True.... the username/password data does need to sit somewhere. Although
with this method below you could store the data in a file that you are
SURE is secured.
This is an interesting dilemma. I'm curious to know if you'll find the
solution you want. I've had similar issues of how to store keys to
encrypted data. If you store it in CF, then if someone gets in through
some hole in your web server where they could simply read the code, then
they can get your key and decrypt whatever they need to decrypt. My
solution ended up being a combination: the key was both in the code AND
in the database. That way you have to break into both servers to access
the full key. Not a perfect solution, but better than if it was only in
one place.
How about something like that?
Steve
"Larry W. Virden" wrote:
>
> From: Steve Nelson <[EMAIL PROTECTED]>
>
> How about storing the username/password in a variable that is obtained
> from some other place? So instead of doing this:
>
> <cfquery username="blah" password="blah">
>
> <cfquery username="#somevariable#" password="#somevariable#">
>
> You would need to pull that variable from somewhere, maybe from another
> database, maybe from a file; that would be up to you. But this would
> keep the username/password out of your direct code and out of the ODBC
> driver.
>
> Is that a step in the right direction?
>
> Unfortunately, someone reading the ColdFusion source could then
> go to the file and read it - or write their own ColdFusion page
> to read the file.
>
> Frankly, I don't even know how one could do this truly securely
> OUTSIDE of ColdFusion let alone inside ColdFusion...
>
> Something like use of ACLs to block the access to the web pages
> to everyone except nobody (and root or whatever login id the
> backups and restores look like) might be the best shot at locking
> things down. It's just a real pain to deal with file by file
> ACLs...
>
> --
> Larry W. Virden <URL: mailto:[EMAIL PROTECTED]>
> <URL: http://www.purl.org/net/lvirden/>
> Even if explicitly stated to the contrary, nothing in this posting
> should be construed as representing my employer's opinions.
--
Steve Nelson
http://www.SecretAgents.com
Tools for Fusebox Developers
------------------------------------------------------------------------------------------------
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists or send a message
with 'unsubscribe' in the body to [EMAIL PROTECTED]
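The split-key arrangement Steve describes (one half in the code, the other in the database), shown as an added Python illustration that is not part of this thread and not ColdFusion code. The key is rebuilt in memory from two shares at request time, so reading the source alone, or dumping the database alone, yields nothing about it; the share values and function names are hypothetical.

```python
import os
from typing import Tuple

KEY_LEN = 32  # bytes; a 256-bit data-protection key


def split_key(key: bytes) -> Tuple[bytes, bytes]:
    """Split `key` into two equal-length shares (2-of-2 additive sharing).

    code_share is fresh random bytes (this is the half pasted into the
    application source); db_share = key XOR code_share (the half stored
    in the database). With a uniformly random code_share, each share on
    its own is statistically independent of the key, so an attacker who
    obtains only one of them learns nothing about the key.
    """
    if len(key) != KEY_LEN:
        raise ValueError(f"key must be {KEY_LEN} bytes")
    code_share = os.urandom(KEY_LEN)
    db_share = bytes(k ^ c for k, c in zip(key, code_share))
    return code_share, db_share


def combine_shares(code_share: bytes, db_share: bytes) -> bytes:
    """Rebuild the key in memory. Use it, then let it go out of scope;
    never write the recombined value to disk, logs or the database."""
    if len(code_share) != KEY_LEN or len(db_share) != KEY_LEN:
        raise ValueError("malformed share")
    return bytes(c ^ d for c, d in zip(code_share, db_share))


def setup_demo() -> Tuple[bytes, bytes, bytes]:
    """One-time setup: generate the key and split it. Returns (key, share
    for the code, share for the database); the key itself is discarded
    after this step in a real deployment."""
    key = os.urandom(KEY_LEN)
    code_share, db_share = split_key(key)
    return key, code_share, db_share


if __name__ == "__main__":
    key, code_share, db_share = setup_demo()
    # At request time the application holds code_share as a constant and
    # selects db_share from a table readable only by the application login.
    rebuilt = combine_shares(code_share, db_share)
    print("recombined key matches:", rebuilt == key)
    print("code share alone equals key:", code_share == key)
```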