Solved: Re: Hiding a Variable from the Log with Underscores ... Almost Works

Report Inappropriate Content · Oct 31, 2023 02:01 PM

At the recent JMP Summit I was asking developers about how I could hide a variable that contained credentials to a database. My current solution is 80% of the way there. I set the credentials in a variable in an encrypted script, then I Include() that script and use the variable in a script that connects to the database. Anyone who opens the main script can see the credentials by going to the log file and looking up the variable. The JSL developers were in demand at the Summit and other people I talked to weren't sure how to hide a variable.

Then I saw this: Encryption and Global Variables (jmp.com)

If you just put two underscores before a variable it will hide them ... almost. If you try Show ( __myVar), Print ( __myVar), or Write ( __myVar), the result will be blank. Great! But then I found if you just type __myVar directly into the log, the log defines it for you. That's actually one of the easiest ways to show the variable...

Seems like an un-intended loophole. The double underscore stops all those script methods and if you hover over the variable name in the script it won't show the contents. But there's this real obvious way to show the contents just by entering the variable directly.

I have good reasons for not wanting to encrypt the main script, only the connection string. Not sure if this is a Wishlist item or if I am missing something.

pmroz · Oct 31, 2023 03:12 PM

If you look at my "JMP and Oracle ..." talk mentioned above this is what I do:

Create an encrypted function that returns the database connection.

Here's the tail end of the function:

	my_dbc = create database connection(dsn_string);
// Return the connection to Oracle
	my_dbc;

View solution in original post

jay_holavarri · Oct 31, 2023 07:11 PM

Actually, it gets me 100% of the way there. It occured to me that the Include would only show the last thing it did in the log. I added a Print("This is the last thing") and now I can't see the function definition.

Thanks!

View solution in original post

jthi · Oct 31, 2023 02:40 PM

I think you have to either:

create encrypted function to perform the query which contains the connection string inside the function (never return those)
create encrypted function which opens the database connection (cannot use New SQL Query() if you use this which is the preferred method in JMP to perform data queries)
Use something like Windows credential manager

JMP scripts embed DSN parameters; why??

How to handle user password information in JSL ( ODBC connection strings )

-Jarmo

pmroz · Oct 31, 2023 03:12 PM

If you look at my "JMP and Oracle ..." talk mentioned above this is what I do:

Create an encrypted function that returns the database connection.

Here's the tail end of the function:

	my_dbc = create database connection(dsn_string);
// Return the connection to Oracle
	my_dbc;

jay_holavarri · Oct 31, 2023 07:09 PM

Thank you! I think this gets me 99% of the way there. It solves the variable problem nicely. The 1% is that I can see the credentials when the Include() command is run. Anyone looking at the script can see something like Include(db_credentials), run that line, and look in the log file.

For me it looks like this:

Include("DSN encrypted function.jsl");


//Log file shows:
//:*/
Include("DSN encrypted function.jsl");
/*:
Function( {},
	{Default Local},
	dsn_string = "DSN=myDSN;UID=" || "uname" || ";PWD=" || "pwd" || ";";
	my_dbc = Create Database Connection( dsn_string );
	my_dbc;
)

It also doesn't address the part of my question about the two underscore technique. Why have it if it only partially obscures variables? Is it for security or some other purpose?

jay_holavarri · Oct 31, 2023 07:11 PM

Actually, it gets me 100% of the way there. It occured to me that the Include would only show the last thing it did in the log. I added a Print("This is the last thing") and now I can't see the function definition.

Thanks!

mmarchandTSI · Oct 31, 2023 05:34 PM

Apparently, you can also see all the "hidden" variables in the debugger.

mmarchandTSI · Nov 1, 2023 09:09 AM

I've been redefining sensitive variables as Empty() after I use them so, even if someone gets the variable names, they won't contain any information.

hogi · Sep 20, 2024 10:27 AM

Names default to here(1);
__Hello=1;
Show(__Hello);
Show(Char(__Hello));



new namespace("__Test");
__Test:Hello=1;
Show(__Test);
Show namespaces();