Posted by: Jason Veniot
G'day
Say some malicious program, running unbeknownst to me on my computer, scans
for password fields in new forms/dialogs. Then say I run my
SQLWindows-compiled app that first pops up a login dialog to connect to our
database.
Here's a snippet of the code necessary for an external application to gain
unauthorized access to a password datafield:
PostMessage( hWnd_Victim, EM_SETPASSWORDCHAR, 0, 0 )
PostMessage( hWnd_Victim, EM_SETSEL, 0, -1 )
PostMessage( hWnd_Victim, WM_COPY, 0, 0 )
PostMessage( hWnd_Victim, EM_SETPASSWORDCHAR, '*', 0 )
PostMessage( hWnd_Victim, EM_SETSEL, 0, 0 )
GrabPassword() ! Function to grab data from clipboard and store it
I think it would be nice if the "hidden" property provided default behaviour
that would prevent this from happening.
At the very least, this security risk, and a solution to it, should be
detailed in the SQLWindows on-line documentation. The following code will
fix the problem for a password field (thanks to Jeff Luther):
Data Field: dfsPassword
    Message Actions
        On EM_SETPASSWORDCHAR
            Return FALSE
        On WM_COPY
            Return FALSE
        On EM_SETSEL
            Return FALSE
:
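The effect of the three message handlers above can be checked against a small model. This is an added example, not part of the original post and not SQLWindows or Win32 code: `Field`, `make_field`, `field_message` and `replay_post_sequence` are hypothetical names, the password value is constructed, and the model assumes a field that still has its mask set refuses to copy.

```c
#include <stdio.h>
#include <string.h>

enum { EM_SETSEL = 0x00B1, EM_SETPASSWORDCHAR = 0x00CC, WM_COPY = 0x0301 }; /* values from winuser.h */
/* Constructed model of a masked data field; not real Win32 or SQLWindows state. */
typedef struct {
    char text[64], clipboard[64];  /* typed value; stand-in for the clipboard */
    int  mask, sel_start, sel_end; /* mask 0 = clear text; sel_end -1 = end of text */
    int  filtered;                 /* 1 = the post's three Return FALSE handlers exist */
} Field;

Field make_field(const char *typed, int filtered)
{
    Field f = { .mask = '*', .filtered = filtered };
    strncpy(f.text, typed, sizeof f.text - 1);
    return f;
}

/* Deliver one message; returns 1 if the field acted on it, 0 if it was dropped. */
int field_message(Field *f, unsigned msg, long wparam, long lparam)
{
    int len = (int)strlen(f->text), end;
    if (f->filtered && (msg == EM_SETPASSWORDCHAR || msg == WM_COPY || msg == EM_SETSEL))
        return 0;  /* handler returns FALSE, so default processing never runs */
    if (msg == EM_SETPASSWORDCHAR) { f->mask = (int)wparam; return 1; }
    if (msg == EM_SETSEL) { f->sel_start = (int)wparam; f->sel_end = (int)lparam; return 1; }
    if (msg != WM_COPY || f->mask != 0) return 0;  /* assumption: a masked field refuses to copy */
    end = (f->sel_end < 0 || f->sel_end > len) ? len : f->sel_end;
    if (f->sel_start < 0 || f->sel_start >= end) return 0;
    snprintf(f->clipboard, sizeof f->clipboard, "%.*s", end - f->sel_start, f->text + f->sel_start);
    return 1;
}

/* Replay the five messages listed in the post; returns how many the field acted on. */
int replay_post_sequence(Field *f)
{
    static const long seq[5][3] = { {EM_SETPASSWORDCHAR, 0, 0}, {EM_SETSEL, 0, -1},
        {WM_COPY, 0, 0}, {EM_SETPASSWORDCHAR, '*', 0}, {EM_SETSEL, 0, 0} };
    int i, n = 0;
    for (i = 0; i < 5; i++) n += field_message(f, (unsigned)seq[i][0], seq[i][1], seq[i][2]);
    return n;
}

int main(void)
{
    Field plain = make_field("constructed-pw", 0), guarded = make_field("constructed-pw", 1);
    printf("no handlers: acted=%d clipboard=\"%s\"\n", replay_post_sequence(&plain), plain.clipboard);
    printf("handlers:    acted=%d clipboard=\"%s\"\n", replay_post_sequence(&guarded), guarded.clipboard);
    return 0;
}
```

In the model the handlers drop the three messages whatever their origin, so the application's own selection and copy requests to the field are dropped as well.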