Jörg,

You can override the connection string stored in the database by specifying a different CONNSTRING when USEing a remote view.

USE YourRemoteView CONNSTRING "a connection string that you can decrypt on the fly"

The connection string can also be a numeric handle referencing an ODBC connection as returned by an SQL*CONNECT() function.


>Hi Dragan,
>
>Connections can be easily created by Create Connection and can be modified by dbsetprop(). That's not the Problem ;)
>
>We use partly Remote Views, and the remote views are using the Connection, which ist stored in the DBC...
>
>>>>Hi!
>>>>
>>>>Since many years we are connecting to the SQL Server. Authentication is performed using Windows Authentication.
>>>>But now we need to specify the user and password for a special project in the connection string. So far no problem.
>>>>But we create a connection in the DBC, and logically the connection string is stored in this connection. And therefore also the user and the password in plain text.
>>>>Means with dbGetProp() this can be read out easily. Or from the outside with a Hex-Editor on the DBC. So this is a security hole!
>>>>Does anyone have an idea how to get around this?
>>>
>>>Is there any chance to hand pwd and user as a variable to the connection?
>>
>>I doubt it. The one thing I remember about connection stored in a dbc is that it's unwieldy, unmovable and you can't change it programmatically, you must use the editor.
>>
>>So... why not a connection string? It can be stored in an encrypted textfile and decrypted from inside the app. I've seen this done and it was in an environment very careful about security.