Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Why does the ODBC driver expect the password in a connection string to be URL-encoded? #42

Open
omeuid opened this issue Sep 16, 2024 · 2 comments
Open

Why does the ODBC driver expect the password in a connection string to be URL-encoded? #42

omeuid opened this issue Sep 16, 2024 · 2 comments

Comments

@omeuid
Copy link
Contributor

omeuid commented Sep 16, 2024

ODBC driver expects the password in a connection string to be URL-encoded but I don't find any reason to do that.

This requirement could lead to connection issues when client applications (like Microsoft PowerBI) request the credentials from the user and create a connection string in the following way:

  • "DSN=myDSN;UID=myUser;PWD=myPass;"

If the password contains characters that need to be encoded and the application does not perform any of the following changes the connection will fail:

  • Encode password as the driver requires.
  • Send the password in the connection string between brackets.

Currently, to avoid this issue there are two alternatives:

  • Make the final user to encode their password.
  • Change the client application to encode the password properly.

The first option does not seem feasible many users are using the application. Also, the second option cannot be achieved by generic ODBC clients (for example, Microsoft PowerBI with the generic ODBC connector), as the client could not know this requirement.

I would suggest removing the encode and decode methods included in dlg_specific.c file.

Notes:

  • The option conn_settings was required to be URL-Encoded in the past, but this requirement was removed in this commit.
    • Why? and Why not with the password?
  • This problem does not happen if the credentials stored in the DSN are used.
  • Microsoft ODBC documentation of SQLDriverConnect function
    • If this requirement is removed, the client could use the ODBC specification to determine if the password must be sent between brackets.
  • Reviewed useful information in this message from the mailing list.

Please, feel free to ask anything which is not clear with my description.
@davecramer
Copy link
Contributor

Sorry for the late response.

How else would you put special characters in the password ?

@omeuid
Copy link
Contributor Author

omeuid commented Sep 27, 2024

You could use passwords with special characters like '+', '%' or '$' without requiring to URL-encode those values.

Why do you assume that using one of those characters in the password is a problem?

A generic ODBC client(for any ODBC driver) does not know this kind of requirements for this specific driver. It will use the ODBC api requirerments (See comments section).

So, when a client asks for user credentials, the following connection strings could be created.

  • If the password contains a special character like '+' --> DSN=mydsn;UID=myUser;PWD=my+pass
  • If the password contains a special character like ';' or '=' --> DSN=mydsn;UID=myUser;PWD={my;pass}
  • If the password contains a special character like ';' or '=' and also a bracker '}' --> DSN=mydsn;UID=myUser;PWD={my;}}pass}

The first scenario fails with the current implementation of the driver (the '+' symbol should be URL-escaped).

Please, feel free to ask me anything which is not clear enough.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@davecramer @omeuid