Jamie,

The underlying issue with most security recommendations is that of
stopping an external, unauthorised user (read 'hacker') gaining
unrestricted access to your server.

At that point, they'll be able to browse your file system, check your
DSN, access your databases etc.

So, in the example you cite, the 'hacker' is attempting to do one of two
things (typically):
i) Get a record inserted into your database that bypasses the normal
checks and balances (like a 'confirmed' order); or
ii) Cause a buffer overflow (by passing through very large form values)
that allows them to then execute the code of their choice. This may be
to perform and return a 'select * from orders' say, to find out who
bought what on your site.

There are a whole variety of other security protocols that you should
put in place - to protect yourself, your company and your customers -
and I'd recommend reading an introduction to computer security to
provide a general overview of security attacks, like eavesdropping,
replay attacks, unauthorised access, tampering, denial of service etc
etc. This will help you to understand why you need to do the things that
security articles recommend.

I hope that helps

Steve 

-----------------------------------
Steve Baty - senior analyst
p: 612 8596 4030
m: 0417 061 292
f: 612 8596 4001
e: steve @redsquare.com
 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jamie Lawrence Jenner
Sent: Wednesday, 21 April 2004 10:47 PM
To: CFAussie Mailing List
Subject: [cfaussie] website security

hello,

I have been pondering over this for a while, and I can't seem to find any
answers to my questions.

Website security. I see written everywhere, do this to increase security,
do that to increase security, but what I want to know is what a hacker
can do to a website. Like how can they retrieve DSN info, or access your db,
or download your cfcs, so I can be aware of exactly what they can do. I
cannot find anything detailing exactly what you are to prevent happening.
Do you follow?

for example, a form which sends mail. 

For security: The receiving template would check that the referrer was
your form on your site and that the vars it can accept are form.field and
form.field2 etc.

To prevent: This is to prevent somebody using the template from a remote
computer/site.

Like info which is stored in a db, is it really safe? I know there are
security things to put in place, but what do they prevent?

Hope I make sense.

from a confused Jamie!

---
You are currently subscribed to cfaussie as: [EMAIL PROTECTED]
To unsubscribe send a blank email to
[EMAIL PROTECTED]

MXDU2004 + Macromedia DevCon AsiaPac + Sydney, Australia
http://www.mxdu.com/ + 24-25 February, 2004
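As an added example, not code from either message in this thread: a ColdFusion receiving template of the kind Jamie describes, carrying the checks Steve's two points call for. It checks the referrer, accepts only the named form fields (so a smuggled field such as a 'confirmed' flag never reaches the insert), caps field length server-side so oversized values are rejected before they go anywhere, and binds values with cfqueryparam rather than building the SQL by string concatenation. The field names field and field2, the site URL http://www.example.com/, the datasource name myDSN and the orders table are all placeholders assumed for the example.

```cfml
<!--- Added example, not from the thread. Placeholders: field names, site URL, datasource, table. --->
<cfset allowedFields = "field,field2">
<cfset maxLength = 200>
<cfset siteUrl = "http://www.example.com/">

<!--- Referrer check as described in the thread. CGI.HTTP_REFERER is sent by the
      client and can be blank or forged, so treat it as a weak hint and keep the
      field and length checks below as the real controls. --->
<cfif NOT FindNoCase(siteUrl, CGI.HTTP_REFERER)>
  <cfabort showerror="Request did not come from the site form.">
</cfif>

<!--- Reject any submitted field that is not on the allow-list. FIELDNAMES is the
      key ColdFusion itself adds to the FORM scope, so it is skipped. --->
<cfloop list="#StructKeyList(FORM)#" index="key">
  <cfif key NEQ "FIELDNAMES" AND NOT ListFindNoCase(allowedFields, key)>
    <cfabort showerror="Unexpected form field: #HTMLEditFormat(key)#">
  </cfif>
</cfloop>

<!--- Require every expected field and cap its length on the server, regardless
      of any maxlength set on the HTML form. --->
<cfloop list="#allowedFields#" index="key">
  <cfif NOT StructKeyExists(FORM, key) OR Len(FORM[key]) GT maxLength>
    <cfabort showerror="Missing or over-long field: #HTMLEditFormat(key)#">
  </cfif>
</cfloop>

<!--- Insert with bound parameters; the 'confirmed' value is fixed by the code and
      never taken from the request, so it cannot be set by a crafted post. --->
<cfquery datasource="myDSN">
  INSERT INTO orders (field, field2, confirmed)
  VALUES (
    <cfqueryparam value="#FORM.field#" cfsqltype="cf_sql_varchar" maxlength="#maxLength#">,
    <cfqueryparam value="#FORM.field2#" cfsqltype="cf_sql_varchar" maxlength="#maxLength#">,
    <cfqueryparam value="0" cfsqltype="cf_sql_bit">
  )
</cfquery>
```

The same allow-list and length checks apply unchanged if the template sends mail instead of inserting a row; the point is that the server decides which fields exist and how long they may be, rather than trusting whatever the browser posted.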

