Submitted URL: https://docs.progress.com/bundle/datadirect-odbc-reference/page/Security-best-practices-for-ODBC-applications.html
Effective URL: https://docs.progress.com/de-DE/bundle/datadirect-odbc-reference/page/Security-best-practices-for-ODBC-applications.html
Submission: On June 08 via api from IE — Scanned from DE
Progress Documentation: Progress DataDirect for ODBC Drivers Reference, May 2023


SECURITY BEST PRACTICES FOR ODBC APPLICATIONS

Updated May 26, 2023

When developing and deploying an ODBC application, there are a number of
security considerations to keep in mind. To help protect your data and
environments, we recommend employing the following security best practices when
using the driver with your application.


SECURING THE CONNECTION STRING

If your application allows end users to configure the ODBC connection, make sure
that securing that configuration has been considered. The settings of connection
options can affect the security of a solution that uses an ODBC driver. Put
protections in place that restrict which connection options a user can set and
that validate the values supplied.


CONNECTION OPTION WHITELISTS

You should limit which connection options users can set by employing a whitelist
within the ODBC application. The list of supported connection options for a
driver should be reviewed to assemble the whitelist. For a list of supported
connection options, refer to the "Connection option descriptions" section in the
user's guide for your driver.


VALIDATING CONNECTION OPTION VALUES TO PREVENT INJECTION

Connection option values need to be validated to prevent the user from
specifying additional connection options. For instance, an application that
performs no validation may accept the following value for the HostName option:


192.168.1.123;encryptionMethod=0 


In this case, in addition to specifying the host, the user has also set the
EncryptionMethod connection option to 0, disabling encryption. Note that ODBC
connection string builders are available in some languages and often protect
against such attacks. The complete syntax of the connection string is described
under the SQLDriverConnect function in the ODBC API.


DEPLOYMENT SPECIFIC VALIDATION OF CONNECTION OPTION VALUES

After creating and implementing a whitelist of connection options that users can
set, consider additional validation of the values for those options. For
instance, the TrustStore connection option accepts a file path; you may
therefore need to add validation to ensure that the specified path matches what
is appropriate for your application and deployment.
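The following C program is an added example (not Progress DataDirect code) that ties the three preceding recommendations together: a whitelist of user-settable options, a delimiter check that rejects the injected HostName value shown above, and a deployment-specific check that confines TrustStore to one directory. The fixed DSN and EncryptionMethod prefix, the PortNumber option, and the trust-store directory are assumptions made for the demonstration; only HostName, EncryptionMethod and TrustStore are option names taken from this page.

```c
/* Added example: validate user-supplied ODBC connection options before they
 * are assembled into a string for SQLDriverConnect. Option names other than
 * HostName, EncryptionMethod and TrustStore, the pinned prefix and the
 * trust-store directory are assumptions for this demonstration. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

typedef struct { const char *key; const char *value; } option_t;

/* Options an end user may set (assumed whitelist, canonical spelling). */
static const char *const allowed_options[] = { "HostName", "PortNumber", "TrustStore" };
/* Options the application pins itself; never user-controlled (assumed values). */
static const char *const pinned_prefix = "DSN=AppDsn;EncryptionMethod=1";
/* Directory a user-supplied TrustStore path must point into (assumed). */
static const char *const truststore_dir = "/etc/app/truststores/";

static int eq_ignore_case(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == '\0' && *b == '\0';
}

/* Returns the whitelist spelling of key, or NULL if the option is not allowed. */
const char *canonical_option(const char *key)
{
    size_t i;
    for (i = 0; i < sizeof allowed_options / sizeof allowed_options[0]; i++)
        if (eq_ignore_case(key, allowed_options[i])) return allowed_options[i];
    return NULL;
}

/* Generic check: non-empty, bounded, no control characters and none of the
 * characters that delimit keywords and values in a connection string. */
int value_is_safe(const char *v)
{
    size_t i, len = strlen(v);
    if (len == 0 || len > 255) return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)v[i];
        if (c < 0x20 || c == 0x7f) return 0;
        if (c == ';' || c == '=' || c == '{' || c == '}') return 0;
    }
    return 1;
}

int hostname_ok(const char *v)   /* letters, digits, '.' and '-' only */
{
    size_t i;
    if (!value_is_safe(v) || v[0] == '-' || v[0] == '.') return 0;
    for (i = 0; v[i]; i++)
        if (!isalnum((unsigned char)v[i]) && v[i] != '.' && v[i] != '-') return 0;
    return 1;
}

int port_ok(const char *v)       /* decimal 1..65535 */
{
    long n = 0; size_t i;
    if (!value_is_safe(v) || strlen(v) > 5) return 0;
    for (i = 0; v[i]; i++) {
        if (!isdigit((unsigned char)v[i])) return 0;
        n = n * 10 + (v[i] - '0');
    }
    return n >= 1 && n <= 65535;
}

int truststore_ok(const char *v) /* a bare file name inside truststore_dir */
{
    size_t plen = strlen(truststore_dir);
    const char *rest;
    if (!value_is_safe(v) || strncmp(v, truststore_dir, plen) != 0) return 0;
    rest = v + plen;
    return rest[0] != '\0' && strchr(rest, '/') == NULL && strstr(rest, "..") == NULL;
}

/* Returns 0 and fills out on success, -1 if any option or value is rejected
 * (out is then empty), -2 if the buffer is too small. */
int build_connection_string(const option_t *opts, size_t n, char *out, size_t cap)
{
    size_t used, i; int w;
    if (cap == 0) return -2;
    out[0] = '\0';
    w = snprintf(out, cap, "%s", pinned_prefix);
    if (w < 0 || (size_t)w >= cap) return -2;
    used = (size_t)w;
    for (i = 0; i < n; i++) {
        const char *key = canonical_option(opts[i].key);
        int ok = key != NULL;
        if (ok && strcmp(key, "HostName") == 0)   ok = hostname_ok(opts[i].value);
        else if (ok && strcmp(key, "PortNumber") == 0) ok = port_ok(opts[i].value);
        else if (ok && strcmp(key, "TrustStore") == 0) ok = truststore_ok(opts[i].value);
        else ok = 0;                      /* whitelisted but unvalidated: fail closed */
        if (!ok) { out[0] = '\0'; return -1; }
        /* Braces quote the value in SQLDriverConnect syntax; delimiters are
         * still rejected above because '}' inside a braced value is not escapable. */
        w = snprintf(out + used, cap - used, ";%s={%s}", key, opts[i].value);
        if (w < 0 || (size_t)w >= cap - used) { out[0] = '\0'; return -2; }
        used += (size_t)w;
    }
    return 0;
}

int main(void)
{
    char buf[512]; int rc;
    option_t injected[] = { { "HostName", "192.168.1.123;encryptionMethod=0" } };
    option_t clean[] = { { "hostname", "192.168.1.123" }, { "PortNumber", "5432" },
                         { "TrustStore", "/etc/app/truststores/corp.pem" } };
    rc = build_connection_string(injected, 1, buf, sizeof buf);
    printf("injected HostName value: rc=%d\n", rc);
    rc = build_connection_string(clean, 3, buf, sizeof buf);
    printf("validated values: rc=%d -> %s\n", rc, buf);
    return 0;
}
```

The per-option validators are where deployment-specific rules belong: the generic delimiter check stops injection of extra options, but only truststore_ok knows that a trust store outside the application's own directory is unacceptable, so a value such as a path with ".." segments is rejected before it ever reaches the driver.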

Copyright © 2023 Progress Software Corporation and/or its subsidiaries or
affiliates.
All Rights Reserved.
