Server Related Questions - Is my ODBC password safe?

If you want to access a database that is located on a web site, you have to have a password, so it is important not to show the password to anyone. Encrypting the password would give you a false sense of security: since the web server software is open-source, someone on the web site development team could read an encrypted password with a small amount of effort. That's why EZSurvey doesn't encrypt the passwords on the screen. You should be worried about someone hacking into your computer to get passwords, not somebody looking over your shoulder while you are working.

There are a few options for increasing the security of your ODBC password:

1. Don't show other people the EZF file if it contains a password. You could put it in a password-protected area on your computer's hard drive.

2. Don't store the password in the EZF file. Set up the ODBC data source so that it automatically logs in with a user name and password. Then, the name and password are stored in the Windows system, and will be harder to find.

And, for when the direct connection software is finished:

3. You always want to be careful when connecting a web server to your company's database. In the case of a direct ODBC connection, you should create a new user account for the database with very limited permissions, so that if someone does find the password (which we will probably store in the registry on the server) or hacks into the server, they won't be able to execute a "DROP TABLE" command. The web server should only need to execute SELECT, INSERT, and UPDATE commands that affect a single row at a time.

Make sure you set up security on the web site correctly. Make sure that nobody can read the CGI.INI file in the scripts directory, and remove EZSurvey's remote site administration program (DBADMIN.EXE) if necessary.
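
The limited-permission account described in item 3 could be set up as follows. This is an added example, not part of EZSurvey or its documentation; it assumes Microsoft SQL Server syntax, and the database, table, and account names (SurveyDb, dbo.SurveyResponses, ezsurvey_web) are hypothetical.

```sql
-- Added example: least-privilege account for the web server's ODBC connection.
-- Assumes Microsoft SQL Server. SurveyDb, dbo.SurveyResponses and ezsurvey_web
-- are hypothetical names; the password is a placeholder to be replaced.

-- 1. A dedicated login and database user, used by the web server and nothing else.
CREATE LOGIN ezsurvey_web WITH PASSWORD = '<REPLACE-WITH-GENERATED-PASSWORD>';

USE SurveyDb;
CREATE USER ezsurvey_web FOR LOGIN ezsurvey_web;

-- 2. Grant only the three statements the web server needs, and only on the
--    table the survey writes to. The account is added to no role
--    (db_owner, db_datawriter, db_ddladmin, ...).
GRANT SELECT, INSERT, UPDATE ON dbo.SurveyResponses TO ezsurvey_web;

-- 3. An explicit DENY overrides a GRANT the account might later inherit
--    through a role, so a future permissions change cannot quietly widen it.
DENY DELETE, ALTER ON dbo.SurveyResponses TO ezsurvey_web;

-- 4. Check the result: list the table-level permissions the account
--    effectively holds. Only SELECT, INSERT and UPDATE should come back.
EXECUTE AS USER = 'ezsurvey_web';

SELECT permission_name
FROM sys.fn_my_permissions('dbo.SurveyResponses', 'OBJECT')
WHERE subentity_name = ''      -- object-level rows only, not per-column rows
ORDER BY permission_name;

REVERT;
```

Permissions cannot limit a statement to a single row, so that part of item 3 depends on the web application always supplying the row's key in its WHERE clause.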