The biggest error that I see that allows for people to view your code on a production
server is people using IIS without upgrading for the latest security patches! You
would be surprised at the number of asp and cf sites you can just waltz through by
doing things like adding a few symbols to the end of the url! If you are trying to
protect anything make sure and take a good look at your server!
Not too sure about lesswhitespace (never used it), but another major disadvantage of
stripwhitespace is the processing time that it adds to the pages. It can be a very
processor intensive tag.
I tend to use the application.cfm tag to do two things ... the security check (make
sure that everything is called through index.cfm) and then setting the <cfsetting
enablecfoutputonly="yes"> directive. Because it is in the application file its
behavior gets inherited all the way down the app and only outputs whitespace that you
put between cfoutput tags.
Then in each dsp_ file I set the directive to no at the top and yes at the bottom
(stops me from encapsulating the entire display block in cfoutput). This (along with
a few other tricks) makes the final pages look like they were coded in strict html
when you view the source code without adding the extra processing of an additional tag.
Goes back to the old adage ... nothing beats proper coding to begin with.
>-----Original Message-----
>From: Bert Dawson [mailto:[EMAIL PROTECTED]]
>Sent: Thursday, December 21, 2000 5:13 AM
>To: Fusebox
>Subject: RE: source code protection....
>
>
>....
> I strip out all excess
>whitespace in .cfm files, using cffile and <cf_lesswhitespace justify=yes>
>I tried using <cf_stripwhitespace, to turn the file into a one liner, but,
>predictably, it messed up the javascript - it wouldn't be too hard to write
>a tag which left <script> tags alone....
>
>Using confusing variable names would add another level of pain for anyone
>trying to nick your code, but not very maintainable...
>
>
>
>
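The Application.cfm approach described in the reply above, sketched as an added example that is not code from either poster. The fuse name dsp_example.cfm, the variable names and the choice of a 404 response are assumptions made for illustration.

```cfml
<!--- ===== Application.cfm: runs before every .cfm request in this directory tree ===== --->

<!--- Suppress all output that is not inside <cfoutput>.
      The setting behaves as a counter: each "yes" adds one, each "no" removes one,
      and plain HTML is only sent while the counter is at zero. --->
<cfsetting enablecfoutputonly="yes">

<!--- Security check: only index.cfm may be requested directly.
      Fuses pulled in with <cfinclude> do not change CGI.SCRIPT_NAME,
      so a browser request aimed straight at a dsp_/act_/qry_ file is refused here. --->
<cfset requestedFile = ListLast(CGI.SCRIPT_NAME, "/\")>
<cfif CompareNoCase(requestedFile, "index.cfm") neq 0>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>


<!--- ===== dsp_example.cfm (hypothetical fuse, included from index.cfm) ===== --->

<!--- Balance the "yes" from Application.cfm so plain HTML below is sent as written. --->
<cfsetting enablecfoutputonly="no">
<cfparam name="userName" default="guest">
<html>
<body>
<h1>Orders</h1>
<p>Static markup needs no cfoutput wrapper.</p>
<cfoutput><p>Signed in as #HTMLEditFormat(userName)#</p></cfoutput>
</body>
</html>
<!--- Restore suppression so code after this include emits no stray whitespace. --->
<cfsetting enablecfoutputonly="yes">
```

The "no" and "yes" in each display file must stay paired; an unmatched "yes" leaves the counter above zero and later plain HTML silently disappears.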