I realize that all developers have a role in application security
(cfqueryparam, etc.). So, there definitely are things I have to pay
attention to in building an application.
But for server-level administration and security issues, I would personally
like to stay away as much as I can!
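As an added illustration of the developer-side point above (this is not code from the original thread), here is the difference between interpolating a request value straight into a cfquery and binding it with cfqueryparam. The datasource name "appdsn", the "users" table and the url/form parameters are assumed for the example.

```cfml
<!--- Constructed example: assumes a datasource named "appdsn", a table "users"
      with columns id and name, and an id passed on the URL. --->

<!--- Vulnerable: url.id is pasted into the SQL text, so a value such as
      1 OR 1=1 (or a UNION / stacked statement, depending on the driver)
      changes the query itself. --->
<cfquery name="qUnsafe" datasource="appdsn">
    SELECT id, name
    FROM users
    WHERE id = #url.id#
</cfquery>

<!--- Hardened: cfqueryparam sends the value as a bound parameter of the
      declared type. The SQL text is fixed, and a non-integer value is
      rejected by ColdFusion before the statement reaches the driver. --->
<cfquery name="qSafe" datasource="appdsn">
    SELECT id, name
    FROM users
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- String columns work the same way; maxlength caps the bound value. --->
<cfquery name="qByName" datasource="appdsn">
    SELECT id, name
    FROM users
    WHERE name = <cfqueryparam value="#form.name#" cfsqltype="cf_sql_varchar" maxlength="64">
</cfquery>
```

This addresses SQL injection in the application's own code only; it does nothing about the server-level concerns (CFEXECUTE, CreateObject and so on) that the rest of the thread is about, which is why those remain the host's problem.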
While
I still haven't been able to get the host to resolve this problem, and I've
decided to just abandon MySQL for SQL Server. The database is simple and I
can make the change quickly.
To wrap this up, based on what I've learned and what my web research shows:
. The problem exists only
Sorry if I wasn't clear about something. As you said, "Maintain connections
across client requests" is the default. It's when you turn it off that the
MySQL problem goes away with some server/driver configurations. If maintain
connections is off, then CF has to recreate the connection for each query
If you have security concerns, there is only one way to figure out if
they are valid. Test the system. With permission, of course.
Dean H. Saxe
d...@fullfrontalnerdity.com
A true conservationist is a person who knows that the world is not
given by his fathers, but borrowed from his
Sorry to ask a dumb question, but how, exactly, would you "test the system"?
Do you mean use some set of methods to try and break in, or is there some
sort of standard test suite?
Clarke
-Original Message-
From: ad...@acfug.org [mailto:ad...@acfug.org] On Behalf Of Dean H. Saxe
Sent:
There are many suites you can use (Foundstone Enterprise, Nessus,
etc.) and manual methods too. But unless your host agrees to it and
you want to pay for it, you're left with whatever info they can give
you about penetration testing they have had done in the past.
-dhs
--
Dean H. Saxe
S, I'd like to find out how insecure. Can you forward the code?
_
Derrick Peavy
derr...@derrickpeavy.com
404-786-5036
_
On Jul 10, 2009, at 1:43 PM, shawn gorrell wrote:
Clarke,
Welcome to the big leagues. I know that you might want to stay away
Clarke, in addition to the good stuff Shawn shared [and btw, Shawn, I'd
enjoy seeing that code :-)], I'll note that at least as far as the point he
made:
So the hoster is left with a hard choice: disable CFEXECUTE, CFOBJECT,
CreateObject(.NET), CreateObject(COM) and CreateObject(JAVA) or accept