================================================
SearchDatabase.com's Database Developer
June 6, 2001
================================================

Welcome to the searchDatabase.com Database Developer newsletter!

Today's tip, "Call tracing with ODBC 3.0" can also be viewed online at:
http://www.searchDatabase.com/tip/1,289483,sid13_gci558147,00.html

------------------------------------------------
LEARNING ZONE FEATURED BOOK OF THE WEEK
------------------------------------------------
"JSP, Servlets, and MySQL"
By David Harms

This book explains how to install and use servlets and JavaServer Pages (using the Tomcat reference implementation), how to create, maintain, and use MySQL (and other SQL) databases, and how to deliver dynamic data. It details a complete database-driven web strategy including authentication, user tracking, surveys and discussion areas, and automated user assistance.
http://www.digitalguru.com/dgstore/product.asp?isbn=0764547879&ac_id=58

************************************************
"Call tracing with ODBC 3.0"
By Benjamin Vigil

As any developer will tell you, writing code is the easy part--finding the mistakes in the code is what keeps programmers awake at night. Reading code over and over again, looking for one missing semi-colon, can cause programmers to question their choice of profession. So any tool that helps with troubleshooting should be utilized to its fullest potential. One such tool is the call tracing feature of Microsoft's recent ODBC 3.0 software release.

Call tracing was introduced in ODBC 2.0 at the behest of developers and support organizations as a means of logging troubleshooting information. ODBC stands for Open Database Connectivity, and is an open standard API for accessing databases. ODBC can access information in a variety of different databases by converting the request to a form of SQL that the respective databases can understand.
Call tracing is disabled by default, but can be enabled in the Control Panel of ODBC Driver Manager. Call tracing's designers intended it to be a controlled way to test an application's ODBC calls on a client. Once call tracing is enabled and the application is run, a text log is created. The trace entries include parameters such as the connect string and, in the case of some drivers, userIDs and passwords for server authentication. This is where concerns arise about the security of call tracing.

You may have read in the computer press that a security hole existed in ODBC 3.0--well, this is it. If a malicious user were to have access to a machine and be able to enable call tracing on said machine, then wait for a legitimate user to log on, they could theoretically gain access to the userIDs and passwords for that legitimate user in the tracing log. This also assumes that the legitimate user does not notice the enormous drop in the application's performance as it is attempting to write what can be a very large trace log.

Of course if the userID and the password were encrypted by the application before making the ODBC call then there wouldn't be any security risk and the overall security of the application would be increased. Microsoft also encourages programmers to prevent tracing in their applications:

"Applications should prevent tracing of any sensitive commands by setting the connection attribute SQL_ATTR_TRACE to SQL_OPT_TRACE_OFF, and then re-enable tracing by setting SQL_ATTR_TRACE to SQL_OPT_TRACE_ON afterwards. Tracing can be completely disabled by leaving SQL_ATTR_TRACE off."

Read more about Microsoft's feelings about the security of ODBC and numerous other ways to prevent call tracing from being exploited in this white paper:
http://www.microsoft.com/data/odbc/wpapers/odbcsecurity.htm.

ABOUT THE AUTHOR: Benjamin Vigil is a technical editor for Techtarget.com.
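
The exposure described in the tip can be checked for directly in a trace log. The following is an added example, not part of the original tip and not Microsoft's code: it scans trace text for connection strings whose credential values were logged in clear and produces a redacted copy. The sample log is constructed and its layout is an assumption; the keyword spellings beyond UID and PWD are assumed driver-specific variants.

```python
import re

# Keywords that carry credentials. UID and PWD are the standard ODBC
# keywords; the longer spellings are assumed driver-specific variants.
SENSITIVE_KEYS = {"uid", "pwd", "user id", "password"}

# One key=value pair. A value is either {braced} (may contain ';', with '}}'
# standing for a literal '}') or runs up to the next ';'.
PAIR_RE = re.compile(r'([A-Za-z][A-Za-z ]*?)\s*=\s*(\{(?:[^}]|\}\})*\}|[^;"]*)')
QUOTED_RE = re.compile(r'"([^"]*)"')  # string arguments as logged in the trace

# Constructed sample; the layout is an assumption, not real trace output.
SAMPLE_TRACE = """\
payroll  1f4-2a0  ENTER SQLDriverConnect
    UCHAR *  0x0012F6A4 [ -3] "DSN=payroll;UID=jsmith;PWD={s3;cr}}et};"
payroll  1f4-2a0  ENTER SQLDriverConnect
    UCHAR *  0x0012F6A4 [ -3] "DSN=payroll;UID=******;PWD=******;"
payroll  1f4-2a0  ENTER SQLExecDirect
    UCHAR *  0x0012F7C0 [ -3] "SELECT name FROM staff"
"""

def is_masked(value):
    """True if the value is empty or already replaced by asterisks."""
    inner = value.strip("{}")
    return inner == "" or set(inner) == {"*"}

def exposed(match):
    """True if this key=value pair is a credential logged in clear."""
    return match.group(1).lower() in SENSITIVE_KEYS and not is_masked(match.group(2))

def scan_trace(text):
    """Return (line number, keyword) for each credential logged in clear."""
    return [(n, m.group(1).upper())
            for n, line in enumerate(text.splitlines(), 1)
            for quoted in QUOTED_RE.findall(line)
            for m in PAIR_RE.finditer(quoted) if exposed(m)]

def redact(text):
    """Return the trace with clear-text credential values replaced by ***."""
    def fix(m):
        return f"{m.group(1)}=***" if exposed(m) else m.group(0)
    return QUOTED_RE.sub(lambda q: '"' + PAIR_RE.sub(fix, q.group(1)) + '"', text)

if __name__ == "__main__":
    for lineno, key in scan_trace(SAMPLE_TRACE):
        print(f"line {lineno}: {key} value logged in clear")
    print(redact(SAMPLE_TRACE))
```
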
