Encrypt stored procedure

Hi,
How I can ENcrypt stored procedure in oracle?
Thanks.

One caveat that the documentation doesn't emphasize nearly strongly enough IMHO is the fact that there is no way to unwrap wrapped code, so you have to make sure that everything is in external source control.
Justin
Distributed Database Consulting, Inc.
http://www.ddbcinc.com/askDDBC

Similar Messages

Get error message from a nested/encrypted stored procedure

Hi,
I have an encrypted procedure, that is used inside my 'own' complex procedure as:
Begin try
Begin tran
Do a lot
insert into #tmp exec xp_encryptedSP
Do a lot more
commit tran
end try
begin catch
print ERROR_MESSAGE()
rollback tran
end catch
Some error occur on the insert into #tmp exec xp_encryptedSP row, and in this case it's correct that the error occur, but:
If I run only exec xp_encryptedSP in query analyzer, I can see the root cause error message,
but in my complex procedure all I get is:
Cannot use the ROLLBACK statement within an INSERT-EXEC statement.
I have tried to enclose the insert into #tmp exec xp_encryptedSP in an own try block, but all I get is the message above.
Please help
/Magnus
Magnus Burk

No, the error message has nothing to do with the fact that the procedure obfuscated. It is a limitation of INSERT-EXEC. A quite silly one, since a consequence of the error is that the transaction is rolled back...
There are better ways to share data between stored procedures, but most of them assumes that you can change the procedure you call, and obviously this is not possible since this is a vendor procedure.
So it looks like you are in for heavy artillery, that is the CLR. See here for an example:
http://www.sommarskog.se/share_data.html#CLR
I should warn you in advance that error handling when the CLR is involved is also a very difficult thing.
Erland Sommarskog, SQL Server MVP, [email protected]

PowerShell - scripting - skip Encrypted\CLR Stored Procedures

Hi all,
Forgot where I got the code below from but, how would I skip Encrypted\CLR procedures because, I get error below...
Message
Executed as user: Loginname A job step received an error at line 81 in a PowerShell script. The corresponding line is '
$MyScripter.Script($proc)|out-null'. Correct the script and reschedule the job. The error information returned by PowerShell is: 'Exception calling "Script" with "1" argument(s): "The StoredProcedure '[dbo].[myrpocname]'
cannot be scripted as its data is not accessible." '. Process Exit Code -1. The step failed.
#STORED PROCEDURES
if($procs -ne $null)
foreach ($proc in $procs)
#Assuming that all non-system stored procs have proper naming convention and don''t use prefixes like "sp_"
if ( $proc.Name.IndexOf("sp_") -eq -1 -and $proc.Name.IndexOf("xp_") -eq -1 -and $proc.Name.IndexOf("dt_") -eq -1)
$fileName = $proc.name
"Scripting SP $fileName"
$scriptfile = "$rootDrive\DatabaseScripts\$sqlDatabaseName\$strDate\StoredProcedures\$filename.sql"
New-Item $rootDrive\DatabaseScripts -type directory -force | out-null
New-Item $rootDrive\DatabaseScripts\$sqlDatabaseName -type directory -force | out-null
New-Item $rootDrive\DatabaseScripts\$sqlDatabaseName\$strDate -type directory -force | out-null
New-Item $rootDrive\DatabaseScripts\$sqlDatabaseName\$strDate\StoredProcedures -type directory -force | out-null
# SetScriptOptions
$MyScripter.Options.FileName = $scriptfile
#AppendTofile has to be ''true'' in order that all the procs'' scripts will be appended at the end
$MyScripter.Options.AppendToFile = "true"
$MyScripter.Script($proc)|out-null
Thanks
gv
Sword

You can exclude encrypted stored procedure using $_.IsEncrypted member.
$storedProcs = $db.StoredProcedures | Where-object { $_.schema -eq $schema -and -not $_.IsSystemObject -and -not $_.IsEncrypted}
$server = "localhost"
$database = "PowerSQL"
$output_path = "F:\PowerSQL\"
$schema = "dbo"
$storedProcs_path = "$output_path\StoredProcedure\"
[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SqlServer.SMO") | out-null
$srv = New-Object "Microsoft.SqlServer.Management.SMO.Server" $server
$db = New-Object ("Microsoft.SqlServer.Management.SMO.Database")
$tbl = New-Object ("Microsoft.SqlServer.Management.SMO.Table")
$scripter = New-Object ("Microsoft.SqlServer.Management.SMO.Scripter") ($server)
# Get the database and table objects
$db = $srv.Databases[$database]
$storedProcs = $db.StoredProcedures | Where-object { $_.schema -eq $schema -and -not $_.IsSystemObject -and -not $_.IsEncrypted}
# Set scripter options to ensure only data is scripted
$scripter.Options.ScriptSchema = $true;
$scripter.Options.ScriptData = $false;
#Exclude GOs after every line
$scripter.Options.NoCommandTerminator = $false;
$scripter.Options.ToFileOnly = $true
$scripter.Options.AllowSystemObjects = $false
$scripter.Options.Permissions = $true
$scripter.Options.DriAllConstraints = $true
$scripter.Options.SchemaQualify = $true
$scripter.Options.AnsiFile = $true
$scripter.Options.EnforceScriptingOptions = $true
function CopyObjectsToFiles($objects, $outDir) {
if (-not (Test-Path $outDir)) {
[System.IO.Directory]::CreateDirectory($outDir)
foreach ($o in $objects) {
if ($o -ne $null) {
$schemaPrefix = ""
if ($o.Schema -ne $null -and $o.Schema -ne "") {
$schemaPrefix = $o.Schema + "."
$scripter.Options.FileName = $outDir + $schemaPrefix + $o.Name + ".sql"
Write-Host "Writing " $scripter.Options.FileName -ErrorAction silentlycontinue
$scripter.EnumScript($o)
# Output the scripts
CopyObjectsToFiles $storedProcs $storedProcs_path
Write-Host "Finished at" (Get-Date)
-Prashanth

Encrypt / Decrypt Procedure in PL/SQL

Hi,
Is using WRAP the only way to Encrypt Stored Procedure Code in PL/SQL? The requirement is that for a Product Implementation, the client would be provided with code base and application owners do not wish to reveal the business logic embedded in the Stored Procedures & Packages.
-Chinmay

Thanks - will proceed with using WRAP then.
By the way - I found a nice writeup on WRAP Utility - http://www.databasejournal.com/features/oracle/article.php/3382331
~Chinmay

Decrypt the Encrpted Stored procedure and views

Hi,
Anybody can help me, how to decrypt the encrypted stored procedure in SQL server.?

They are not encrypted. They are obfuscated. ApexSQL can show you the source code with the wink of an eye.
But before you do that - if this is a vendor application, check your license agreement.
Erland Sommarskog, SQL Server MVP, [email protected]

How to encrypt the source code of stored procedures ?

Is it possible to encrypt the source code of the stored procedures so no one can read the content. I want to deliver a compiled code not the source
Database 8i and later
thanks in advance

Wrap Utility<br>
<br>
Nicolas.

Stored procedure with encryption?

Hallo,
Is there a opportunity, to encrypt a stored procedure in Oracle 9i like in MS SQL Server?
Can I hide the content of a stored procedure, so not everbody is able to see the implementation?
When yes, how?
Best regards
Stephan Schneider

You can hide your source by Wrapping. It is a very old feature of Oracle (probably it was there in Oracle 7.3 or before also).
http://download-west.oracle.com/docs/cd/A87860_01/doc/appdev.817/a77069/c_wrap.htm#1859

