True, but if they have only gotten access to a login that can only run stored procedures and your stored procedures do the checks, you are a little bit better off.

The programmer can't assume that the DBA is doing his job with security, and the DBA can't assume that the programmer is doing his job with security. If both do their jobs then security should be pretty strong; if not, then at least you (programmer or DBA) have done everything you can to cover your own butt.

-----Original Message-----
From: Rick Root [mailto:rick.r...@gmail.com]
Sent: Thursday, September 23, 2010 10:01 AM
To: cf-talk
Subject: Re: 3 layers of validation?

On Thu, Sep 23, 2010 at 9:48 AM, DURETTE, STEVEN J (ATTASIAIT) <sd1...@att.com> wrote:
>
> Lastly, NEVER assume that your server application (CF, PHP, ASPX) is the
> only thing that will hit your database. Say someone finds your database
> and calls a procedure. You would really hate it if they passed in
> username = 'dummy';drop usertable;-- and your code didn't account for
> it. Suddenly your usertable is gone. Always check in each place.

If "someone finds your database" and "executes a stored procedure", you've got *WAY* bigger problems than application coding.

Ri

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:337375
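The two layers the reply describes, a DBA-side login that can only run stored procedures and a procedure that checks its own input, written out as an added T-SQL example (not code from the thread). The role, login, table and procedure names (AppExec, app_user, dbo.usertable, dbo.GetUserByName) and the column list are assumed.

```sql
-- DBA side: a role that can execute procedures in dbo but has no direct
-- table access. The procedure still reaches the table because it and the
-- table share an owner (ownership chaining), so DML permissions on the
-- table are not checked when it runs inside the procedure.
CREATE ROLE AppExec;
GRANT EXECUTE ON SCHEMA::dbo TO AppExec;
DENY SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo TO AppExec;
-- The application's login (assumed name) is the only member of the role.
ALTER ROLE AppExec ADD MEMBER app_user;
GO

-- Programmer side: the parameter is bound as a value, never concatenated
-- into a statement, and the procedure validates it before touching the table.
CREATE PROCEDURE dbo.GetUserByName
    @username NVARCHAR(64)
AS
BEGIN
    SET NOCOUNT ON;

    -- Allow only letters, digits, underscore and dot. The string quoted in the
    -- thread ('dummy';drop usertable;--) contains a quote and a semicolon,
    -- so it is rejected here before any query runs.
    IF @username IS NULL
       OR LEN(@username) = 0
       OR @username LIKE '%[^A-Za-z0-9_.]%'
    BEGIN
        RAISERROR('Invalid username.', 16, 1);
        RETURN 1;
    END

    -- Parameterised comparison: even if the check above were missing, a
    -- caller with only EXECUTE rights could not turn this into DROP TABLE,
    -- because @username is compared as data, not executed as SQL.
    SELECT user_id, username
    FROM dbo.usertable
    WHERE username = @username;

    RETURN 0;
END
GO
```

A caller holding only the AppExec role cannot run ad hoc DML against dbo.usertable at all; the only path to the table is through procedures that do their own checking.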