Kattare Internet Services Homepage Kattare Internet Services
Members & Developers Forums

Using datasources securely

 
Kattare Internet Services Forum Index -> ColdFusion
neurozen
Guest

Posted: Tue Dec 10, 2002 7:52 am    Post subject: Using datasources securely

After a few iterations and some help from Kattare Support staff, we've finally figured out the best way to use datasources in Cold Fusion in a secure manner.


  1. First, have the Cold Fusion administrator here create a datasource for you in Cold Fusion that points to your database. They can test the validity of the datasource's connection to your database (as they should) by including your username and password in the datasource specification.
  2. Once the datasource's connectivity has been verified, ask them to remove the username and password from the datasource specification in the Cold Fusion administrator. This will mean that any use of the datasource will require that the <CFQUERY> tag include the USERNAME and PASSWORD parameters.
  3. Now you have created the situation where other users on the system cannot access your database simply by having a CFM file containing <CFQUERY DATASOURCE="yourdatasource">. They must include your username and password. However, if someone can read your own CFM module files, they could see the USERNAME and PASSWORD parameters that you use in <CFQUERY> tags. To fully secure the datasource, though, you should use variables that are defined externally (e.g., in an Application.cfm file). This is also a good idea because it is smarter to define the username and password in one place rather than have it all over the place, requiring mass updates to multiple files when these parameters change. An example would look something like this:
    Code:
    Application.cfm
    ===========================
    <!--- Database credentials are defined once here and referenced by variable name in every module --->
    <CFSET mydbusername = "xxxxxxxx">
    <CFSET mydbpassword = "yyyyyyyy">

    mymodule.cfm
    ===========================
    <!--- Both values must be interpolated with #...#; a bare "mydbpassword" would send the literal string as the password --->
    <CFQUERY DATASOURCE="mydatasource"
        USERNAME="#mydbusername#" PASSWORD="#mydbpassword#" ...>

  4. This puts the sensitive database credentials in a separate place, but currently that place is no more protected than the other CFM file. You can secure the sensitive information in the Application.cfm file by encrypting it, using the cfencode utility provided with Cold Fusion.
    Code:
    $ /opt/coldfusion/bin/cfencode Application.cfm

    Remember though that this utility essentially destroys the original file, replacing it with its encrypted version. This means you no longer have a copy of the original text contained in your Application.cfm file. It might be useful to copy the original file manually to a backup (protecting the backup by making it mode 600) and then run cfencode.

This method ensures that your database credentials are stored in one secure place, and that those credentials can be used in multiple Cold Fusion modules by referencing them by their variable name so as not to compromise security. While this is not 100% uncrackable, it is probably the most bang for your buck with respect to database security with Cold Fusion.

Rich Rosen
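A small wrapper for step 4, added here as an example and not part of the original post: it copies Application.cfm to a mode-600 backup before handing the file to cfencode, and refuses to run if a backup already exists or the encoder cannot be found, so the plaintext is never lost to the in-place rewrite. The CFENCODE override variable is an assumption for testing; its default is the path the post uses.

```shell
#!/bin/sh
# Added example (not from the original post): back up Application.cfm with
# mode 600 before cfencode replaces it with the encoded version.
# CFENCODE is an assumed override hook; the default is the path from the post.
CFENCODE="${CFENCODE:-/opt/coldfusion/bin/cfencode}"

# encode_app_cfm FILE
# Returns 0 on success. Leaves FILE untouched when the backup cannot be made,
# when a backup already exists (do not silently overwrite an older plaintext
# copy), or when the encoder is not executable.
encode_app_cfm() {
    file="$1"
    backup="$1.orig"
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    [ -e "$backup" ] && { echo "backup already exists: $backup" >&2; return 1; }
    [ -x "$CFENCODE" ] || { echo "encoder not executable: $CFENCODE" >&2; return 1; }
    # Create the backup with restrictive permissions from the start (umask in a
    # subshell) instead of copying world-readable and tightening afterwards.
    ( umask 077 && cp "$file" "$backup" ) || return 1
    chmod 600 "$backup" || return 1
    # Only now let cfencode rewrite the original in place.
    "$CFENCODE" "$file"
}

# Stand-alone usage: ./encode_app_cfm.sh /path/to/Application.cfm
if [ $# -gt 0 ]; then
    encode_app_cfm "$1"
fi
```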
Powered by phpBB © 2001, 2002 phpBB Group