URGENT: Java stored procedure on oracle 92 database is not working

Hi,
I am having an issue regarding java stored procedures. I have created a java class that uses the bouncycastleprovider ( bcprov-jdk13-141.jar ) to encrypt strings. I tested against the version of the java virtual machine that comes bundled with oracle and it works perfectly. I then used JDeveloper to load the class on the database with the resolve, noverify and order flags checked and it shows no errors but when I try to execute the stored procedure it throws the following exception:
java.lang.ExceptionInInitializerError:
java.lang.SecurityException: Cannot set up certs for trusted CAs: java.net.MalformedURLException: no protocol: US_export_policy.jar
at javax.crypto.SunJCE_b.<clinit>(DashoA6275)
at javax.crypto.Cipher.a(DashoA6275)
at javax.crypto.Cipher.getInstance(DashoA6275)
at RijndaelEnhanced.encrypt(RijndaelEnhanced.java:57)
at RijndaelEnhanced.encrypt(RijndaelEnhanced.java:73)
I loaded jce1_2_2.jar, sunjce_provider.jar, bcprov-jdk13-141.jar. Also replaced the US_export_policy.jar, local_policy.jar with the unrestrictive version. I add the security provider dinamically with a call to Security.insertProviderAt(new org.bouncycastle.jce.provider.BouncyCastleProvider(), 2);
I also did a select on the user_objects table and all the classes are in VALID status.
When I run my application using the java virtual machine that is located under C:\Oracle\oracli9i\jdk\jre\bin directory it works fine but when I try to execute on the database it won't work. I found a bug that was if the jce1_2_1.jar file existed in the C:\Oracle\oracli9i\jdk\jre\lib\ext directory ( even if it's extension is renamed ) it won't work because the certification file had expired but I don't know if this has anything to do with this error.
Am I missing something?
Please I need an urgent solution to this problem.
Thanks in advance.
Bruno Oliveira

SomeoneElse wrote:
Waaaaahhhhhhh!I was just thinking the same thing.... ya beat me to it...
To the OP:
As an up and coming DB Developer who now works for a small tech firm straight outta college, I can tell you for sure that you will definitely not get anywhere in your impatient life... look behind your back you miserable dude, your job might be in danger since ya got a bad attitude AND you can't figure out an error you are getting from a Java SP. So instead of helping you, I am going to simply tell you how you SHOULD act in a community of practice.
1. Be nice when looking for help
2. BE NICE WHEN LOOKING FOR HELP!!!
Pretty simple right?
Know what else is really simple? Looking at the topics of each board to make sure ya post in the right board! You people disgust me; somehow getting by in your professional career acting the way you do. I sure hope your "online" persona isn't a reflection of your real attitude towards people, almost pathetic and extremely immature.
Sorry bout the rant, it is Friday, I know :) Didn't get my coffee this morning. Have a good one all!
-Tim

Calling Stored Procedure from JDBC MSSQL

Ok, I have a stored procedure on a MsSQL Server 2000 data base. I need to call it to encrypt/decrypt passwords, my problem is when I run it from Query Analyzer it works fine but not in JDBC land. Below I have included my code. I have read you need to use a callable statement, but my query has a proc call embedded in it, not just a proc call. Anyone know how this would be accomplished?
THanks in Advance
try {
               // create an insert query
               StringBuffer query = new StringBuffer();
               // add strings and variables to query
               query.append("INSERT INTO ");
               query.append("users (Company, FirstName, LastName, Username, ");
               query.append("Password, Email) ");
               query.append("values(");
               query.append("'" + form.getCompany() + "', ");
               query.append("'" + form.getFirstName() + "', ");
               query.append("'" + form.getLastName() + "', ");
               query.append("'" + form.getUsername() + "', ");
               query.append("dbo.fn_sys_encryptpwd('" + form.getPassword() + "', '" + key + "'), " );
               query.append("'" + form.getEmail() + "')");
               // get the datasource from the From the context
               DataSource dataSource = ResourceLocator.getRCDataSource();
               // open a connection
               Connection conn = dataSource.getConnection();
               // make a statement and execute it
               CallableStatement statement = conn.prepareCall(query.toString()) ;
               //Statement statement = conn.createStatement();
               statement.execute();
               // Insert has been performed...destroy the statement and connection.
               statement.close();
               conn.close();
          }

