You may already have covered this, but to avoid people sending bad SQL (like
a drop table statement) to your db, make sure that all numeric fields being
passed to the database are surrounded by the Val function:
Don't do:
SELECT * FROM MyTable WHERE MyId = #form.MyId#
Do:
SELECT * FROM MyTable WHERE MyId = #Val(form.MyId)#
Bob
-----Original Message-----
From: Robert Everland [mailto:[EMAIL PROTECTED]]
Sent: April 9, 2001 4:14 PM
To: CF-Talk
Subject: Little OT: Security on NT, IIS, and CF
Ok, we are about to go live here soon and I am looking at security to
really lock down the servers. Now I know people can append things to the URL;
I check for that. Or add things to a form; I check for that also. The only thing
I need to know is if there is still a security lax with MDAC where someone
could send a query to a URL and drop a table. Can that still be done? I am
slowly going through Microsoft's checklist for everything. Is there an
Allaire, err, Macromedia checklist? Also, does anyone have any recommendations for a
security scanner so I can double-check everything after I am done?
Robert Everland III
Web Developer
Dixon Ticonderoga
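Bob's Val() advice above, worked through as an added example (not code from the original thread): a Python emulation of ColdFusion's Val() (assumed here to return the leading numeric prefix of a string, or 0 when there is none) is applied to the same "Don't do / Do" query against a constructed in-memory SQLite table standing in for MyTable. The "MyId = 1 OR 1=1" tautology and the "1; DROP TABLE MyTable" stacked statement that Robert asks about are both constructed payloads; executescript() is used to mimic a driver that accepts batched SQL. A parameterized query is shown alongside as the general fix for non-numeric fields, which Val() does not cover.

```python
import re
import sqlite3

# Constructed stand-in for "MyTable" from the post (sample data, not real).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE MyTable (MyId INTEGER PRIMARY KEY, Name TEXT);
        INSERT INTO MyTable VALUES (1, 'alpha'), (2, 'beta'), (3, 'gamma');
    """)
    return conn

# Assumption: ColdFusion Val() keeps only the leading numeric prefix of its
# argument and yields 0 for anything that does not start with a number.
_LEADING_NUMBER = re.compile(r"^\s*[+-]?\d+(\.\d+)?")

def cf_val(value):
    m = _LEADING_NUMBER.match(str(value))
    if not m:
        return 0
    text = m.group(0).strip()
    return float(text) if "." in text else int(text)

def rows_for_id_unsafe(conn, my_id):
    # The "Don't do" form: the request value is pasted straight into the SQL.
    sql = f"SELECT MyId, Name FROM MyTable WHERE MyId = {my_id}"
    return conn.execute(sql).fetchall()

def rows_for_id_param(conn, my_id):
    # General fix: the value travels as a bound parameter, never as SQL text
    # (the ColdFusion equivalent is cfqueryparam).
    sql = "SELECT MyId, Name FROM MyTable WHERE MyId = ?"
    return conn.execute(sql, (my_id,)).fetchall()

def run_batch_unsafe(conn, my_id):
    # Same string building, but through executescript(), which accepts several
    # ';'-separated statements the way a batch-capable driver would.
    conn.executescript(f"SELECT MyId, Name FROM MyTable WHERE MyId = {my_id}")

def table_exists(conn):
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='MyTable'"
    ).fetchone()
    return row[0] == 1

def demo():
    results = {}
    conn = make_db()
    # Constructed payload: turns "WHERE MyId = 1" into a tautology.
    tautology = "1 OR 1=1"
    results["unsafe_tautology"] = len(rows_for_id_unsafe(conn, tautology))      # 3 rows
    results["val_tautology"] = len(rows_for_id_unsafe(conn, cf_val(tautology)))  # 1 row
    results["param_tautology"] = len(rows_for_id_param(conn, tautology))        # 0 rows

    # Constructed payload: stacked statement dropping the table.
    stacked = "1; DROP TABLE MyTable"
    run_batch_unsafe(conn, stacked)
    results["table_after_unsafe_batch"] = table_exists(conn)   # False
    conn = make_db()
    run_batch_unsafe(conn, cf_val(stacked))
    results["table_after_val_batch"] = table_exists(conn)      # True
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Val() works here because it coerces the value to a number before it reaches the SQL string, so neither the tautology nor the stacked statement survives; the same trick does nothing for string columns (a name or search field), where only escaping or, better, parameter binding keeps user input out of the query text. Note that the unsafe tautology returns every row even when the driver refuses multi-statement batches, so checking that MDAC rejects stacked queries is not enough on its own.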
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at
http://www.fusionauthority.com/bkinfo.cfm
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists