3 Replies - 617 Views - Last Post: 25 January 2011 - 08:10 AM

#1 AldoRaine

New to ColdFusion - general question

Posted 25 January 2011 - 01:08 AM

I am in the early stages of learning ColdFusion. At this point I am beginning to understand the fundamentals of the language. That said I have a question that is well beyond where I am currently. The question basically deals with a database administration page – edit, delete, add data into the site’s database(s). With enough “sniffing,” and perhaps a little luck, couldn’t someone find the administration page? Would they then be able to manipulate data?

I’m guessing this is where sessions or cookies would come into play?


Replies To: New to ColdFusion - general question

#2 Craig328

Re: New to ColdFusion - general question

Posted 25 January 2011 - 06:59 AM

Welcome to D.I.C. Aldo!

Quote

With enough “sniffing,” and perhaps a little luck, couldn’t someone find the administration page? Would they then be able to manipulate data?

I’m guessing this is where sessions or cookies would come into play?


Indeed they could. There are a couple of ways to defeat those efforts.

To start, if you're using Adobe CF then the administrator access is typically at a URL like this: http://yourDomain.co...ator/index.cfm. When you get to that page you need to log in. So, you change the login and password and make both sufficiently difficult to guess (combination of alphanumeric characters...something like "c@NtGu3S5tH1s!" for a password for example).

Also, you configure your web server to restrict access to the administrator folder altogether. Couple that with the Sandbox security settings and you can make your administrator subdirectory entirely inaccessible if you like.

I've also seen someone rename the index.cfm page itself making it inaccessible unless you rename it back to index.cfm or know what it was you changed it to.

Keep in mind two additional things though. If you don't secure the server itself then all of the things you do to secure the CF deployment can be undone rather easily. The security chain is only as good as its weakest link. Also, your post mentioned a specific concern about "edit, delete, add data into the site’s database(s)". Typically, you don't do those functions via the administrator. Insofar as the CF admin goes, you set up the data sources you're going to use and give them alias names that you can use in your CF applications. The actual editing, adding and deleting of data is usually done via use of the CFQUERY tag in your applications themselves. This means you're going to want to familiarize yourself with a practice known as SQL injection attacks. Simply put, a SQL injection attack is a user exploiting a code weakness in your application wherein they try and append SQL code to URL and/or form elements. Luckily, pretty much all of those can be stopped dead in their tracks by use of the CFQUERYPARAM tag and by getting in the habit of scoping your variables.

You mentioned you're a beginner. Welcome to the world of CF development! We've put together a thread entitled Coldfusion Resources that should be quite a bit of help to you as you get yer CF on. If you run into a problem that you can't get solved by accessing the resources there, please post it here and we'll be glad to help you out.

Good luck!
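An added illustration of the CFQUERYPARAM and variable-scoping advice in the reply above (constructed example, not code from the poster or from this thread). The data source alias `myDSN` and the table and column names are assumed.

```cfml
<!--- Constructed example, not from the thread. "myDSN" is an assumed
      data source alias of the kind set up in the CF administrator. --->

<!--- Weak form: an unscoped, unvalidated variable is concatenated straight
      into the SQL text, so whatever arrives in the request becomes part of
      the statement itself. --->
<cfquery name="getProductUnsafe" datasource="myDSN">
    SELECT id, name, price
    FROM   products
    WHERE  id = #id#
</cfquery>

<!--- Hardened form: the variable is scoped explicitly to the URL and passed
      as a typed, bound parameter. The SQL text and the value travel to the
      database separately, so the value can never alter the statement, and
      a non-integer value is rejected before the query runs. --->
<cfquery name="getProduct" datasource="myDSN">
    SELECT id, name, price
    FROM   products
    WHERE  id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Form input gets the same treatment; maxlength bounds the accepted
      length of the string parameter. --->
<cfquery name="findUser" datasource="myDSN">
    SELECT user_id, username
    FROM   users
    WHERE  username = <cfqueryparam value="#form.username#"
                                    cfsqltype="cf_sql_varchar"
                                    maxlength="50">
</cfquery>
```

The scoped `url.` and `form.` prefixes also prevent a same-named variable from another scope (a cookie, for instance) from silently being used in place of the one intended.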

#3 AldoRaine

Re: New to ColdFusion - general question

Posted 25 January 2011 - 07:26 AM

Thanks so much! You have been a great deal of help already. I am sure I will be back soon with more questions, and I will certainly check out the information provided.

I am teaching myself - Ben Forta's books and Lynda.com. I have been doing web design for years now, but as of late, have really become interested in the server side of things. I thought long and hard about starting out with PHP, (and I will, at some point, learn it as well) but ColdFusion has some great features that, I think, might broaden my horizon from a career standpoint - hoping, anyway. Of course, the guy that does most of the coding for my sites says I'm nuts - he's a PHP guy.

#4 Craig328

Re: New to ColdFusion - general question

Posted 25 January 2011 - 08:10 AM

Well, to be entirely fair, PHP does have a number of things that make it an attractive option. It's "free". It has a large deployment base. It has a lot of users. That said, CF also has a fair number of advantages. Its tag based language is much easier to learn and makes development of complex applications a much quicker job than if you tried to do the same thing with PHP. Development time for each language for identical projects normally comes out to CF taking around half to one third the time.

CF has a lot of built-in features that you'd have to "hand code" in PHP. Now, PHP does have a lot of libraries wherein you can find and download modules that encapsulate a function similar to having a specific tag do it for you in CF. Unfortunately, those modules are not standardized across the language, meaning that you can have several different modules out there (or you can build your own) that all do essentially the same thing. For ongoing maintenance concerns, this isn't quite so good.

CF also has "free" and open source platforms now as well...so what used to be the downside of CF (the cost) is pretty much eliminated now. Personally, I use the open source version of CF (BlueDragon) for my personal dev projects and I use CF9 for my current contracts. The language I use is 98% identical between the two.

Anyway, if you're sticking to Forta's books, you're on the right track already. Keep plugging away and you should be good to go in short order.