where is the safest place to put the password to access sql server

I am moving our website back end from Access to SQL Server and would like to know the best place to put the password to access the data.

Below is a sample of what I am using now in application.cfm. Not sure how safe that will be when I go live. The live site is hosted
<cfif server_name is "127.0.0.1"><!--- local or dev server settings --->
	<cfset application.DS = "araxisql">
	<cfset application.dbuser = "cflocal">
	<cfset application.DBpass = "sdf7E48D">
	<cfset application.dbtype = "sql server">
<cfelse><!--- live server settings --->
	<cfset application.DS = "araxi2">
	<cfset application.dbuser = "admin">
	<cfset application.DBpass = "">
	<cfset application.dbtype = "access">
</cfif><!--- closing tag for the server switch --->

0
Asked by Shawn
1 Solution
 
ccareyCommented:
If you set it up as a ColdFusion datasource, then you don't need to specify the user/pass in your code to query the database since it's held inside CF admin. My 2 cents says not having it in your web app at all is safest.

Having said that, what you have there is fine under most circumstances - as long as your host doesn't have extended debug on. If that setting is checked, it has a nasty habit of blurting ColdFusion code to the screen. The last thing you want is a helpful error message telling the world what your passwords are.
0
 
ShawnAuthor Commented:
Just got a response from our host... they don't agree. Any thoughts?

If you put your login details into the DSN then anyone else on the server can use it to access your database as well. Best to put this in your code. The normal practice is to store the DSN, username and password in a variable and pass that variable into your queries.
This was not an issue with MSACCESS as it is a file based database, so access to the file is restricted by the security sandboxes and general server security.
However this is not the case with an RDBMS such as MSSQL or MySQL.
0
 
ccareyCommented:
Ah well, a shared server is a different animal. In that case, store the vars in an external properties file that lives OUTSIDE the webroot and load it in at runtime.
0

 
ShawnAuthor Commented:
I was going to close this but you mention OUTSIDE. Right now they are residing in application.cfm which is inside. How would I set up the variables outside in this case?
0
 
ccareyCommented:
If your application.cfm is in the root, put your vars in a file that lives outside the webroot and either include it (<cfinclude template="../vars.cfm">), or use <cffile> to read the thing in and parse. I usually store this kind of thing in a text file and read them in as properties into a variable structure.
0
 
ShawnAuthor Commented:
OK, that's weird... I set up a file vars.cfm and put it in the db folder (above the root), used the
(<cfinclude template="../db/vars.cfm">) in application.cfm and it loads, but all the text has changed.

It looks like it's not reading the style.css anymore

      
0
 
ccareyCommented:
Weird - did it throw an error or something, or dump out part way through? A <cfinclude> by itself won't influence whether the browser sees a CSS file.
0
 
ShawnAuthor Commented:
Not that I can see. It seems to have changed the order in which the files load. I'll add below my whole application.cfm in case you see something.
<cfapplication sessionmanagement="Yes" setclientcookies="Yes" name="#server_name#" sessiontimeout="#createtimespan(0,1,0,0)#">
<!--- clear the cached variables if switch is sent --->

<!--- setup application variables --->
<cfif not isdefined('application.AppSettings')>
<cflock timeout="10" throwontimeout="No" type="EXCLUSIVE" scope="APPLICATION">
	<!--- set application variables depending on server --->
	<!--- note: the parentheses around the include are literal text and are sent to the browser as part of the page --->
	(<cfinclude template="../db/vars.cfm">)

	<!--- set generic variables --->
	<cfif NOT isDefined("application.OutsideLink")>
		<cfset application.OutsideLink = cgi.HTTP_REFERER>
	</cfif>
	<cfif listLen(application.OutsideLink,"/") gt 1>
		<cfset application.OutsideDomain = listGetAt(application.OutsideLink,2,"/")>
		<cfif left(application.OutsideDomain,4) is "www.">
			<cfset application.OutsideDomain = listRest(application.OutsideDomain,".")>
		</cfif>
		<cfset application.OutsideQuery = listRest(application.OutsideLink,"/")>
		<cfset application.OutsideQuery = listRest(application.OutsideQuery,"/")>
	<cfelse>
		<cfset application.OutsideDomain = "">
		<cfset application.OutsideQuery = "">
	</cfif>

	<cfset application.ProjectDownloads = "../members/ProjectDownloads/">

	<!--- set database specific attributes --->
	<cfif application.dbtype is "access">
		<cfset application.NOT = "NOT">
	<cfelseif application.dbtype is "sql server">
		<cfset application.NOT = "~">
	</cfif>
	<!--- flag must live in the application scope, otherwise the isdefined() check above never sees it and this block runs on every request --->
	<cfset application.AppSettings = "set">
	<cfset application.ContentCacheTimespan = CreateTimeSpan(0, 1, 0, 0)>
	<cfset application.NewsCacheTimespan = CreateTimeSpan(0, 1, 0, 0)>

	<cfif server_name contains "araxi.fr">
		<cfset application.emaildomain = "araxi.fr">
	<cfelseif server_name contains "127.0.0.1">
		<cfset application.emaildomain = "111translations.com">
	<cfelseif server_name contains "111translations.com">
		<cfset application.emaildomain = "111translations.com">
	<cfelseif server_name contains "araxi.co.uk">
		<cfset application.emaildomain = "araxi.co.uk">
	<cfelseif server_name contains "araxican.ca">
		<cfset application.emaildomain = "araxican.ca">
	<cfelse>
		<cfset application.emaildomain = "araxi.co.uk">
	</cfif>
</cflock>
</cfif>
<cfinclude template="act_setlanguage.cfm">


0
 
ShawnAuthor Commented:
content of vars.cfm
<cfif server_name is "127.0.0.2"><!--- local or dev server settings --->
	<cfset application.DS = "araxi3">
	<cfset application.dbuser = "admin">
	<cfset application.DBpass = "">
	<cfset application.dbtype = "access"><!--- set to database type, (1)access (2)sql server --->

<cfelseif server_name is "127.0.0.1"><!--- local or dev server settings to access mock host db --->
	<cfset application.DS = "araxisql_dsp">
	<cfset application.dbuser = "cflocal_dsp">
	<cfset application.DBpass = "s">
	<cfset application.dbtype = "sql server">

	<cfset application.DSHome = "araxisql"><!--- local or dev server settings to access mock home db --->
	<cfset application.dbuserHome = "cflocal">
	<cfset application.DBpassHome = "sd">

<cfelseif server_name is "liveserverdomain"><!--- live server settings to access host db --->
	<cfset application.DS = "dsnAraxi111_host">
	<cfset application.dbuser = "sfadmin">
	<cfset application.DBpass = "sdf">
	<cfset application.dbtype = "sql server">

	<cfset application.DSHome = "dsnAraxi111_home"><!--- live server settings to access home db --->
	<cfset application.dbuserHome = "cflocal">
	<cfset application.DBpassHome = "sdf7">

<cfelse><!--- live server settings --->
	<cfset application.DS = "araxi2">
	<cfset application.dbuser = "admin">
	<cfset application.DBpass = "">
	<cfset application.dbtype = "access"><!--- set to database type, (1)access (2)sql server --->

</cfif>


0
 
ShawnAuthor Commented:
OK, fixed: took out the brackets around (<cfinclude template="../db/vars.cfm">)

<cfinclude template="../db/vars.cfm">

didn't know brackets could have such an effect.
0
 
ccareyCommented:
The ( ) would have turned up in your markup and invalidated the HTML markup. If you wrapped that routine in <cfsilent> you'd be OK with or without brackets.
0
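As an added example, not code from the thread and not Shawn's or ccarey's own, here is one way to do what ccarey describes in both of his suggestions: read a key=value properties file that lives outside the webroot with <cffile>, parse it into a structure, copy the values into the application scope, and wrap the whole routine in <cfsilent> so that nothing (stray characters, whitespace) is sent to the browser. The path ../private/db.properties, the key names, and the sample values are assumptions; the file contents shown in the comment are constructed.

```cfml
<!--- Added example (not from the thread). Loads database settings from a
      properties file stored outside the webroot. Assumed file, relative to
      application.cfm: ../private/db.properties (hypothetical path), with
      constructed contents such as:

          # lines starting with # are comments
          ds=araxisql
          dbuser=cflocal
          dbpass=changeme
          dbtype=sql server

      cfsilent suppresses all output from this block, so nothing leaks into
      the HTML even if the include or the loop produces whitespace. --->
<cfsilent>
<cfif NOT isDefined("application.dbSettingsLoaded")>
  <cflock scope="APPLICATION" type="EXCLUSIVE" timeout="10">
    <!--- re-check inside the lock so two concurrent first requests do not both load --->
    <cfif NOT isDefined("application.dbSettingsLoaded")>
      <!--- expandPath resolves relative to this template, climbing out of the webroot --->
      <cfset propsPath = expandPath("../private/db.properties")>
      <cffile action="read" file="#propsPath#" variable="propsText">

      <!--- parse key=value lines into a structure; blank lines and # comments are skipped --->
      <cfset props = structNew()>
      <cfloop list="#propsText#" index="line" delimiters="#chr(10)##chr(13)#">
        <cfset line = trim(line)>
        <cfif len(line) AND left(line, 1) NEQ "##" AND find("=", line)>
          <cfset key = lCase(trim(listFirst(line, "=")))>
          <cfset val = trim(listRest(line, "="))>
          <cfset props[key] = val>
        </cfif>
      </cfloop>

      <!--- fail closed: refuse to start with a missing setting rather than run with blanks --->
      <cfloop list="ds,dbuser,dbpass,dbtype" index="required">
        <cfif NOT structKeyExists(props, required)>
          <cfthrow type="ConfigError" message="Missing '#required#' in db.properties">
        </cfif>
      </cfloop>

      <!--- same variable names the thread already uses in application.cfm --->
      <cfset application.DS = props.ds>
      <cfset application.dbuser = props.dbuser>
      <cfset application.DBpass = props.dbpass>
      <cfset application.dbtype = props.dbtype>
      <cfset application.dbSettingsLoaded = true>
    </cfif>
  </cflock>
</cfif>
</cfsilent>
```

A query then passes the loaded values as attributes, for example <cfquery name="q" datasource="#application.DS#" username="#application.dbuser#" password="#application.DBpass#">. If the host instead lets you define the datasource with its credentials in CF Administrator (ccarey's first suggestion), drop the username and password attributes and the dbuser/dbpass keys altogether, so the password never sits in a file the web application can read. In either case the properties file should be readable by the ColdFusion service account only, and the directory it lives in must not be mapped to any URL.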
 
ShawnAuthor Commented:
So that's what silent does. Thanks for all the advice. Will keep it out of the root from now on.

Shawn
0
 
ccareyCommented:
no probs
0
