[thelist] ASP:: Personal Info > Write to Text or Email off?

Martin martin at members.evolt.org
Sat Apr 27 04:48:01 CDT 2002


On Saturday, April 27, 2002, at 12:53  am, kevin D. white wrote:

> But would you really store personal info in a text file on the same
> box as the Web server?  From a security standpoint Email has got to be
> the safer of the two.

There've been enough examples of customer information becoming
exposed via a URL for a plain text file to be just bonkers. Mind you,
if you store it outwith the URL structure, you're going to be a lot
safer, but I don't know if you can do that with IIS (on a Unix system
it's trivial).

> This is just so frustrating.  I can't fathom why my
> client thinks a text file is okay if a database is not.

I think it's been mentioned already, but I really think it's more
the case that the member of client staff you're dealing with is
trying to sneak this past IT. I've worked in a similar situation,
and the reason for the db ban is likely that all db work has
to go through proper development and testing by the client's
own IT staff, probably using something muscular like Oracle.
However, getting the IT staff to do this takes budget (internal
cross-charges are often more expensive to a departmental
budget than external charges), and being in a queue for their
time.

Look, here's a possibility - agree to the text file, on the condition
that you have explicit, written sign-off from the IT dept on it,
and explicit, written sign-off from the client that you advised against
it. This will give you CYA in both directions.

Cheers
Martin
_______________________________________________
email: martin at easyweb.co.uk             PGP ID:	0xA835CCCB
	martin at members.evolt.org      snailmail:	30 Shandon Place
   tel:	+44 (0)774 063 9985				Edinburgh,
   url:	http://www.easyweb.co.uk			Scotland
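
Added example, not part of the original message or the thread's code: a Python sketch of the "store it outside the URL structure" advice above, checking that a data file does not resolve into any directory the web server serves before a record is appended. The function names, the `served_roots` list (document root plus any aliases or virtual directories, supplied by you) and the sample record are assumptions for illustration.

```python
import os
import tempfile

def is_url_reachable(path, served_roots):
    """True if path resolves inside any directory the web server maps to a URL."""
    real = os.path.realpath(path)  # collapses ".." and follows symlinks
    for root in served_roots:
        real_root = os.path.realpath(root)
        try:
            if os.path.commonpath([real, real_root]) == real_root:
                return True
        except ValueError:  # different drives on Windows: cannot be inside
            continue
    return False

def append_record(path, fields, served_roots):
    """Append one tab-separated record, refusing any URL-reachable location."""
    if is_url_reachable(path, served_roots):
        raise PermissionError("refusing to store personal data under a served directory")
    clean = [str(f).replace("\t", " ").replace("\r", " ").replace("\n", " ") for f in fields]
    # 0o600: readable by the owning account only (POSIX; use an ACL on Windows)
    fd = os.open(path, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o600)
    with os.fdopen(fd, "a", encoding="utf-8") as fh:
        fh.write("\t".join(clean) + "\n")

def demo():
    """Constructed layout in a temp dir: wwwroot is served, private is not."""
    with tempfile.TemporaryDirectory() as base:
        docroot, private = (os.path.join(base, d) for d in ("wwwroot", "private"))
        os.makedirs(docroot)
        os.makedirs(private)
        alias = os.path.join(base, "data")  # looks outside, points inside
        os.symlink(docroot, alias)
        roots = [docroot]
        good = os.path.join(private, "signups.txt")
        results = {
            "dotdot": is_url_reachable(os.path.join(private, "..", "wwwroot", "s.txt"), roots),
            "symlink": is_url_reachable(os.path.join(alias, "signups.txt"), roots),
            "outside": is_url_reachable(good, roots),
        }
        append_record(good, ["Alice Example", "alice@example.test\nforged line"], roots)
        with open(good, encoding="utf-8") as fh:
            results["written"] = fh.read()
        try:
            append_record(os.path.join(alias, "signups.txt"), ["x"], roots)
            results["refused"] = False
        except PermissionError:
            results["refused"] = True
        return results
```

Calling `demo()` returns the check results for the constructed layout. The check only covers the roots it is given, so a directory the server exposes but that is missing from `served_roots` is not detected.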