I guess the issue was to protect data from modification by an unauthorized
person. If you don't care about this, you shouldn't care about a stolen
username/password at all.

A username/password in cfm can give you access to a stored procedure but not to
tables. The stored procedure itself can have rights to access tables through
SQL requests and views. It is a common way to restrict user access to
particular data in your application. You also hide the names of tables and
fields from the user. This means that even if your site is broken into, a
hacker has a very small amount of information for analysis.

If you want to hide the username/password, hardcode them in a custom tag and
call this tag with a parameter like the string "SELECT * FROM MyTable", but as
you see, the problem with the names of objects remains. Also, if you use some
type of coding in SQL like "WHERE id=#MyVar#", where MyVar came from the URL
string or from a form, your data can be modified. This was also explained in
some security bulletin on Allaire.

Regards

> err... does this really address the issue?
> Are you saying I can reference a stored procedure in a secure (SQL Server)
> database without a valid username and password to log into the database?
>
>
> Gena wrote:
>
> > From: "Jeffry Houser" <[EMAIL PROTECTED]>
> > >   With all this talk of the '+.htr' bug...
> > >
> > >    What are alternatives to hard-coding in the username and password
> > > in a query?
> >
> > Use stored procedures. It is a 99% guarantee of the safety of your data.
> >
> > Regards
> >
> >
>
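
The "WHERE id=#MyVar#" risk mentioned in the reply above, as an added example that is not part of the original thread. It uses Python with an in-memory SQLite table instead of ColdFusion and SQL Server so that it runs stand-alone; the table contents, function names and the sample request value are constructed for illustration.

```python
import sqlite3


def make_db():
    """Build an in-memory MyTable with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE MyTable (id INTEGER PRIMARY KEY, owner TEXT)")
    db.executemany(
        "INSERT INTO MyTable VALUES (?, ?)",
        [(1, "alice"), (2, "bob"), (3, "carol")],
    )
    return db


def lookup_interpolated(db, my_var):
    """Equivalent of WHERE id=#MyVar#: the request value becomes SQL text."""
    sql = "SELECT id, owner FROM MyTable WHERE id=" + my_var
    return db.execute(sql).fetchall()


def lookup_bound(db, my_var):
    """Check that the value is an integer, then pass it as a bound parameter."""
    try:
        row_id = int(my_var)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer") from None
    sql = "SELECT id, owner FROM MyTable WHERE id=?"
    return db.execute(sql, (row_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    crafted = "2 OR 1=1"  # constructed value standing in for a URL/form field
    print("interpolated, normal :", lookup_interpolated(db, "2"))
    print("interpolated, crafted:", lookup_interpolated(db, crafted))
    print("bound, normal        :", lookup_bound(db, "2"))
    try:
        lookup_bound(db, crafted)
    except ValueError as exc:
        print("bound, crafted       : rejected,", exc)
```

With the interpolated query the crafted value changes the WHERE clause and every row comes back; with the bound query the value never reaches the SQL parser as text and is rejected at the type check.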