Code smart.


Don't allow input from a form field to ever go directly into a query: Treat
all data received from a user as tainted.

Don't rely on JS or HTML, there's nothing to stop someone doing a direct
post to your script.

Get rid of detailed error messages, use error templates and try/catch to
make them "user friendly" (and disable in admin).

Give CF only the permissions it needs, don't run as a dbms su when
select/insert/update permissions are all that's needed for the main site.

Use stored procedures, not only do you get the benefit of added speed and
lower connection overhead (though portability can be affected) you can more
readily control exactly what is being accessed.


There are tons of other suggestions, such as always staying on top of
security updates (unlike 60%+ of sysadmins out there who don't patch known
issues even years after they've been discovered and documented). It doesn't
take much extra coding, and it quickly becomes second nature. Your
applications will be more stable, secure, and happier for it.
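The points above (tainted input, no reliance on client-side checks, generic error templates, least-privilege DB accounts, stored procedures) in one ColdFusion snippet. This is an added example, not code from anyone on the thread; the datasource "siteDSN", the "products" table, the "sp_get_product" procedure and the error template paths are made-up placeholders.

```cfml
<!--- Added example, not from the thread. Datasource, table, procedure and
      template names below are placeholders. --->

<!--- BEFORE: the URL value is dropped straight into the SQL string, so
      whatever the client sends becomes part of the statement. --->
<cfquery name="getProduct" datasource="siteDSN">
    SELECT name, price FROM products WHERE id = #url.id#
</cfquery>

<!--- AFTER: treat url.id as tainted. Validate it on the server (JS or a
      hidden field can be bypassed with a direct request), bind it as a
      typed parameter, and never let a raw database error reach the user. --->
<cfif NOT isDefined("url.id") OR NOT isNumeric(url.id)>
    <cfinclude template="errors/bad_request.cfm"><!--- plain, generic page --->
    <cfabort>
</cfif>

<cftry>
    <cfquery name="getProduct" datasource="siteDSN">
        SELECT name, price
        FROM products
        WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
    </cfquery>

    <cfcatch type="database">
        <!--- keep the detail for the admin in a log file; the visitor
              sees only the generic template --->
        <cflog file="siteErrors" type="error"
               text="getProduct failed: #cfcatch.message# #cfcatch.detail#">
        <cfinclude template="errors/generic.cfm">
        <cfabort>
    </cfcatch>
</cftry>

<!--- Same lookup through a stored procedure. The account behind the
      datasource can then be granted EXECUTE on this procedure only,
      instead of SELECT/INSERT/UPDATE on the underlying tables. --->
<cfstoredproc procedure="sp_get_product" datasource="siteDSN">
    <cfprocparam type="in" cfsqltype="cf_sql_integer" value="#url.id#">
    <cfprocresult name="getProduct">
</cfstoredproc>

<cfoutput query="getProduct">#name#: #price#</cfoutput>
```

The cfqueryparam tag is what keeps the value out of the SQL text; the isNumeric check on its own is a sanity check, not the defence. Pairing the stored procedure with a DB login that holds only EXECUTE rights is the "don't run as a dbms su" point from the message above put into practice.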

-----Original Message-----
From: Peter Tilbrook [mailto:[EMAIL PROTECTED]]
Sent: May 22, 2001 18:57
To: CF-Talk
Subject: RE: Compromising Security


The first thing you should do is store your databases in a folder that is
not accessible from the Internet (out of your web root). For example:

Your websites could be in c:\inetpub\wwwroot\mywebsite\

But you should store the databases somewhere else, eg:

c:\datasources\

Secure this directory and update CF Administrator to look here for
datasources instead. Don't think your databases have to be physically within
your web site for CF to access them.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Pooh Bear
Sent: Wednesday, 23 May, 2001 2:28 AM
To: CF-Talk
Subject: Compromising Security


hey, I was wondering what is the least amount of information someone needs
to compromise my database or code?  I am.....err..."hacking?" my
site/database through the URL.  So far, I've got 2 table names, the
datasource, and some field names.  I don't want to have to do a lot of coding
to prevent this from being seen by someone else, but I will if I have to, but
first I want to know if anyone could do anything with this much information.
  Thanx! :)
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/