DB Security

Discussion in 'Programming' started by cfnut, Jul 18, 2008.

  1. #1
    While developing my website I notice that sometimes when there is an error in my database the error page shows my connection string with the username and password for my database. Just wondering what the proper way is to prevent this from happening.
     
    cfnut, Jul 18, 2008
  2. unitedlocalbands

    #2
    You need to set up the error handling in an application.cfc file.

    That way when an error occurs the person viewing your site will see a generic error page like:

    "We're sorry, but we had an error. Our support team has been notified."

    And the error will instead be emailed directly to you.

    Here's a link to LiveDocs to set up the application.cfc file:
    http://livedocs.adobe.com/coldfusio...xt=ColdFusion_Documentation&file=00000692.htm

    Here's how you enable error handling:

    application.cfc
    
    
    <cfcomponent output="no">
        <!--- Application settings: the empty values are placeholders to fill in --->
        <cfset this.name="">
        <cfset this.clientmanagement="">
        <cfset this.clientstorage="">
        <cfset this.sessionmanagement="">
        <cfset this.applicationTimeout=CreateTimeSpan(0,0,15,0)>
        <cfset this.sessiontimeout=CreateTimeSpan(0,0,15,0)>

        <!--- The <cferror> line below is how you set up error handling; the rest of the code here is to set up the application.cfc page --->
        <cferror type="exception" mailto="your@address.com" template="error.cfm">

        <cffunction name="onApplicationStart">
        </cffunction>

        <cffunction name="OnSessionStart" returntype="void">
        </cffunction>

        <cffunction name="OnRequestStart">
            <cfargument type="String" name="targetPage" required="true"/>
            <cfreturn true>
        </cffunction>

        <cffunction name="onSessionEnd">
            <cfargument name="sessionScope" type="struct" required="true">
            <cfargument name="appScope" type="struct" required="false">
        </cffunction>
    </cfcomponent>
     
    unitedlocalbands, Jul 22, 2008
  3. phydiux

    #3
    Or, don't put your username and password in your <cfquery> tags.
     
    phydiux, Jul 23, 2008
  4. cfnut

    #4
    Are you saying to use variables?
     
    cfnut, Jul 23, 2008
  5. cfnut

    #5
    unitedlocalbands, do I replace my current application.cfm with application.cfc?
     
    cfnut, Jul 23, 2008
  6. phydiux

    #6
    You don't need to replace your existing application.cfm - you can just put a <cferror> tag in that, up near the top of the file. It's usually under your <cfapplication> tag, if you've got one.

    I would suggest putting the database username and password in the CF administrator, instead of hardcoding it into your application or even using a variable.
     
    phydiux, Jul 24, 2008
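
The two suggestions above (a `<cferror>` handler and a datasource whose credentials live in the CF administrator) put together, as an added example that is not part of the original thread. The application name, the datasource `exampleDSN`, the `products` table, the log file name and the e-mail address are assumptions made for illustration.

```cfml
<!--- ===== Application.cfm (runs before every request) ===== --->
<cfapplication name="exampleApp" sessionmanagement="yes">

<!--- Send uncaught exceptions to error.cfm instead of the default error page.
      mailto only sets error.mailTo for the template; it does not send
      mail by itself. --->
<cferror type="exception" template="error.cfm" mailto="admin@example.com">


<!--- ===== products.cfm ===== --->
<!--- The query names only the datasource. "exampleDSN" is a hypothetical
      datasource defined in the ColdFusion Administrator, where its username
      and password are stored, so no credentials appear in this file or in
      any error raised from it. --->
<cfparam name="url.id" default="0">
<cfquery name="getProduct" datasource="exampleDSN">
    SELECT name, price
    FROM products
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>


<!--- ===== error.cfm ===== --->
<!--- Full detail goes to a server-side log file only. --->
<cflog file="exampleApp_errors" type="error"
       text="#error.template# | #error.remoteAddress# | #error.diagnostics#">

<!--- The visitor sees a generic message with no diagnostics, SQL or
      connection details. --->
<html>
<body>
    <h1>Sorry, something went wrong.</h1>
    <p>Our support team has been notified.</p>
</body>
</html>
```

To have the error actually e-mailed, add a `<cfmail>` tag to error.cfm that sends the same `error` fields to `error.mailTo`.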
  7. unitedlocalbands

    #7
    The short answer is no... but I would think you will benefit from keeping up to date with ColdFusion as it develops.

    I switched and have not looked back.
     
    unitedlocalbands, Jul 30, 2008