
RE: ODBC 7.0006 bugs

From: "Henshall, Stuart - WCP" <SHenshall(at)westcountrypublications(dot)co(dot)uk>
To: "'David Ciarniello'" <brainlost(at)rocketmail(dot)com>, "Henshall, Stuart - WCP" <SHenshall(at)westcountrypublications(dot)co(dot)uk>
Cc: pgsql-odbc(at)postgresql(dot)org
Subject: RE: ODBC 7.0006 bugs
Date: 2001-07-06 11:42:24
Message-ID: E2870D8CE1CCD311BAF50008C71EDE8E01F74609@MAIL_EXCHANGE
Lists: pgsql-odbc

> -----Original Message-----
> From:	David Ciarniello [SMTP:brainlost(at)rocketmail(dot)com]
> Sent:	Friday, July 06, 2001 11:56 AM
> To:	Henshall, Stuart - WCP
> Cc:	pgsql-odbc(at)postgresql(dot)org
> Subject:	R: ODBC 7.0006 bugs
> 
> 
	Makes me glad I haven't used the parse option (what is it for?)

> > 3) I can see your point. However I tend not to use DSNs but
> > rather connection strings so it's helpful to be able to turn on logging
> > without editing the program.
> 
> Can't we move all settings on a datasource basis continuing to support
> all parameters on connection strings ?
> 
	I was meaning so that I didn't have to change my connect string at
all. Maybe having all the options available as driver defaults which are
only overwritten if they are also in the datasource string. I must admit I
don't really know about the driver's internals so have no idea how tricky
that would be.

> > 5) I disagree. If I'm having problems connecting I want to see all
> > the options in the connection string. Don't log when you're not
> > debugging, it slows everything down.
> 
> You can find the authentication response in the backend logs (like the
> (in)famous "password authentication failed for user admin")
> 
	Yes, but it doesn't give the ODBC side of the story.

> Instead somebody could activate the logger without my authorization
> (consider a pc that shares the hard drive, just put the right reg file
> into the startup folder and wait for the next reboot - considering win9x
> stability you don't have to wait too much :-)) - so that the log can be
> produced... you can grab the password from a network environment even
> without ever seeing that pc).
> I think it's a security risk.
> 
	True. However someone could just make a little alteration to
the source, recompile the ODBC driver then drop it into \windows\system.
Having sensitive areas of the disk shared is inherently unsafe. Or someone
could write a wrapper DLL that just passed everything along while grabbing
the PWD. Or drop a Trojan into your startup to expose your PC. I suppose
these would be trickier, but not ridiculously so. Maybe have two driver
builds. A production model that disables logging (plus anything else deemed
a risk) and a developer version that allows it to be enabled. I really must
get MSVC so I can fiddle with the driver like this.
	- Stuart
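
The risk debated in this message is that a driver log records the full connection string, PWD included. As an added example (not code from the ODBC driver or from either poster), here is one way a logging routine could mask the password before writing the line; the helper names, the choice of PWD/PASSWORD as the sensitive keys, and the brace-quoting rule are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Case-insensitive match of key[0..n) against an upper-case name. */
static int key_is(const char *key, size_t n, const char *name)
{
    if (strlen(name) != n) return 0;
    for (size_t i = 0; i < n; i++)
        if (toupper((unsigned char)key[i]) != name[i]) return 0;
    return 1;
}

/* Append n bytes and keep out NUL-terminated; returns 0 if they do not fit. */
static int put(char *out, size_t outsz, size_t *o, const char *s, size_t n)
{
    if (*o + n >= outsz) return 0;
    memcpy(out + *o, s, n);
    *o += n;
    out[*o] = '\0';
    return 1;
}

/* Hypothetical helper: copy conn to out with the PWD/PASSWORD value replaced
   by "***". Returns 0 on success, -1 if out is too small.
   Constructed sample: "UID=admin;PWD=s3cret;DATABASE=x" -> "UID=admin;PWD=***;DATABASE=x" */
int mask_conn_string(const char *conn, char *out, size_t outsz)
{
    size_t o = 0;
    if (outsz == 0) return -1;
    out[0] = '\0';
    for (const char *p = conn; *p; ) {
        const char *eq = p + strcspn(p, "=;"), *end = eq;
        if (*eq == '=') {
            end = eq + 1;
            if (*end == '{')          /* braced value; "}}" assumed to escape } */
                for (end++; *end; end++)
                    if (*end == '}' && *++end != '}') break;
            end += strcspn(end, ";");
        }
        size_t k = (size_t)(eq - p);  /* key length */
        int secret = *eq == '=' && (key_is(p, k, "PWD") || key_is(p, k, "PASSWORD"));
        int ok = secret ? put(out, outsz, &o, p, k + 1) && put(out, outsz, &o, "***", 3)
                        : put(out, outsz, &o, p, (size_t)(end - p));
        if (ok && *end == ';') ok = put(out, outsz, &o, ";", 1);
        if (!ok) return -1;
        p = *end ? end + 1 : end;
    }
    return 0;
}
```

Masking only removes the password from the log file; the other points raised in the message (a replaced driver, a wrapper DLL) are outside what it covers.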

