[thesite] UEUE v.0.2 Update

isaac isaac at members.evolt.org
Mon Nov 5 20:21:17 CST 2001


> We're bound to eventually forget to take out the instances (would be every
> cfquery tag, no?) where we have the password in the code.

No, you could set both of them in the application.cfm as is usually done
with the datasource name. i.e., only need to remove it from one place.

> And I don't want to ever have to say to a member "yeah you could help out,
> but I don't want you to see our database password, so no dice." And, if
> you *don't* say that, I think we get into screening issues.

As it is, anyone given access can run a query and grab any password from the
db anyway, right?

It's one extra level of security with few drawbacks (I'd guess; or is there
a performance hit?), so I see no real reason not to add it.

If we don't put something like this in place, perhaps we should put a
disclaimer on the sign-up form: Don't use any passwords you also use for
internet banking, your own server, etc., because anyone with a MEO account
can grab passwords from WEO whenever they'd like (is that correct?!). For
some, it's common sense to use a less-critical password for stuff like that,
but many people might not think of that.


I've not followed the UEUE gear enough to comment on the viability/necessity
of that at this stage.


isaac

--------------------------------------------------------------
triple zero digital | upstairs at 200 the parade, norwood 5067
(08)83320545 | www.triplezero.com.au | isaac at triplezero.com.au




