This prevents you from using CFTransactions, since CFTransaction runs based
on the credentials stored in the CFAdmin.  It doesn't always tell you it's
failing though!

Roland

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Joseph Flanigan
Sent: Sunday, June 12, 2005 4:42 AM
To: [email protected]
Subject: [CFCDev] Application Data Source Names

There is a security problem / use problem with CF's Data Source Name.

When a DSN is put into the administrator with account and password, the DSN 
becomes available to all applications on the server. In a shared hosting 
environment, DSNs are very easy to discover. This means untrusted users can 
compromise any shared user.

The current security strategy is to not use accounts and passwords in the 
admin but to put in the application with every cfquery. This strategy causes 
other programming and connection problems.

I would like to see another level of DSN support at application scope.

Still use the strategy of no accounts and passwords in the administrator at 
server scope, but put a new DSN that runs at the application scope which 
has the account and password.  Or leave the account and password in the 
server scope but with a constraint bound to application scope.

Joseph

-----------------------------------------------------------------------
http://www.switch-box.org/CFSQLTool/Download/

Switch_box                      MediaFirm, Inc.
www.Switch-box.org              Loveland, CO  USA
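As an added illustration of the strategy Joseph describes (example code, not from either posting): the DSN is registered in the ColdFusion Administrator with no stored account, and the application loads its own credentials at startup and passes them on every cfquery. The DSN name "appdb", the properties file path and the key names are assumptions.

```cfml
<!--- Application.cfc (constructed example). The DSN "appdb" is assumed to
      exist in the Administrator WITHOUT an account/password, so another site
      on the shared host that discovers the DSN name still cannot authenticate. --->
<cfcomponent output="false">
    <cfset this.name = "shopApp">

    <cffunction name="onApplicationStart" returntype="boolean" output="false">
        <!--- Assumed path: a key=value file outside the web root, readable only
              by this site's OS account (constructed for this example). --->
        <cfset var raw = "">
        <cfset var line = "">
        <cffile action="read" file="/home/shopApp/private/db.properties" variable="raw">
        <cfset application.db = structNew()>
        <!--- Split on line breaks; CF list functions skip empty lines. --->
        <cfloop list="#raw#" index="line" delimiters="#chr(10)##chr(13)#">
            <cfif listLen(line, "=") GTE 2>
                <!--- listRest keeps any "=" characters inside the value --->
                <cfset application.db[trim(listFirst(line, "="))] = trim(listRest(line, "="))>
            </cfif>
        </cfloop>
        <cfreturn true>
    </cffunction>
</cfcomponent>

<!--- customer.cfm (constructed example): the credentials travel with each
      query instead of living in the Administrator. Roland's reply above reports
      that cftransaction uses the Administrator-stored credentials and can fail
      without saying so, so transactional code needs a separate check. --->
<cfquery name="customer" datasource="appdb"
         username="#application.db.user#" password="#application.db.password#">
    SELECT id, name
    FROM   customers
    WHERE  id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>
```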



----------------------------------------------------------
You are subscribed to cfcdev. To unsubscribe, send an email to
[email protected] with the words 'unsubscribe cfcdev' as the subject of the
email.

CFCDev is run by CFCZone (www.cfczone.org) and supported by CFXHosting
(www.cfxhosting.com).

CFCDev is supported by New Atlanta, makers of BlueDragon
http://www.newatlanta.com/products/bluedragon/index.cfm

An archive of the CFCDev list is available at
www.mail-archive.com/[email protected]