Thank you for your suggestion.
1. Does the pgExpress work with VB?
2. Should the commonly used win 32 ODBC consider some way to stop the leak
I'm talking about? My suggestion : mylog can be enabled only when the user
(the one who wants to enable the log) has the rights at the server side. So
each connection will has different rights and mylogs.
-Jason
----- Original Message -----
From: "Chris Gamache" <cgg007@yahoo.com>
To: "pg" <pg@newhonest.com>; <pgsql-odbc@postgresql.org>
Sent: Wednesday, March 19, 2003 11:31 PM
Subject: Re: [ODBC] password leak in mylog thru win odbc
> Several suggestions:
>
> Use a different authentication method like Ident... That won't work if
you've
> already implimented a widespread password authentication system, though.
>
> Modify the code to the ODBC driver to obscure the password from logs. That
> might make it hard to troubleshoot authentication issues, though. It also
won't
> help if you're distributing this application. All the user would have to
do is
> to install a different pgodbc driver without the obscured logfiles, and
you're
> back to square one.
>
> Upgrade to Windows 2000/XP and put the logfile in a directory with
write-only
> access for the system account that ODBC runs under (system I think...
don't
> take my word for it, though) and only allow reading by administrator or
your
> super user account... That won't help if you're distributing an
application.
>
> Ditch ODBC altogether and use pgExpress from www.vitavoom.com. It uses
libpq
> for native access to PostgreSQL. There are no hooks for the user to get
into
> there, AFAIK...
>
> HTH,
>
> CG
>
>
> --- pg <pg@newhonest.com> wrote:
> > I'm using Win ME. I'm trying to write a program in VB and connects to PG
> > with super-user account (or with a "connection user" with many rights).
The
> > detail user rights are embeded in the VB program for detail control, so
that
> > no one should know the connection user. Users only knows their own
password
> > for that VB program, so their password is only useful with that VB
program.
> >
> > But if a user enable the mylog in odbc, the password (pwd) shows up
there in
> > mylogxxxxx.
> >
> > What can I do to hide the password?
> >
> > -Jason
> >
> >
> > ---------------------------(end of broadcast)---------------------------
> > TIP 4: Don't 'kill -9' the postmaster
>
>
> __________________________________________________
> Do you Yahoo!?
> Yahoo! Platinum - Watch CBS' NCAA March Madness, live on your desktop!
> http://platinum.yahoo.com
>