Message-ID: <gh-postgresql-interfaces-psqlodbc-184-rc3317616547@github.com>
From: "davecramer (@davecramer)" <noreply+davecramer@github.com>
To: "postgresql-interfaces/psqlodbc" <noreply+postgresql-interfaces-psqlodbc@github.com>
Date: Thu, 28 May 2026 12:05:22 +0000
Subject: Re: [postgresql-interfaces/psqlodbc] PR #184: Redact sensitive connection parameters in logs
In-Reply-To: <gh-postgresql-interfaces-psqlodbc-184@github.com>
References: <gh-postgresql-interfaces-psqlodbc-184@github.com>
List-Id: <gh-postgresql-interfaces-psqlodbc.github.com>
X-GitHub-Author-Login: davecramer
X-GitHub-Comment-Id: 3317616547
X-GitHub-Comment-Type: review_comment
X-GitHub-Commit: a8dae8f57158fddac3bf6757ca409718cf8a05a0
X-GitHub-Issue: 184
X-GitHub-Line: 2930
X-GitHub-Path: connection.c
X-GitHub-Repo: postgresql-interfaces/psqlodbc
X-GitHub-Type: review_comment
X-GitHub-Url: https://github.com/postgresql-interfaces/psqlodbc/pull/184#discussion_r3317616547
Content-Type: text/plain; charset=utf-8

(on connection.c:2930)

This unconditionally redacts the entire `pqopt` string. Unlike the per-keyword redaction below (which preserves non-sensitive params), this loses all diagnostic value. A connection string like `host=db.example.com sslmode=verify-full password=secret` becomes just `xxxxx`, hiding the host and sslmode that are useful for debugging.

Consider either:
1. Logging a placeholder that preserves some info: `"<contains %d chars, redacted>"` 
2. Or simply noting that sensitive params will be visible in the parsed form below and logging the raw string as-is here (since the parsed form below already redacts properly).

The current approach is safe but trades too much diagnostics for safety when the parsed log line right below already handles it correctly.