Shawn
asked on
where is the safest place to put the password to access sql server
I am moving our website back end from access to sql server and would like to know the best place to put the password to access the data.
below is a sample of what I am using now in application.cfm. Not sure how safe that will be when I go live. the live site is hosted
<cfif server_name is "127.0.0.1"><!--- local or dev server settings --->
<cfset application.DS = "araxisql">
<cfset application.dbuser = "cflocal">
<cfset application.DBpass = "sdf7E48D">
<cfset application.dbtype="sql server">
<cfelse><!--- live server settings --->
<cfset application.DS = "araxi2">
<cfset application.dbuser = "admin">
<cfset application.DBpass = "">
<cfset application.dbtype="access">
</cfif>
ASKER
just got a response from our host...they don't agree. any thoughts?
If you put your login details into the DSN then anyone else on the server can use it to access your database as well. Best to put this in your code. the normal practice is to store the DSN, username and password in a variable and pass that variable into your queries.
This was not an issue with MSACCESS as it is a file based database, so access to the file is restricted by the security sandboxes and general server security.
However this is not the case with an RDBMS such as MSSQL or MySQL.
ASKER CERTIFIED SOLUTION
ASKER
I was going to close this but you mention OUTSIDE. Right now they are residing in application.cfm which is inside. How would I set up the variables outside in this case?
If your application.cfm is in the root, put your vars in a file that lives outside the webroot and either include it (<cfinclude template="../vars.cfm">), or use <cffile> to read the thing in and parse. I usually store this kind of thing in a text file and read them in as properties into a variable structure.
ASKER
ok, that's weird....I set up a file vars.cfm and put it in the db folder (above the root), used the
(<cfinclude template="../db/vars.cfm"> ) in application.cfm and it loads but all the text has changed.
It looks like it's not reading the style.css anymore
weird - did it throw an error or something, or dump out part way through? A <cfinclude> by itself won't influence whether the browser sees a css file
ASKER
not that I can see. it seems to have changed the order in the files loading. I'll add below my whole application.cfm in case you see something
<cfapplication sessionmanagement="Yes" setclientcookies="Yes" name="#server_name#" sessiontimeout="#createtimespan(0,1,0,0)#">
<!--- clear the cached variables if switch is sent --->
<!--- setup application variables --->
<cfif not isdefined('application.AppSettings')>
<cflock timeout="10" throwontimeout="No" type="EXCLUSIVE" scope="APPLICATION">
<!--- set application variables depending on server --->
(<cfinclude template="../db/vars.cfm">)
<!--- set generic variables --->
<cfif NOT isDefined("application.OutsideLink")>
<cfset application.OutsideLink = cgi.HTTP_REFERER>
</cfif>
<cfif listLen(application.OutsideLink,"/") gt 1>
<cfset application.OutsideDomain = listGetAt(application.OutsideLink,2,"/")>
<cfif left(application.OutsideDomain,4) is "www.">
<cfset application.OutsideDomain = listRest(application.OutsideDomain,".")>
</cfif>
<cfset application.OutsideQuery = listRest(application.OutsideLink,"/")>
<cfset application.OutsideQuery = listRest(application.OutsideQuery,"/")>
<cfelse>
<cfset application.OutsideDomain = "">
<cfset application.OutsideQuery = "">
</cfif>
<cfset application.ProjectDownloads = "../members/ProjectDownloads/">
<!--- set database specific attributes --->
<cfif application.dbtype is "access">
<cfset application.NOT = "NOT">
<cfelseif application.dbtype is "sql server">
<cfset application.NOT = "~">
</cfif>
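<!--- set the flag in the application scope so the isdefined('application.AppSettings') check above sees it --->
<cfset application.AppSettings = "set">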
<cfset application.ContentCacheTimespan = CreateTimeSpan(0, 1, 0, 0)>
<cfset application.NewsCacheTimespan = CreateTimeSpan(0, 1, 0, 0)>
<cfif server_name contains "araxi.fr">
<cfset application.emaildomain = "araxi.fr">
<cfelseif server_name contains "127.0.0.1">
<cfset application.emaildomain = "111translations.com">
<cfelseif server_name contains "111translations.com">
<cfset application.emaildomain = "111translations.com">
<cfelseif server_name contains "araxi.co.uk">
<cfset application.emaildomain = "araxi.co.uk">
<cfelseif server_name contains "araxican.ca">
<cfset application.emaildomain = "araxican.ca">
<cfelse>
<cfset application.emaildomain = "araxi.co.uk">
</cfif>
</cflock>
</cfif>
<cfinclude template="act_setlanguage.cfm">
ASKER
content of vars.cfm
<cfif server_name is "127.0.0.2"><!--- local or dev server settings --->
<cfset application.DS = "araxi3">
<cfset application.dbuser = "admin">
<cfset application.DBpass = "">
<cfset application.dbtype="access"><!--- set to database type, (1)access (2)sql server --->
<cfelseif server_name is "127.0.0.1"><!--- local or dev server settings to access mock host db--->
<cfset application.DS = "araxisql_dsp">
<cfset application.dbuser = "cflocal_dsp">
<cfset application.DBpass = "s">
<cfset application.dbtype="sql server">
<cfset application.DSHome = "araxisql"> <!--- local or dev server settings to access mock home db--->
<cfset application.dbuserHome = "cflocal">
<cfset application.DBpassHome = "sd">
<cfelseif server_name is "liveserverdomain"><!--- live server settings to access host db--->
<cfset application.DS = "dsnAraxi111_host">
<cfset application.dbuser = "sfadmin">
<cfset application.DBpass = "sdf">
<cfset application.dbtype="sql server">
<cfset application.DSHome = "dsnAraxi111_home"> <!--- live server settings to access home db--->
<cfset application.dbuserHome = "cflocal">
<cfset application.DBpassHome = "sdf7">
<cfelse><!--- live server settings --->
<cfset application.DS = "araxi2">
<cfset application.dbuser = "admin">
<cfset application.DBpass = "">
<cfset application.dbtype="access"><!--- set to database type, (1)access (2)sql server --->
</cfif>
ASKER
ok, fixed took out the brackets around (<cfinclude template="../db/vars.cfm"> )
<cfinclude template="../db/vars.cfm">
didn't know brackets could have such an effect.
the ( ) would have turned up in your markup and invalidated the html markup. If you wrapped that routine in <cfsilent> you'd be ok with or without brackets
ASKER
so that's what silent does. thanks for all the advice. will keep it out of the root from now on.
Shawn
no probs
Having said that, what you have there is fine under most circumstances - as long as your host doesn't have extended debug on. If that setting is checked, it has a nasty habit of blurting ColdFusion code to the screen. The last thing you want is a helpful error message telling the world what your passwords are.
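The other option suggested in the thread (a text file outside the webroot, read with <cffile> and parsed as properties, inside <cfsilent>) could look like the block below. It is an added example, not code from any poster; the file name db.properties, the keys ds, dbuser and dbpass, the log name appconfig and the application.dbConfig flag are assumptions. Because the password sits in a data file rather than in a template, a debug page that prints ColdFusion source has no password to print.

```cfml
<!--- Added example for application.cfm; not code from the thread.
      Assumed: ../db/db.properties (outside the webroot) holds lines like
        ds=araxisql
        dbuser=cflocal
        dbpass=CHANGE_ME        (constructed placeholder value) --->
<cfsilent>
<cfif not structKeyExists(application, "dbConfig")>
  <cflock scope="application" type="exclusive" timeout="10" throwontimeout="yes">
    <!--- re-check inside the lock so only the first request loads the file --->
    <cfif not structKeyExists(application, "dbConfig")>
      <cftry>
        <!--- resolve relative to this template, not the requested page --->
        <cfset propsPath = getDirectoryFromPath(getCurrentTemplatePath()) & "../db/db.properties">
        <cffile action="read" file="#propsPath#" variable="rawProps">
        <cfset cfg = structNew()>
        <cfloop list="#rawProps#" index="propLine" delimiters="#chr(13)##chr(10)#">
          <cfset propLine = trim(propLine)>
          <cfset eqPos = find("=", propLine)>
          <!--- skip blanks, comment lines (chr(35) is the hash sign) and
                lines with no key or no value --->
          <cfif eqPos gt 1 and eqPos lt len(propLine) and left(propLine, 1) neq chr(35)>
            <!--- split on the first "=" only, so the value may contain "=" --->
            <cfset cfg[trim(left(propLine, eqPos - 1))] = trim(mid(propLine, eqPos + 1, len(propLine)))>
          </cfif>
        </cfloop>
        <!--- fail closed if a required key is missing or empty --->
        <cfloop list="ds,dbuser,dbpass" index="requiredKey">
          <cfif not structKeyExists(cfg, requiredKey)>
            <cfthrow type="AppConfig" message="Missing setting: #requiredKey#">
          </cfif>
        </cfloop>
        <cfset application.DS = cfg.ds>
        <cfset application.dbuser = cfg.dbuser>
        <cfset application.DBpass = cfg.dbpass>
        <cfset application.dbConfig = "loaded">
        <cfcatch type="any">
          <!--- log the reason server-side; show visitors nothing specific --->
          <cflog file="appconfig" type="error" text="DB settings not loaded: #cfcatch.message#">
          <cfabort showerror="Site configuration error.">
        </cfcatch>
      </cftry>
    </cfif>
  </cflock>
</cfif>
</cfsilent>
```

Queries then pass the values the way the host describes, through the `datasource`, `username` and `password` attributes of `<cfquery>`.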