>>Hi!
>>
>>Since many years we are connecting to the SQL Server. Authentication is performed using Windows Authentication.
>>But now we need to specify the user and password for a special project in the connection string. So far no problem.
>>But we create a connection in the DBC, and logically the connection string is stored in this connection. And therefore also the user and the password in plain text.
>>Means with dbGetProp() this can be read out easily. Or from the outside with a Hex-Editor on the DBC. So this is a security hole!
>>Does anyone have an idea how to get around this?
>
>Is there any chance to hand pwd and user as a variable to the connection?
I doubt it. The one thing I remember about connection stored in a dbc is that it's unwieldy, unmovable and you can't change it programmatically, you must use the editor.
So... why not a connection string? It can be stored in an encrypted textfile and decrypted from inside the app. I've seen this done and it was in an environment very careful about security.