jay_holavarri
Level III

Hiding a Variable from the Log with Underscores ... Almost Works

At the recent JMP Summit I was asking developers about how I could hide a variable that contained credentials to a database. My current solution is 80% of the way there. I set the credentials in a variable in an encrypted script, then I Include() that script and use the variable in a script that connects to the database. Anyone who opens the main script can see the credentials by going to the log file and looking up the variable. The JSL developers were in demand at the Summit and other people I talked to weren't sure how to hide a variable.

 

Then I saw this: Encryption and Global Variables (jmp.com)

If you just put two underscores before a variable it will hide it ... almost. If you try Show ( __myVar), Print ( __myVar), or Write ( __myVar), the result will be blank. Great! But then I found if you just type __myVar directly into the log, the log defines it for you. That's actually one of the easiest ways to show the variable...

 

Seems like an unintended loophole. The double underscore stops all those script methods and if you hover over the variable name in the script it won't show the contents. But there's this real obvious way to show the contents just by entering the variable directly.

 

I have good reasons for not wanting to encrypt the main script, only the connection string. Not sure if this is a Wishlist item or if I am missing something.

jthi
Super User

Re: Hiding a Variable from the Log with Underscores ... Almost Works

I think you have to either:

  • create encrypted function to perform the query which contains the connection string inside the function (never return those)
  • create encrypted function which opens the database connection (cannot use New SQL Query() if you use this which is the preferred method in JMP to perform data queries)
  • Use something like Windows credential manager

JMP scripts embed DSN parameters; why?? 

How to handle user password information in JSL ( ODBC connection strings ) 

JMP and Oracle: Tips and Tricks for a Happy Marriage (2022-US-30MP-1093) 

-Jarmo
pmroz
Super User

Re: Hiding a Variable from the Log with Underscores ... Almost Works

If you look at my "JMP and Oracle ..." talk mentioned above this is what I do:

  • Create an encrypted function that returns the database connection.

Here's the tail end of the function:

	my_dbc = create database connection(dsn_string);
	// Return the connection to Oracle
	my_dbc;
jay_holavarri
Level III

Re: Hiding a Variable from the Log with Underscores ... Almost Works

Thank you! I think this gets me 99% of the way there. It solves the variable problem nicely. The 1% is that I can see the credentials when the Include() command is run. Anyone looking at the script can see something like Include(db_credentials), run that line, and look in the log file.

 

For me it looks like this:

Include("DSN encrypted function.jsl");


//Log file shows:
//:*/
Include("DSN encrypted function.jsl");
/*:
Function( {},
	{Default Local},
	dsn_string = "DSN=myDSN;UID=" || "uname" || ";PWD=" || "pwd" || ";";
	my_dbc = Create Database Connection( dsn_string );
	my_dbc;
)

It also doesn't address the part of my question about the two underscore technique. Why have it if it only partially obscures variables? Is it for security or some other purpose?

jay_holavarri
Level III

Re: Hiding a Variable from the Log with Underscores ... Almost Works

Actually, it gets me 100% of the way there. It occurred to me that the Include would only show the last thing it did in the log. I added a Print("This is the last thing") and now I can't see the function definition.

 

Thanks!

mmarchandTSI
Level V

Re: Hiding a Variable from the Log with Underscores ... Almost Works

Apparently, you can also see all the "hidden" variables in the debugger.


mmarchandTSI
Level V

Re: Hiding a Variable from the Log with Underscores ... Almost Works

I've been redefining sensitive variables as Empty() after I use them so, even if someone gets the variable names, they won't contain any information.
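
The suggestions in this thread combined into one included file, as an added example that is not code from any of the posters: the query runs inside the encrypted function so nothing sensitive is returned, the connection string is set to Empty() after use, and a final Print() is the last thing Include() evaluates. The file name, the function name run_db_query, and the DSN, user and password values are placeholders.

```jsl
// db_access.jsl -- save as an encrypted script, then Include() it
// from the unencrypted main script.
// Constructed example: DSN, UID and PWD values are placeholders.

run_db_query = Function( {sql_text, table_name},
	{Default Local},
	// The credentials exist only as a local inside the encrypted function body.
	dsn_string = "DSN=myDSN;UID=" || "uname" || ";PWD=" || "pwd" || ";";
	dbc = Create Database Connection( dsn_string );
	// Clear the string as soon as the connection is open.
	dsn_string = Empty();
	// Run the query here so neither the string nor the connection is returned.
	dt = Execute SQL( dbc, sql_text, table_name );
	Close Database Connection( dbc );
	// Return only the resulting data table.
	dt;
);

// Last expression evaluated by Include(): per the thread, the log then
// shows this line instead of the function definition.
Print( "db_access loaded" );

// In the main script (shown as comments, since it lives in a separate file):
//   Include( "db_access.jsl" );
//   dt = run_db_query( "SELECT * FROM my_table", "Results" );
```

This thread does not establish whether the function body can still be inspected by other means, such as the debugger mentioned above, so test that in your JMP version before relying on it.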