Skip to main content

Qlik

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements
SYSTEM MAINTENANCE: Thurs., Sept. 19, 1 AM ET, Platform will be unavailable for approx. 60 minutes.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
pljsoftware
Creator III
Creator III
‎2011-12-06 11:26 AM

QVD files store connection string in plain text!

Hi all!

I have noticed a very strange thing using QVD files... Inside the file, I can read in plain text my QlikView script, including the connection string with password!

How it can be possible?

31,840 Views
66 Replies
pljsoftware
Creator III
Creator III
‎2011-12-09 06:48 AM
Author

Hi there,

I use QV 10 SR3, and when I open QVD file I found all my script and the password in plain text.

A few days ago I installed the version  QV 11 RC and after I removed it and reinstalled QV 10 SR3, can this make me this problem?

Regards

Luca Jonathan Panetta

PLJ Software

758 Views
0 Likes
Not applicable
‎2011-12-09 10:11 AM

In response to pljsoftware

I just tried it and I am speechless. I cannot believe such a disaster, this is very serious, I hope QT comes with a patch right away.

Nice discovery Luca.

Regards

758 Views
0 Likes
isaiah82
Creator III
Creator III
‎2011-12-09 10:33 AM

In every headache there is a blessing ~ I just used this to get back some "lost" credentials from a scrambled connection string that were never documented.  For clarification, if there cred's are scrambled in your script, they are stored unscrambled in the qvd header.

One more reason not to keep fighting integrated authentication I suppose 😃

758 Views
0 Likes
rbecher
MVP
MVP
‎2011-12-09 10:46 AM

In response to isaiah82

Thanks, good to know!

I found also an unscrambled password (was scrambled in the script) at the end of the QVW created with QV10 SR3 in the xml metadata part:

<LineageInfo>

  <Discriminator>...

This is an unbelievable risky major bug!

- Ralf

Astrato.io Head of R&D
758 Views
0 Likes
Anonymous
Not applicable
‎2011-12-09 12:19 PM

Wow!   We have the same issue in QV10SR3.  This doesn't thrill our SA's at all.  Good thing our QVD's are locked down.

We had a good chuckle from Isiah Weed's post.   Always a positive somewhere!!!!

758 Views
0 Likes
rbecher
MVP
MVP
‎2011-12-11 11:16 AM

In response to Anonymous

This seems to be fixed in QV10 SR4. I cannot reproduce it.

- Ralf

Astrato.io Head of R&D
758 Views
0 Likes
pljsoftware
Creator III
Creator III
‎2011-12-12 05:18 AM
Author

In response to rbecher

Sorry Ralf,

I have try my test file with QV 10 SR4 9274 but the problem subsist.

I tried it with QV 9 SR7 7778 and it's all ok.

My script is:

OLEDB CONNECT TO .... //Connection String

CustomerSellers:

LOAD *;

SQL SELECT top 1          c.CardCode FROM OCRD c;

 

DISCONNECT;

 

X:

load * Inline

[x,y

1,2];

 

STORE * from X into X.qvd;

EXIT Script;

Regards

Luca Jonathan Panetta

PLJ Software

758 Views
0 Likes
rbecher
MVP
MVP
‎2011-12-12 06:06 AM

In response to pljsoftware

I created a new QVW which stores some QVD files with QV10 SR4. It still stores the connect string but without the password.

So, I think this is not a problem anymore but of course maybe with old files ..

- Ralf

Astrato.io Head of R&D
758 Views
0 Likes
pljsoftware
Creator III
Creator III
‎2011-12-12 06:38 AM
Author

In response to rbecher

Ok Ralf,

I tried too and the Password there isn't but why I have my script and my connection string in a QVD if I want only to save the data of my table?

In QV 9 SR7 7778 I have only my data.

I wrote to the support too.

Regards

Luca Jonathan Panetta

PLJ Software

758 Views
0 Likes
Clever_Anjos
Employee
Employee
‎2011-12-12 08:17 AM

It´s a knowed bug in 10SR2 and 10SR3

Fixed on 10SR4

758 Views
0 Likes