> On a SQL database can't you specify that the user connected to
> the database cannot use the DROP command? Wouldn't this be the
> first line of defense?
Yes. You can specify in the datasource settings, in CF Administrator, that
only SQL-DML commands (SELECT, INSERT, UPDATE, DELETE) and/or stored
procedure calls are allowed. By itself, this isn't really enough, since you
can specify raw connect strings in CF 5, among other reasons.
In addition, when configuring your database, you can use rights within the
database. You can create a user with only the necessary rights to modify
data as desired, and use that username and password in your ODBC DSN.
Finally, you can use stored procedures and bind parameters to limit what
gets sent to the database.
You should be doing all of these things to secure database access whenever
possible. This is independent of input filtering. Unfortunately, these
things often get neglected.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at
http://www.fusionauthority.com/bkinfo.cfm
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
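The database-side controls the reply describes (a least-privilege account with only DML rights, a stored procedure that the account may execute, and parameterized statements), written out as an added example in Transact-SQL for SQL Server. This is not code from the original post; the login, user, table, procedure and password names are assumptions chosen for illustration.

```sql
-- Added example (not from the original post). Assumes SQL Server 2005 or
-- later and a database containing a table dbo.Orders; all names are made up.

-- 1. A dedicated account for the application. It is granted only the DML
--    it needs on the tables it touches; no CREATE, ALTER or DROP rights.
CREATE LOGIN cf_app_login WITH PASSWORD = 'Use-a-long-random-password-here';
GO
CREATE USER cf_app_user FOR LOGIN cf_app_login;
GO
GRANT SELECT, INSERT, UPDATE, DELETE ON dbo.Orders TO cf_app_user;
GO

-- 2. A stored procedure that encapsulates the one query the page needs.
--    The parameter is typed, so a value such as "1; DROP TABLE dbo.Orders"
--    cannot be supplied as an INT and cannot alter the statement.
CREATE PROCEDURE dbo.GetOrdersByCustomer
    @CustomerID INT
AS
BEGIN
    SET NOCOUNT ON;
    SELECT OrderID, OrderDate, Total
    FROM dbo.Orders
    WHERE CustomerID = @CustomerID;
END;
GO
GRANT EXECUTE ON dbo.GetOrdersByCustomer TO cf_app_user;
GO

-- 3. Check the restriction instead of assuming it: impersonate the
--    application user and try the DDL the question asks about.
EXECUTE AS USER = 'cf_app_user';
GO
EXEC dbo.GetOrdersByCustomer @CustomerID = 42;   -- permitted (EXECUTE granted)
GO
DROP TABLE dbo.Orders;                           -- fails: permission denied
GO
REVERT;
GO

-- 4. For ad-hoc SQL that cannot be moved into a procedure, bind the value
--    as a parameter rather than concatenating it into the statement text.
DECLARE @sql NVARCHAR(200) =
    N'SELECT OrderID FROM dbo.Orders WHERE CustomerID = @cid';
EXEC sp_executesql @sql, N'@cid INT', @cid = 42;
GO
```

Use the cf_app_login credentials in the datasource, not an administrative login; the DROP in step 3 is what should fail once the grants are correct. In ColdFusion the same binding as step 4 is done with cfqueryparam, which also enforces the declared type before the value reaches the driver.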