On Sun, Jun 13, 2010 at 9:00 AM, Skellington <[email protected]> wrote:
> Am I being overly paranoid, is this
> variable accessible in some way with Firebug etc?
>

I'm assuming you're setting application.settings.db.password, right? Is there a reason you're storing that value in your application scope as opposed to just using the datasource name in your application? That way the db password wouldn't have to be in your code anywhere.

I'd have to ponder this a bit but I don't see how there'd be any way to get at that value from the front end unless you're dumping it.

You may be aware of this already, but if you set the datasource via the admin console it does get encrypted. Off the top of my head I don't know what the encryption scheme is and how that all works, but would it be possible for you to set datasources via the admin API CFCs instead of modifying the XML file directly?

I suppose it might also be possible to encrypt the database password using the same mechanism the engine itself uses to encrypt database passwords and put the encrypted value in the XML, but I don't know if you'd somehow have to tell the engine the value is encrypted. I'd have to dig into that part of the OpenBD codebase to see how that works.

Another concern that comes up in this context is access to the XML config file. So it's clear, since the XML file itself is under WEB-INF it isn't web accessible, so any information in the XML file itself can't be browsed.

I'll try to dig around and see about the encryption, but I don't see how you'd run into any issues.

-- 
Matthew Woodward
[email protected]
http://blog.mattwoodward.com
identi.ca / Twitter: @mpwoodward

Please do not send me proprietary file formats such as Word, PowerPoint, etc. as attachments.
http://www.gnu.org/philosophy/no-word-attachments.html

-- 
Open BlueDragon Public Mailing List
http://www.openbluedragon.org/
http://twitter.com/OpenBlueDragon
online manual: http://www.openbluedragon.org/manual/
mailing list - http://groups.google.com/group/openbd?hl=en
