If on a shared server, and the server is not set up to use sandboxes to keep
different users from using each other's datasources, then putting the
userid/pwd in your .cfm files will better protect you from other users of
the server (assuming CFFILE is turned off).  If sandboxes are in place, I
think CF Admin would be safer.

To protect yourself from general outsiders I think CF Admin is better; there
are more bugs that reveal .cfm source code than bugs that allow outsiders to
put files on the server.

Unsafe inputs (a user appending a malicious query to a URL) will work (or
not work) irrespective of where the userid/password is kept.

If you do choose to put the userids/passwords in your templates, you might
consider moving all CFQUERYs into include files and storing the include
files somewhere that's not web-accessible to reduce the outsider risk.
Assuming the server admin can give you such a place.


Spoken as someone who has never used a shared server and therefore probably
isn't qualified...


-----Original Message-----
From: Bud [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 06, 2001 9:27 AM
To: CF-Talk
Subject: Which SQL ODBC Login method?


Hi all. What do you all recommend?

1. Adding the SQL Login to the CF Administrator ODBC Setup?
  or
2. Leaving it blank and hard coding it into cfquery?

Seems as though hard coding it would be safer since no one else on 
the server would be able to query it without the username and 
password. Of course then if someone hacks into your ftp directory 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at 
http://www.fusionauthority.com/bkinfo.cfm

Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists

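The three choices discussed in the thread, side by side, as an added CFML example (this is not code from either poster): credentials held in a CF Administrator datasource versus on the CFQUERY tag, the query moved into an include that lives outside the web root, and the point that unsafe input is a separate problem from where the password sits. The datasource name `appdb`, the login `app_user`/`s3cret`, the table `users`, and the ColdFusion mapping `/secureinc` are all assumed names for illustration.

```cfml
<!--- Option 1: username/password stored on the datasource in CF Administrator.
      Nothing secret is in this file, so a source-disclosure bug leaks no login. --->
<cfquery name="getUser" datasource="appdb">
    SELECT user_id, user_name
    FROM   users
    WHERE  user_id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Option 2: DSN left without a login, credentials hard-coded on the tag.
      Other users of a shared server cannot use the DSN without them, but
      anyone who can read this .cfm (or FTP it down) now has the password. --->
<cfquery name="getUser" datasource="appdb" username="app_user" password="s3cret">
    SELECT user_id, user_name
    FROM   users
    WHERE  user_id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Option 2 with the query pulled out of the web-accessible tree.
      /secureinc is assumed to be a CF Administrator mapping that points at a
      directory the web server does not serve, e.g. D:\cfsecure\. The template
      /secureinc/queries/getuser.cfm would contain the cfquery tag above
      (with its username/password) and nothing else; a browser request for
      it gets a 404 because the web server never sees that directory. --->
<cfinclude template="/secureinc/queries/getuser.cfm">

<!--- Unsafe input is independent of credential placement. This version is
      injectable no matter where the password lives: a request such as
      getuser.cfm?id=1;DROP%20TABLE%20users sends the extra statement to the
      database with whatever rights app_user has. --->
<cfquery name="getUserUnsafe" datasource="appdb">
    SELECT user_id, user_name
    FROM   users
    WHERE  user_id = #url.id#
</cfquery>

<!--- The fix is also independent of credential placement: bind the value
      with cfqueryparam so it is sent as a typed parameter, not pasted into
      the SQL text. Non-numeric input is rejected before the query runs. --->
<cfquery name="getUserSafe" datasource="appdb">
    SELECT user_id, user_name
    FROM   users
    WHERE  user_id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<cfoutput query="getUserSafe">#user_id#: #user_name#<br></cfoutput>
```

Whichever option is chosen, `app_user` should be a database login with only the rights the application needs; that limits what both a leaked password and a successful injection can do.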