Morning Dave,

Thanks for that, mate. I know there are bigger security fish to fry when
working on the same box, but unfortunately this setup works better for my
budget at the moment; give it 6 months and I'll have grown out of it.

I've just created a user in the database with reader/writer permissions, and
the datasource seems to test fine in the admin panel. However, it doesn't
seem to work with my stored procs: I get a permissions error thrown by CF
when running my code. Are there any additional rights I need to grant that
user?

Thanks,

Rob

-----Original Message-----
From: Dave Watts [mailto:[EMAIL PROTECTED] 
Sent: 14 June 2007 12:15
To: CF-Talk
Subject: RE: Securing Datasources

> I'm looking to get some advice on securing my datasource as 
> much as possible.
> 
> I'm looking for some advice on the data source. I'm changing 
> the allowed functions of the datasource to SELECT, UPDATE and 
> INSERT only to stop things being dropped. However, how do I 
> have it so the username and password must be supplied in my 
> cfquery or stored proc tags? I can't see a checkbox anywhere; 
> do I simply leave the username and password fields blank in 
> my administrator panel?

Instead of changing the allowed functions of the datasource, create database
logins with the appropriate rights and use those from within your
application. In SQL Server, for example, you would assign the db_datareader
and db_datawriter roles to the login that can change data, and just
db_datareader to the login that can only view data.

You can just omit the username and password from the CF Administrator, and
supply those values with your CFQUERY tags, but I don't think that makes
things any more secure. The CF Administrator does encrypt the password, at
least.

> I'm not sure if this makes any difference, but the SQL Server 
> and the CF are running on the same box, and it's SQL Server 
> 2005 Standard and ColdFusion MX7 Standard.

Then you have more pressing security concerns; if the database server is on
the same machine as the application server, it can't be effectively
protected.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
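The SQL Server side of Dave's advice, written out as an added T-SQL example that is not part of this thread: two logins carrying the fixed roles he names, plus the EXECUTE grant those roles do not include, which a stored procedure call needs on top of db_datareader/db_datawriter. The database name MyAppDb, the table dbo.Orders, the procedure dbo.usp_GetOrder, the login names and the passwords are all assumed placeholders.

```sql
-- Added example, not code from the thread. Assumed names: MyAppDb,
-- dbo.Orders, dbo.usp_GetOrder, logins cf_app_rw / cf_app_ro.
-- Replace the placeholder passwords before running.
USE [master];
GO
-- One login that may change data, one that may only read it.
CREATE LOGIN [cf_app_rw] WITH PASSWORD = '<placeholder-strong-password-1>';
CREATE LOGIN [cf_app_ro] WITH PASSWORD = '<placeholder-strong-password-2>';
GO
USE [MyAppDb];
GO
-- Sample table and procedure so the grants below have something to apply to.
CREATE TABLE dbo.Orders (OrderId int PRIMARY KEY, Total money);
GO
CREATE PROCEDURE dbo.usp_GetOrder @OrderId int AS
    SELECT OrderId, Total FROM dbo.Orders WHERE OrderId = @OrderId;
GO
-- Map each login to a database user.
CREATE USER [cf_app_rw] FOR LOGIN [cf_app_rw];
CREATE USER [cf_app_ro] FOR LOGIN [cf_app_ro];
GO
-- The fixed roles Dave describes (sp_addrolemember is the SQL Server 2005 form).
EXEC sp_addrolemember 'db_datareader', 'cf_app_rw';
EXEC sp_addrolemember 'db_datawriter', 'cf_app_rw';
EXEC sp_addrolemember 'db_datareader', 'cf_app_ro';
GO
-- db_datareader/db_datawriter cover SELECT/INSERT/UPDATE/DELETE on tables and
-- views only; neither grants EXECUTE, so stored procedures need it explicitly.
-- Per-procedure grants are tightest; a schema-wide grant is the convenient form.
GRANT EXECUTE ON OBJECT::dbo.usp_GetOrder TO [cf_app_ro];
GRANT EXECUTE ON SCHEMA::dbo TO [cf_app_rw];
GO
-- Neither user is in db_owner or db_ddladmin, so DROP TABLE and other DDL are
-- refused by the database itself, whatever the CF Administrator's "allowed SQL"
-- checkboxes say. Check the read-only user's effective rights:
EXECUTE AS USER = 'cf_app_ro';
SELECT HAS_PERMS_BY_NAME('dbo.usp_GetOrder', 'OBJECT', 'EXECUTE') AS can_exec_proc,
       HAS_PERMS_BY_NAME('dbo.Orders', 'OBJECT', 'UPDATE') AS can_update_table;
REVERT;
GO
```

Point the CF Administrator datasource that runs the stored procs at cf_app_rw (or cf_app_ro for a read-only datasource) rather than at a login with db_owner.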


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:281113