I tried with Statement first then I tried with the PreparedStatement, but neither one worked. I have inlcuded part of the stackTrace to give you an idea of my problem
Thanks
java.sql.SQLException: [Microsoft][SQLServer 2000 Driver for JDBC][SQLServer]Invalid object name 'dbo.fn_sys_encryptpwd'.
at com.microsoft.jdbc.base.BaseExceptions.createException(Unknown Source
at com.microsoft.jdbc.base.BaseExceptions.getException(Unknown Source)
at com.microsoft.jdbc.sqlserver.tds.TDSRequest.processErrorToken(Unknown
Source)
at com.microsoft.jdbc.sqlserver.tds.TDSRequest.processReplyToken(Unknown
Source)
at com.microsoft.jdbc.sqlserver.tds.TDSExecuteRequest.processReplyToken(
Unknown Source)
at com.microsoft.jdbc.sqlserver.tds.TDSRequest.processReply(Unknown Sour
ce)
at com.microsoft.jdbc.sqlserver.SQLServerImplStatement.getNextResultType
(Unknown Source)
at com.microsoft.jdbc.base.BaseStatement.commonTransitionToState(Unknown
Source)
at com.microsoft.jdbc.base.BaseStatement.postImplExecute(Unknown Source)
at com.microsoft.jdbc.base.BasePreparedStatement.postImplExecute(Unknown
Source)
at com.microsoft.jdbc.base.BaseStatement.commonExecute(Unknown Source)
at com.microsoft.jdbc.base.BaseStatement.executeInternal(Unknown Source)
at com.microsoft.jdbc.base.BasePreparedStatement.execute(Unknown Source)
at org.apache.tomcat.dbcp.dbcp.DelegatingPreparedStatement.execute(Deleg
atingPreparedStatement.java:168)
at com.retailcode.web.data.dao.LoginDAO.createLogin(LoginDAO.java:81)
at com.retailcode.web.submit.SubmissionServlet.postRegister(SubmissionSe
rvlet.java:226)
at com.retailcode.web.submit.SubmissionServlet.doPost(SubmissionServlet.
java:47)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:709)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Appl
icationFilterChain.java:252)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationF
ilterChain.java:173)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperV
alve.java:213)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextV
alve.java:178)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.j
ava:126)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.j
ava:105)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineVal
ve.java:107)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.jav
a:148)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java
:869)
at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.p
rocessConnection(Http11BaseProtocol.java:664)
at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpo
int.java:527)
at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFol
lowerWorkerThread.java:80)
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadP
ool.java:684)
at java.lang.Thread.run(Unknown Source)

How to create a stored procedure and use it in Crystal reports

Hi All,
Can anyone explain me how to create a stored procedure and use that stored procedure in Crystal reports. As I have few doubts in this process, It would be great if you can explain me with a small stored proc example.
Thanks in advance.

If you are using MSSQL SERVER then try creating a stored procedure like this
create proc Name
select * from Table
by executing this in sql query analyzer will create a stored procedure that returns all the data from Table
here is the syntax to create SP
Syntax
CREATE PROC [ EDURE ] procedure_name [ ; number ]
    [ { @parameter data_type }
        [ VARYING ] [ = default ] [ OUTPUT ]
    ] [ ,...n ]
[ WITH
    { RECOMPILE | ENCRYPTION | RECOMPILE , ENCRYPTION } ]
[ FOR REPLICATION ]
AS sql_statement [ ...n ]
Now Create new report and create new connection to your database and select stored procedure and add it to the report that shows all the columns and you can place the required fields in the report and refresh the report.
Regards,
Raghavendra
Edited by: Raghavendra Gadhamsetty on Jun 11, 2009 1:45 AM

How to use signed classes/Jars in Java Stored Procedure?

I am using java encryption API in my java application that I want to deploy as java stored procedure. The API is kept in the signed jar files.
The Application is running in the MS-DOS environment but not in Oracle8i.
It gives me following error.
java.lang.ExceptionInInitializerError: java.lang.SecurityException: Cannot set
up certs for trusted CAs
at javax.crypto.b.<clinit>([DashoPro-V1.2-120198])
at javax.crypto.KeyGenerator.getInstance([DashoPro-V1.2-120198])
at DesKey.GenerateKey(DesKey.java:63)
declare
ERROR at line 1:
ORA-29532: Java call terminated by uncaught Java exception:
java.lang.ExceptionInInitializerError
ORA-06512: at line 4
(Note: I have enabled the java output in SQL Plus editor otherwise it will give only the second part of error that starts from ERROR at line 1:)
please guide me how to solve this problem.
Salman Hameed

