[Date Prev][Date Next][Thread Prev][Thread Next]
[Author Index] [Date Index] [Thread Index]
[SQR-USERS Info] [SQRUG Home Page]

Re: Any other way to supply userid/password?

Subject: Re: Any other way to supply userid/password?
From: Tony DeLia <tdelia@EROLS.COM>
Date: Tue, 11 May 1999 21:19:08 -0400
Organization: Tony DeLia
References: <3.0.3.32.19990511112544.00f0cb60@mail.nctimes.net> <3.0.3.32.19990511173516.00ec8d30@mail.nctimes.net>

Dave,

   I use WinBatch... It's great for SQR security... Here's an example:

A client had remote locations that needed several SQR update/reporting
programs... I set up a WinBatch 'panel' that allowed them to select one
or more SQR to processes via checkboxes... they could either enter the
userid/password (and database)... if none were entered they can be
concealed (encrypted) within the WinBatch compiled program (*.exe)...
The SQR programs were also compiled as SQT's so the users couldn't
tamper with the source code... Multiple SQR processes were submitted one
after the other... You can do some pretty neat things with WinBatch... I
like the registry functions... and binary I/O functions... etc...

                                Tony DeLia

David Donnelly wrote:
>
>         Thanks for the ideas on this subject.  I don't have an elegant 
>solution so far.  Here are the suggestions:
>
> >1) Define an environment variable and then reference it with
> >   %my_var% in your .BAT file.  This is limiting since it
> >   requires that the variable be defined in the environment
> >   and therefore is visible to any user.  If you're less
> >   worried about users seeing it than you are about people
> >   who can simply browse the file system where the bat files
> >   are created, this may be a viable solution for you.
>
>         I have done this in the past, and it works, but it's insecure.  I 
>think it's less secure than passing the connect info in even a hidden file, as 
>it stays around when the job is not running.

>
> >
> >2) A much more complicated solution is to write your own little
> >   C program which invokes SQR and passes the username and password
> >   to it.  The C program could then read an encrypted username and
> >   password from a visible file, decrypt it, and then invoke SQR.
>
>         This is what I'm doing now, and am trying to simplify.  We link a 
>front end onto SQR itself, but this requires that we send our clients updates 
>rather than let them deal with Sqribe themselves.  I did write a calling 
>program (in SQR, not C!!) and it works OK in NT, but seemed to have some 
>problems in Windows 95.  But a C program is probably how I'll have to go.
>
> >If you use the process scheduler you can pass 'em in on the command line via
> metastrings.
>
>         Thanks, this isn't a PeopleSoft situation.  I suppose this is kinda 
>like the environment variable technique, above.  Hey, anybody ever use 
>WinBatch?  Would that help?
>
> >>I don't know how easy this would be for you, but since SQR allows you to
> "connect" to a new Userid/password combination, you could create a user which 
>is
> very restricted, and the only access is to a table which contains the 
>encrypted
> id/password.  SQR would retrieve this, decrypt it (either a simple crypt which
> you could write in SQR, or a complex one with a custom function) and issue the
> connect command.  This would be slightly more secure than #1 and more or less
> than #2 depending on how much work you would like to do...
>
>         This was so exciting I tried it right away.  Alas, SQR won't compile 
>my programs because it can't find any of the tables during the parse.  I can't 
>use compiled SQR for other reasons.  Dynamic SQL would work but I'm not up for 
>rewriting it all.
>
>         I also tried just using a slash and -xl but if you do this you can't 
>put any sql in the program.
>
> >>You can also place all of your report input parms in a file (including the
> password/id field) and specify @filename.dat on the command line.   The batch 
>or
> SQR programs could then delete the file when it's done.  You can also combine
> some of these as you see fit!
>
>         This would be perfect but it didn't work for me ... if I have "sqrw 
>programname @x.dat" SQR pops up a dialog box to ask for the userid/password 
>...  Anyone have a different invocation that lets you get the connectivity 
>info from a file?
>
>         Thanks, and keep 'em coming, I'll try 'em.  Did anyone ever ask 
>Sqribe why this isn't supported?
>
> Dave Donnelly           <dave@isisbio.com>  or  <isisdave@usa.net>
> ISIS BioComp            phone (909) 677-2446      fax (909) 677-3991

--
Tony DeLia
AnswerThink Consulting Group
PeopleSoft Solutions Practice - Delphi Partners
tdelia@erols.com
http://www.sqrtools.com

Follow-Ups:
- Re: Any other way to supply userid/password?
  - From: David Donnelly <Dave@ISISBIO.COM>

References:
- Any other way to supply userid/password?
  - From: David Donnelly <Dave@ISISBIO.COM>
- Re: Any other way to supply userid/password?
  - From: David Donnelly <Dave@ISISBIO.COM>

Prev by Date: Re: Any other way to supply userid/password?
Next by Date: Gantt Chart ..
Previous by thread: Re: Any other way to supply userid/password?
Next by thread: Re: Any other way to supply userid/password?
Indexes: [ Thread] [ Author] [ Date]
SQR-USERS List and Archive Info
SQRUG Home Page