RE: ODBC 7.0006 bugs - Mailing list pgsql-odbc

From Henshall, Stuart - WCP
Subject RE: ODBC 7.0006 bugs
Date
Msg-id E2870D8CE1CCD311BAF50008C71EDE8E01F74609@MAIL_EXCHANGE
Whole thread Raw
In response to ODBC 7.0006 bugs  ("David Ciarniello" <brainlost@rocketmail.com>)
List pgsql-odbc

> -----Original Message-----
> From:    David Ciarniello [SMTP:brainlost@rocketmail.com]
> Sent:    Friday, July 06, 2001 11:56 AM
> To:    Henshall, Stuart - WCP
> Cc:    pgsql-odbc@postgresql.org
> Subject:    R: ODBC 7.0006 bugs
>
>
    Makes me glad I havn't used the parse option (what is it for?)

> > 3) I can see you're point. However I tend not to use DSN's but
> > rather connection strings so its helpful to be able to turn on logging
> with
> > out editing the program.
>
> Can't we move all settings on a datasource basis continuing to support
> all parametrs on connection strings ?
>
    I was meaning so that I didn't have to change my connect string at
all. Maybe having all the options available as driver defaults which are
only overwritten if they are also in the datasource string. I must admit I
don't really know about the drivers internals so have no idea how tricky
that would be.

> > 5) I disagree. If I'm having problems connecting I want to see all
> > the options in the connection string. Don't log when you're not
> debugging,
> > it slows everything down.
>
> You can find the authentication response into the backend logs (like the
> (in)famous "password authentication failed for user admin")
>
    yes, but it doesn't give the ODBC side of the story.

> Instead somebody could activate the logger without my authorization
> (consider a pc that shares the hard drive, just put the right reg file
> into
> the startup folder and wait for the next reboot - considering win9x
> stability you don't have to wait too much :-)) - so that the log can be
> produced... you can grab the password from a network environment even
> without ever seeing that pc).
> I think it's a security risk.
>
        True. Howeversomeone could just make a little alteration to
the source, recompile the ODBC driver then drop it into \windows\system.
Having sensitive areas of the disk shared is inherently unsafe. Or someone
could write a wrapper DLL that just passed everything along while grabbing
the PWD. Or drop a Trojan into your startup to expose your PC. I suppose
these would be trickier, but not ridiculously so. Maybe have two driver
builds. A production model that disables logging (plus anything else deemed
a risk) and a developer version that allows it to be enabled. I really must
get MSVC so I can fiddle with the driver like this.
    - Stuart


pgsql-odbc by date:

Previous
From: "David Ciarniello"
Date:
Subject: R: ODBC 7.0006 bugs
Next
From: "David Ciarniello"
Date:
Subject: R: ODBC 7.0006 bugs