> -----Original Message-----
> From: Brandon Harper [mailto:[EMAIL PROTECTED]]
> Sent: Friday, June 07, 2002 2:38 AM
> To: CF-Talk
> Subject: RE: "Hacking" a shared SQL server
>
> I was just thinking about this issue today myself since I'm currently
> working on something that involves the privacy issues of a lot of users.
> My initial thought was to do something such as just using Encrypt() and
> Decrypt() to put all variables encoded into one long form/url string.
> Though on a page with a lot of links, that would be way too CPU
> intensive, and it's just a hack job around a good security plan (though I
> can see its usefulness as just one small part of a plan-- I tend to
> encrypt any somewhat sensitive or easily altered data in
> Client/Cookie/Session scopes, for instance).
I would concur with the idea of encrypting cookies if they contain sensitive data; however, I'd think twice about storing ANY sensitive data in cookies, but rather store a username or email address and then make the user log in to get at that sensitive data.

> > Also if
> > you're the type of person that likes to use integers for primary keys
> > instead of unique identifiers, then I can see you getting at
> > anything in the
> > database from a stored procedure.

I don't really agree with this since my contention is that if you secure your application it won't matter if someone is passing bogus data to it. I will admit that using GUIDs adds another layer of security, however minor it might be, but I think the added hassle created by it (at least the way I go about programming my apps) is not worth it. Like I said in another response to this topic, if you have certain business rules that require something more complex such as a GUID or hash, then by all means use them, but use them where they are appropriate.

--Andy
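Two points from the exchange above, worked through in code as an added example (it is not from the thread or from any CF-Talk poster, and the data, the key and the function names are constructed for illustration). First, Andy's point that a secured application does not care whether a caller passes a bogus record id: the lookup is scoped to the logged-in user, so a guessable integer key for somebody else's row returns nothing, and switching to a GUID would add nothing to that check. Second, his suggestion to keep only a username in the cookie and make the user log in for anything sensitive: the cookie carries an HMAC tag (integrity protection rather than the Encrypt()/Decrypt() the thread mentions, since a username is not secret but must not be alterable), so an edited cookie is rejected. The SQL table and the key are stand-ins, not from the thread.

```python
"""Added example: user-scoped record lookup plus a tamper-evident login cookie.
All data, names and the key below are constructed placeholders."""
import hashlib
import hmac
import sqlite3

# Placeholder only: a real deployment loads a random secret from configuration.
COOKIE_KEY = b"replace-with-a-random-32-byte-secret"


def build_db() -> sqlite3.Connection:
    """Constructed sample data: one shared 'orders' table with integer keys."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, owner TEXT, total REAL)"
    )
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1, "alice", 19.99), (2, "bob", 250.00), (3, "alice", 5.25)],
    )
    return conn


def get_order_unscoped(conn: sqlite3.Connection, order_id: int):
    """The pattern the thread worries about: the URL parameter alone picks the row,
    so any integer a caller types in selects whatever record has that id."""
    return conn.execute(
        "SELECT id, owner, total FROM orders WHERE id = ?", (order_id,)
    ).fetchone()


def get_order(conn: sqlite3.Connection, session_user: str, order_id: int):
    """Scoped by the authenticated user (taken from the session, never from the
    request): a tampered id belonging to someone else yields None."""
    return conn.execute(
        "SELECT id, owner, total FROM orders WHERE id = ? AND owner = ?",
        (order_id, session_user),
    ).fetchone()


def make_cookie(username: str) -> str:
    """Cookie holds only the username plus an HMAC-SHA256 tag over it."""
    tag = hmac.new(COOKIE_KEY, username.encode(), hashlib.sha256).hexdigest()
    return f"{username}|{tag}"


def read_cookie(cookie: str):
    """Return the username if the tag verifies, else None (cookie was altered
    or forged). compare_digest avoids a timing side channel on the tag check."""
    username, _, tag = cookie.rpartition("|")
    expected = hmac.new(COOKIE_KEY, username.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return username


if __name__ == "__main__":
    db = build_db()
    # Integer keys are trivially guessable, but the scoped query still returns
    # nothing for a row the session user does not own.
    print(get_order(db, "alice", 2))   # None
    print(get_order(db, "alice", 1))   # (1, 'alice', 19.99)
    cookie = make_cookie("alice")
    print(read_cookie(cookie))                        # alice
    print(read_cookie(cookie.replace("alice|", "bob|")))  # None
```

The design choice worth noting: the owner in `get_order` comes from server-side session state, not from a form or URL variable, which is what makes the integer id harmless. The cookie tag only proves the cookie was issued by this server; it does not hide the username, so anything actually sensitive still lives behind a login, as Andy recommends.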

