I use the following to set up my connection string to DB2:

Set objConn = Server.CreateObject("ADODB.Connection")
Connstr = "Provider=ibmdadb2; DSN=DbName; UID=hardcoded; PWD=hardcoded"
objConn.Open Connstr


This works only if UID and PWD are hardcoded which seems like a security violation to me. Anyone who gets access to this code would then be able to connect to DB2 using the suppled ID/PWD.

How can I prevent this and/or hide the UID and PWD? More to the point - What is the most common or preferred method to accomplish this?

Code is being used to allow users access to specific data from db via an internal website which is menu driven.

I've run into this problem too. I resolved it by passing the connection string to the script with an encrypted password. The script looks for the 'password=' text and decrypts the text following it. The string with the decrypted password would be sent to the DB, but never seen by anyone snooping around. If you're looking for a simple encryption method you could use a bar delimited ordinal string. Each character would be replaced by its position in the collating sequence. Using this method "password=97|49|98|50|" would be passed to the DB as "password=a1b2".

Not sure how I can make that work. I have ASP scripts that access the dB and the userID and PWD are coded in these scripts. Scripts were created via NotePad and I don't see how I can encrypt anything with the current tools available.

To address this for the time being, I created a local user and gave that user SELECT rights only from within DB2. This should allow me to pass an audit for the time being.