As the first step in the decommissioning of sasCommunity.org the site has been converted to read-only mode.


Here are some tips for How to share your SAS knowledge with your professional network.


Talk:Secret Sequel: Keeping Your Password Away from the LOG

From sasCommunity
Jump to: navigation, search

Problem with SYMGET in the CONNECT Statement

The %SECRETSQL code in this paper was tested under Windows and ODBC. Other users have reported problems with the SYMGET not being executed in the connect statement when connecting to other data bases, such as TERADATA. We believe that this is a timing issue and suspect that wrapping each SYMGET in a %SYSFUNC will fix the problem:

   connect to odbc(dsn=%sysfunc(symget('dd')) uid=%sysfunc(symget('uu')) pwd=%sysfunc(symget('pp')));

An alternative to the use of the %SYSFUNC(SYMGET function combination is through the use of the %SUPERQ function. The code becomes:

   connect to odbc(dsn=%superq(dd) uid=%superq(uu) pwd=%superq(pp));

If you have access to data bases such as ORACLE or TERADATA and can tryout this solution, please add a comment here.--Art Carpenter 20:51, 11 April 2009 (UTC)

delegate insecurity

surely this model depends on a plain text pw in the calling environment. Is that likely to be any more secure?

We placed the passwords in an encrypted and password protected data set. This data set is then accessed to obtain the data base passwords via macro variables. The password data set's password can be supplied by an interactive prompt. Also the %SECRETSQL macro itself need not be surfaced (it could even be a stored compiled and encrypted macro). --Art Carpenter (talk) 22:33, 8 May 2014 (CDT)

That makes sense but my concern starts at %sysget(pp) as I assumed that requires pp in a plain text environment variable. --peterC (talk) 05:23, 9 May 2014 (CDT)

just fallen in! SYMGET not SYSGET . . . it IS a good plan --peterC (talk) 05:31, 9 May 2014 (CDT)
The advantage of the SYMGET and %SUPERQ functions is that neither will surface the value of the macro variable in the LOG - even if SYMBOLGEN is turned on.--Art Carpenter (talk) 09:13, 9 May 2014 (CDT)