> hey guys, i just thought about this, and it's making me
> feel uneasy about using shared SQL server.

You should feel that way about using a "shared" anything. I agree 100% with Matt on this. Hey, wait, what's that two-headed goat doing here?

> ok, i did a test hack on a live server.

You'll want to be careful about doing that; one man's test is another man's harmful intrusion.

> As you know in SQL Enterprise, you're able to see the
> database names of other people sharing the SQL server.
> and by looking at the names you can probably guess what
> they named their DSN. I got lucky, and nabbed one. I
> pulled out the table names from sysobjects. Then pulled
> out the field names from a "very desirable" table using
> columnlist, then was able to pull out data! I was appalled!
> Because my DSNs are named after my site and anyone could
> have just done what I've done, but with a different intent.

Well, those issues can be partially addressed by using some of the security features in your database server. Individual user accounts should be created for individual CF applications, at least, and those users should be limited in what they're allowed to touch. Tony Petruzzi just listed the basic steps for this in SQL Server, so I won't bother pursuing it further.

Of course, if the usernames and passwords for each SQL user are stored on the application server, that too will have to be secured appropriately, to keep legitimate users from being able to access the ones of other legitimate users. That can be very difficult in practice, to the point of being nearly impossible. Good luck with that, though. Again, at this point, refer to Matt's response.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
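An added example, not part of the original message and not the steps Tony Petruzzi posted: one way to set up the per-application, limited account described above. It assumes SQL Server 2005 or later syntax, and the login, database and table names (`shop_app`, `ShopDB`, `dbo.Products`, `dbo.Orders`, `dbo.Customers`) are constructed for illustration.

```sql
-- Constructed names throughout; replace the password placeholder before use.
USE master;

-- One SQL login per hosted application, never a shared or sa-level account.
CREATE LOGIN shop_app
    WITH PASSWORD = '<placeholder-strong-password>',
         CHECK_POLICY = ON,
         DEFAULT_DATABASE = ShopDB;

-- Keep this login from listing the other tenants' database names.
DENY VIEW ANY DATABASE TO shop_app;

USE ShopDB;

-- Map the login into its own database only; it gets no fixed roles
-- such as db_owner or db_datareader.
CREATE USER shop_app FOR LOGIN shop_app WITH DEFAULT_SCHEMA = dbo;

-- Grant only what the application's queries need, object by object.
GRANT SELECT         ON dbo.Products TO shop_app;
GRANT SELECT, INSERT ON dbo.Orders   TO shop_app;

-- Verify from the account's point of view before handing out the DSN.
EXECUTE AS USER = 'shop_app';

    -- Metadata visibility: only objects the user holds a permission on
    -- are returned, so this should list Products and Orders only.
    SELECT name FROM sys.objects WHERE type = 'U';

    -- Expect 1 for a granted table and 0 for one that was never granted.
    SELECT HAS_PERMS_BY_NAME('dbo.Products',  'OBJECT', 'SELECT') AS can_read_products,
           HAS_PERMS_BY_NAME('dbo.Customers', 'OBJECT', 'SELECT') AS can_read_customers;

REVERT;
```

This limits what a guessed DSN can reach inside the database; it does nothing about another tenant's templates on the same application server using that DSN, which is the storage problem raised in the message above.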