Salman,
If you do not get a reply on this forum, I recommend you post this question on the Oracle JVM discussion forum as well.
In addition, I would recommend checking the documentation for Oracle8i. The Oracle8i Java Developer's Guide, the Java Stored Procedures Guide, and the JDBC Developer's guide may have some information on this topic. You can get to this doc from the OTN Documentation page. Click on Oracle8i, then General Documentation, Release 2 (8.1.6), then scroll down to see the link for the Oracle8i Java Developer's documetation. All of the books mentioned above are available from that link.

Stored procedure: how to return multline table

Environment: SQL Server 2008 R2, Windows
Tools: MSMS 2008 R2
Code:
CREATE PROCEDURE [dbo].[Cleanup]
(@id CHAR(12)
,@Date DATETIME
,@ID int OUT
,@Ln_ID CHAR(10) OUT
,@qcdate DATETIME OUT
,@P4 VARCHAR(8000)OUT
,@P9 VARCHAR(8000) OUT
,@P11 VARCHAR(8000) OUT
) WITH ENCRYPTION
AS
BEGIN
Update Table_mocha
SET P4=Replace(PE4,RTRIM(Cast(Q_ID as varchar(10))), '')
where id=@id and order_dt=@Date
Update Table_mocha
SET P4 = NullIf(P4,'')
where id=@id and order_dt=@Date
Update Table_mocha
SET P4=LTRIM(RTRIM(P4))
where id=@id and order_dt=@Date
SELECT @id=id, ln_id=@ln_id,@p4=p4, @p9=P9,@p11=P11
where id=@id and order_dt=@Date
Problem: having three updates would cause the database to lock. How would I pass input paramaters for those three updates in SP. How would I update multiple tables, how to avoid database lock, how to return multi-statment table - value (display
table contains multiple records)

I prefer to use different stored procedures to do different things.
CREATE PROCEDURE [dbo].usp_updatedata
(@id CHAR(12)
,@Date DATETIME
AS
BEGIN
Update Table_mocha
SET P4=LTRIM(RTRIM(Nullif(Replace(PE4,RTRIM(Cast(Q_ID as varchar(10))), ''),'')))
where id=@id and order_dt=@Date
End
CREATE PROCEDURE [dbo].usp_getData
(@id CHAR(12)
,@Date DATETIME
AS
BEGIN
SET NOCOUNT ON;
SELECT id, ln_id,p4, P9,P11
where id=@id and order_dt=@Date
End

Reconfigure in stored procedure

Hi,
I'm trying let my users reconfigure my server via a script, but get this error when trying to run as the end user:
Msg 15247, Level 16, State 1, Procedure sp_configure, Line 94
User does not have permission to perform this action.
Msg 5812, Level 14, State 1, Procedure MBMasterAllowConfigure, Line 18
You do not have permission to run the RECONFIGURE statement.
Msg 15123, Level 16, State 1, Procedure sp_configure, Line 51
The configuration option 'xp_cmdshell' does not exist, or it may be an advanced option.
Msg 5812, Level 14, State 1, Procedure MBMasterAllowConfigure, Line 21
You do not have permission to run the RECONFIGURE statement.
I have created a sqluser is master DB (sa_MBserverRole) for only this purpose. My procedure in master looks like this:
ALTER PROCEDURE [dbo].[MBMasterAllowConfigure]
WITH EXECUTE AS 'sa_MBserverRole'
AS
BEGIN
SET NOCOUNT ON;
EXEC sp_configure 'show advanced options', 1
RECONFIGURE
EXEC sp_configure 'xp_cmdshell', 1
RECONFIGURE
END
When logging in as the sa_MBserverRole user running:
use master
select suser_sname()
SELECT
FROM
fn_my_permissions(NULL,
'SERVER');
Giving the result:
sa_MBserverRole
server  CONNECT SQL
server  ALTER SETTINGS
server  VIEW ANY DATABASE
Seems as it doesn't matter who I'm logged in as, since the procedure cannot run the reconfigure command anyhow.
I tried to read Erlands excellent article at http://www.sommarskog.se/grantperm.html#EXECUTE_AS but maybe it's too complicated for me.
Could someone help me?
Best regards /Magnus
Magnus Burk

