House of Fusion
ColdFusion Talk (CF-Talk)

Database Security

Author:
Byte Me
06/30/2009 12:22 PM

Anyone know the pros and cons of setting up a db connection as described below? I could not find the info with Google. I am setting up a website that will have three separate MySQL databases. Db1 is used in the public area, db2 is used in the value added area (a visitor is required to obtain a username and password), and db3 is where the staff maintain the website.

From a security standpoint, does it make any difference if I create one database connection and call my queries as follows:

    <cfquery name="q1" dbname="db1" datasource="theConn">
    <cfquery name="q2" dbname="db2" datasource="theConn">
    <cfquery name="q3" dbname="db3" datasource="theConn">

or would this be more secure (three separate connections):

    <cfquery name="q1" dbname="db1" datasource="Conn1">
    <cfquery name="q2" dbname="db2" datasource="Conn2">
    <cfquery name="q3" dbname="db3" datasource="Conn3">

Also, which way would be faster?

Thank you

Author:
Dave Watts
06/30/2009 12:33 PM

Given the exact code above, the second approach would be more secure, but this doesn't really have anything to do with datasources. Instead, it's about logins - since you didn't specify a username and password in CFQUERY, you've embedded the login credentials in the datasource. The key is to use logins that have the minimal rights necessary, so that if a login is compromised (by, say, an SQL injection attack) it can't do anything beyond what it should be able to do.

> Also, which way would be faster?

In general, the first approach would perform better, since it could reuse existing database connections more easily.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
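An added illustration of the least-privilege logins Dave describes, not code from the thread: MySQL account setup for the three-datasource approach, with the single shared login shown first for contrast. Account names, the host "web" and the database names are assumed; the passwords are placeholders.

```sql
-- Added example (not from the thread). Weak setting: one login behind a
-- single datasource "theConn" that can reach all three databases, so one
-- injected query can read or alter any of them.
CREATE USER 'theconn'@'web' IDENTIFIED BY 'PLACEHOLDER_PASSWORD';
GRANT ALL PRIVILEGES ON *.* TO 'theconn'@'web';

-- Least-privilege setting: one login per datasource, each confined to its
-- own database and to the statements that area of the site actually needs.
-- Each account is then entered as the login of the matching datasource in
-- the ColdFusion Administrator (Conn1, Conn2, Conn3).

-- Conn1: public area, read-only access to db1
CREATE USER 'conn1_public'@'web' IDENTIFIED BY 'PLACEHOLDER_PASSWORD_1';
GRANT SELECT ON db1.* TO 'conn1_public'@'web';

-- Conn2: members area, reads plus the writes member features need in db2
CREATE USER 'conn2_members'@'web' IDENTIFIED BY 'PLACEHOLDER_PASSWORD_2';
GRANT SELECT, INSERT, UPDATE ON db2.* TO 'conn2_members'@'web';

-- Conn3: staff maintenance, full data access to db3 but no schema or
-- server-level privileges (no DROP, ALTER, FILE, SUPER, ...)
CREATE USER 'conn3_staff'@'web' IDENTIFIED BY 'PLACEHOLDER_PASSWORD_3';
GRANT SELECT, INSERT, UPDATE, DELETE ON db3.* TO 'conn3_staff'@'web';

-- Check what each datasource login can actually do; a query issued through
-- Conn1 against db2 or db3 is refused with an access-denied error.
SHOW GRANTS FOR 'conn1_public'@'web';
SHOW GRANTS FOR 'conn2_members'@'web';
SHOW GRANTS FOR 'conn3_staff'@'web';
```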

Author:
Tom Chiverton
07/10/2009 10:18 AM

> the staff maintain the website. From a security standpoint, does it make
> any difference if I create one database connection and call my queries as
> follows or would this be more secure (three separate connections):

With a single connection connecting to multiple databases, there is a greater chance a single SQL injection will be able to reach everything.

--
Helping to paradigmatically revolutionize enterprise communities as part of the IT team of the year, '09 and '08