway' into the table.
>
> So far, so good.
>
> However, because of the gateway issue, hard coding the userid and password
> into the cfm files is out - the cfm files are in general accessible by
> someone browsing the directories.
>
> The database itself is sensitive enough that the owner does not want the
> userid and password put into the ColdFusion admin area either...
>
> If you had to write an app where the database userid and password:
>       could not be hard coded,
>       could not be put into the admin area,
>       could not be entered via prompting
> what approach would you use?  Putting it into a file - encrypted or not -
> doesn't work; the files are readable and so someone could just copy them
> and build their own 'pseudo' app that accesses the data, right?
>
> Looking for 'outside the box' possible solutions.
>
> If it helps, the platform for the server is SPARC Solaris.
> --
> Never apply a Star Trek solution to a Babylon 5 problem.
> Larry W. Virden <mailto:[EMAIL PROTECTED]> <URL: http://www.purl.org/NET/lvirden/>
> Even if explicitly stated to the contrary, nothing in this posting should
> be construed as representing my employer's opinions.
> -><-
----------------------------------------------------------------------------
--------------------
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists or send a
message with 'unsubscribe' in the body to [EMAIL PROTECTED]