Hi,
I have now succeeded to read and use your code/article. Thanks a lot!
I ended up with a trigger calling an SP instead of function, as you recommended Erland.
I used this complete code:
--STEP 1
-- If they exists, remove files C:\temp\cert\saMBCert.cer and C:\temp\cert\saMBCert.pvk
--STEP 2
-- This steps create all necessary users, cert, singings to make this work
/******************* P R I M A R Y D B ******************/
use Control_Test
DROP SIGNATURE FROM MB_CheckOtherDBDemo BY CERTIFICATE sa_MBCert
DROP USER sa_MB
DROP CERTIFICATE sa_MBCert
DROP PROCEDURE [dbo].[MB_CheckOtherDBDemo]
CREATE CERTIFICATE sa_MBCert
ENCRYPTION BY PASSWORD = 'My pwd 2014' WITH SUBJECT = 'cross DB cert',
START_DATE = '05/07/2014', EXPIRY_DATE = '10/31/2025';
CREATE USER sa_MB FROM CERTIFICATE sa_MBCert
GO
CREATE PROCEDURE [dbo].[MB_CheckOtherDBDemo]
AS
BEGIN
declare @sqlstring nvarchar(500)
set @sqlstring = N'select no from controldk_test.dbo.clientx'
exec sp_executesql @sqlstring
END
GO
GRANT SELECT ON clientx TO sa_MB
GRANT EXECUTE ON MB_CheckOtherDBDemo TO Lindgren
GRANT EXECUTE ON MB_CheckOtherDBDemo TO sa_MB
ADD SIGNATURE TO MB_CheckOtherDBDemo BY CERTIFICATE sa_MBCert
WITH PASSWORD = 'My pwd 2014'
BACKUP CERTIFICATE sa_MBCert TO FILE = 'C:\Temp\cert\saMBCert.cer'
WITH PRIVATE KEY (FILE = 'C:\Temp\cert\saMBCert.pvk' ,
ENCRYPTION BY PASSWORD = 'My pwd 2014',
DECRYPTION BY PASSWORD = 'My pwd 2014')
/******************* O T H E R D B ******************/
USE ControlDK_Test
DROP USER sa_MB
DROP CERTIFICATE sa_MBCert
CREATE CERTIFICATE sa_MBCert FROM FILE = 'C:\temp\cert\saMBCert.cer'
WITH PRIVATE KEY (FILE = 'C:\temp\cert\saMBCert.pvk',
DECRYPTION BY PASSWORD = 'My pwd 2014',
ENCRYPTION BY PASSWORD = 'My pwd 2014')
CREATE USER sa_MB FROM CERTIFICATE sa_MBCert
GRANT SELECT ON clientx TO sa_MB
GRANT SELECT ON objectx TO sa_MB
--STEP 3
-- This step is when changing the stored procedure
USE Control_Test
GO
ALTER PROCEDURE [dbo].[MB_CheckOtherDBDemo]
@objtype int, -- -1=cid, 1-8=object 1-8
@objval varchar(10)
AS
BEGIN
declare @sqlcrit varchar(100)
if @objtype not in (-1,1,2) return 0
if @objtype=-1 set @sqlcrit='clientx where no='+@objval
if @objtype in (1,2) set @sqlcrit='objectx where no='+cast(@objtype as char(1))+' and object='+@objval
declare @otherdb varchar(20)
if (select db_Name()) = 'Control' set @otherdb='ControlDK'
if (select db_Name()) = 'ControlDK' set @otherdb='Control'
if (select db_Name()) = 'ControlDK_Test' set @otherdb='Control_Test'
if (select db_Name()) = 'Control_Test' set @otherdb='ControlDK_Test'
declare @count int
DECLARE @ParamDefinition nvarchar(500)
SET @ParamDefinition = N'@countOUT int OUTPUT'
declare @sqlstring nvarchar(500)
set @sqlstring = N'select @countOUT = count(*) from '+@otherdb+'.dbo.'+@sqlcrit
exec sp_executesql @sqlstring, @ParamDefinition, @countOUT=@count OUTPUT
return @count
END
GO
ADD SIGNATURE TO MB_CheckOtherDBDemo BY CERTIFICATE sa_MBCert
WITH PASSWORD = 'My pwd 2014'
Everything seems to work as it should, and I am very happy.
My first question was about RECONFIGURE and xp_cmdshell. I am still using this (with a job every minute), and might change it in the future when time arises ( probably never:-)). Erland: What do you mean with clear the plan cache?
Thanks again, and have a nice weekend
/Magnus
Magnus Burk

Securely calling stored procedure with APEX URL

I have a web server that needs to call a stored procedure on an Oracle database (v10.2.0.4.0-64bit), and to do so without storing schema credentials on the web server it has been recommended to call the procedure using a URL to APEX, and granting execute privileges on the package storing the procedure to APEX_PUBLIC_USER. However, this allows anyone on the network to call the procedure if they have the URL. Is there any way to make sure that either Apex or the procedure only responds directly to requests from the web server?

Nick,
Assuming you are talking about application server ( not web server ).
It is common practice to create new user on Oracle database (often called proxy user, so you don't have to use schema credentials). Grant this user privileges to call package you need. Then on application server store encrypted credentials for this new user.
Application (java or .net) then connects to Oracle using new user credentials and executes packaged procedure.
Using Apex is the same. You need to have Authentication enabled (hence to store user id and password). If not, it is not secure.
Making any application (including Apex) to respond to request from specific IP is possible by inspecting ip from request header (Apex : UTL_HTTP.GET_HEADER ).
There are problems however:
1.If connection is made by proxy, request ip can change.
2.Hackers can use "ip spoofing" to emulate request from permitted server.
Another option would be to set up proxy server rules, permitting traffic between selected servers only.
HTH
Thomas

Calling stored procedure from Apex

I am a total newbie at Apex so any help would be appreciated. My situation:
I created Apex app with few forms and reports. Since I want to implement security for some tables, example:
Table Employee has columns email and credit_card_num. These 2 columns are encrypted using DBMS_CRYPTO.
My Oracle Database version in Oracle XE 11g Release 2.
So I have stored procedure and package for encryption and decryption using dbms_crypto.
When I add new employee in APEX form email and credit card number are passed as plain text and saved on that way in database.
1. How can I make it to be saved as encrypted value using package and procedures I've created in the database (to parse the inserted value to function)?
2. Since I am a total dummy and newbie at Apex can anyone explain me how does Apex really work? Is the inserted data sent in plain text or encrypted over network?
Thank you

84e45717-06df-499e-a789-5312b7434a74 wrote:
1. How can I make it to be saved as encrypted value using package and procedures I've created in the database (to parse the inserted value to function)?
You have a few options. You can create a Process (after submit process) that calls your code.
For example, if your form is on Page 2 and you're saving the EMP table your process could look like this:
begin
app_util.emp_save_secure(p_EMPNO => :P2_EMPNO
, p_ename => :P2_ENAME
, p_deptno => :P2_DEPTNO);
end;
Here of course app_util is your own package (with any name you want) and emp_save_secure is the procedure that will receive the params to save.
You could also use the APEX wizard to create a form on the Procedure then edit the code as you need. It would be almost the same result, but probably less typing and less typos.
2. Since I am a total dummy and newbie at Apex can anyone explain me how does Apex really work? Is the inserted data sent in plain text or encrypted over network?
Thank you
Like any web page, if your connection is done with HTTPS then the data from the browser to the webserver will be encrypted and that's all completely transparent to you. If your call is HTTP then it will be done in clear text.
To setup an SSL connection that uses HTTPS you'll need to create a certificate on the server and configure HTTPS. This is better done by a DBA that knows what they are doing.
Thanks
-Jorge
http://rimblas.com/blog/

Encrypt stored procedure

Similar Messages

Maybe you are looking for