Execute all SQL code as individual Oracle user, not APEX_PUBLIC_USER
Is it possible to get APEX to execute SQL code as the user's existing Oracle database user instead of APEX_PUBLIC_USER?
Besides having all of the security already defined for each of the existing users at the database level, the existing application also handles generating audit trails with triggers that pull the username executing the SQL instead of accepting passed values. At the moment APEX_PUBLIC_USER is plastered everywhere as the user that generated the changes.
rcy_evdriver wrote:
Is it possible to get APEX to execute SQL code as the user's existing Oracle database user instead of APEX_PUBLIC_USER?
No. See:
{message:id=926724}
{message:id=1224601}
{message:id=1606515}
Application Express and parsing of SQL
Besides having all of the security already defined for each of the existing users at the database level, the existing application also handles generating audit trails with triggers that pull the username executing the SQL instead of accepting passed values. At the moment APEX_PUBLIC_USER is plastered everywhere as the user that generated the changes.
Using DAD Credentials Verification will cause the database user to be returned by the USER pseudo-column. (However just because you can do this, it doesn't mean you should.)
{message:id=9680421}
Why are you asking this? "At the moment APEX_PUBLIC_USER is plastered everywhere as the user that generated the changes" indicates that it might be a bit late to be making fundamental discoveries about APEX and database security?
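As an added example (not code from the thread or from APEX itself): an audit trigger that records both the database user, which under APEX is APEX_PUBLIC_USER as the thread says, and the authenticated APEX session user taken from the session context. The tables ORDERS and ORDERS_AUDIT and the function EFFECTIVE_APP_USER are hypothetical names; the APEX$SESSION context is assumed to be available (APEX 5.0 and later) and the CLIENT_IDENTIFIER fallback assumes the 'APP_USER:SESSION_ID' value that APEX sets.

```sql
-- Hypothetical audit table for a hypothetical ORDERS table (order_id NUMBER, ...).
CREATE TABLE orders_audit (
  order_id    NUMBER,
  action      VARCHAR2(6),
  db_user     VARCHAR2(128),   -- what the USER pseudo-column returns
  app_user    VARCHAR2(255),   -- the APEX session user, if there is one
  changed_at  TIMESTAMP
);

-- Resolve the user the application authenticated, falling back to the
-- database user when the call does not come from an APEX session.
CREATE OR REPLACE FUNCTION effective_app_user RETURN VARCHAR2 IS
  l_cid VARCHAR2(256);
BEGIN
  -- APEX 5.0+ exposes the session user in the APEX$SESSION context.
  IF SYS_CONTEXT('APEX$SESSION', 'APP_USER') IS NOT NULL THEN
    RETURN SYS_CONTEXT('APEX$SESSION', 'APP_USER');
  END IF;
  -- Older releases: APEX sets CLIENT_IDENTIFIER to 'APP_USER:SESSION_ID'
  -- (assumed format), so keep the part before the first colon.
  l_cid := SYS_CONTEXT('USERENV', 'CLIENT_IDENTIFIER');
  IF l_cid IS NOT NULL AND INSTR(l_cid, ':') > 1 THEN
    RETURN SUBSTR(l_cid, 1, INSTR(l_cid, ':') - 1);
  END IF;
  -- SQL*Plus, a batch job, etc.: the database user is the best we have.
  RETURN USER;
END;
/

CREATE OR REPLACE TRIGGER orders_audit_trg
  AFTER INSERT OR UPDATE OR DELETE ON orders
  FOR EACH ROW
BEGIN
  INSERT INTO orders_audit (order_id, action, db_user, app_user, changed_at)
  VALUES (
    NVL(:NEW.order_id, :OLD.order_id),
    CASE WHEN INSERTING THEN 'INSERT'
         WHEN UPDATING  THEN 'UPDATE'
         ELSE                'DELETE' END,
    USER,                  -- APEX_PUBLIC_USER for every change made through APEX
    effective_app_user(),  -- the user the application actually authenticated
    SYSTIMESTAMP
  );
END;
/

-- Quick check from an APEX SQL region or page process: the two columns differ.
SELECT USER AS db_user, effective_app_user() AS app_user FROM dual;
```

CLIENT_IDENTIFIER can be set by any session through DBMS_SESSION.SET_IDENTIFIER, so a row that came through the fallback records what the connecting application asserted rather than an identity the database verified.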
Similar Messages
-
Bat file execute all *.sql files in a folder
Hi all,
How to write a *.bat file to execute all *.sql files in a folder?
Because have about 20 *.sql file in a folder. There are used to fix data in my database. The number of *.sql file increases day by day. So I want to write a *.bat file to execute all *.sql file in the folder. Since I just run this *.bat file.
Mai Thanh Hải.
user545846 wrote:
Hi
I have done this many times. Can guide you. :)
And did it fail to work all the times you tried it?
c:\>type test1.sql
select 1 from dual;
exit
c:\>type test2.sql
select 2 from dual;
exit
c:\>sqlplus scott/tiger@testdb @c:\test*.sql
SQL*Plus: Release 10.2.0.3.0 - Production on Thu Aug 6 12:37:04 2009
Copyright (c) 1982, 2006, Oracle. All Rights Reserved.
Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production
With the Partitioning, OLAP and Data Mining options
SP2-0556: Invalid file name.
SQL> exit
Disconnected from Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production
With the Partitioning, OLAP and Data Mining options
Wildcards in SQL*Plus filenames don't work. So why do you suggest that?
Better is to use the DOS command FOR...
c:\>for %i in (test*.sql) do sqlplus scott/tiger@testdb @%i
c:\>sqlplus scott/tiger@testdb @test1.sql
SQL*Plus: Release 10.2.0.3.0 - Production on Thu Aug 6 12:38:06 2009
Copyright (c) 1982, 2006, Oracle. All Rights Reserved.
Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production
With the Partitioning, OLAP and Data Mining options
1
1
Disconnected from Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production
With the Partitioning, OLAP and Data Mining options
c:\>sqlplus scott/tiger@testdb @test2.sql
SQL*Plus: Release 10.2.0.3.0 - Production on Thu Aug 6 12:38:06 2009
Copyright (c) 1982, 2006, Oracle. All Rights Reserved.
Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production
With the Partitioning, OLAP and Data Mining options
2
2
Disconnected from Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production
With the Partitioning, OLAP and Data Mining options
c:\>
... although even better would be to proceduralise the SQL into packages/procedures on the database and have just a single procedure call do all the work. -
Dynamic action - execute pl/sql code
Hi All and thanks for any assistance.
I am trying to Execute the following pl/sql Code in a dynamic action however get the following error - AJAX call returned server error ORA-01403: no data found for Execute PL/SQL code.
I have all page items in the page items to submit section.
declare
  l_file_comments IMM_DOCUMENTS.FILE_COMMENTS%type;
  l_file          IMM_DOCUMENTS.FILE_BLOB%type;
  l_filename      IMM_DOCUMENTS.FILENAME%type;
  l_mimetype      IMM_DOCUMENTS.FILE_MIMETYPE%type;
  l_charset       IMM_DOCUMENTS.FILE_CHARSET%type;
begin
  select f.blob_content,
         f.filename,
         f.mime_type,
         nvl(f.file_charset, f.dad_charset)
    into l_file,
         l_filename,
         l_mimetype,
         l_charset
    from wwv_flow_files f
   where f.name = :P80_FILE;
  if l_file is not null then
    insert into IMM_DOCUMENTS
      (sub_id,
       document_type_id,
       filename,
       file_blob,
       file_comments,
       file_mimetype,
       file_charset)
    values
      (:P80_SUB_ID,
       :P80_DOCUMENT_TYPE_ID,
       l_filename,
       l_file,
       :P80_FILE_DESCRIPTION,
       l_mimetype,
       l_charset);
    delete from wwv_flow_files where name = :P80_FILE;
  end if;
end;
Hi Marie,
as Matthew says, the only part of the code that could result in that error is the select into statement. This is because, in pl/sql, a select into statement is expected to return one row only. If it returns no rows it raises a no data found exception and if it returns more than one row it raises a too many rows error.
If it is acceptable that this query may return no rows, then you have to handle this situation. The two methods that you can use would be firstly to use a named cursor and fetch a row from this, if there is no data then it does not raise an exception. The other method would be to put in an exception handler around the select statement.
E.g. - preferred, mainly because I think it is better to code in a way that minimises exception handling.
declare
  l_file_comments IMM_DOCUMENTS.FILE_COMMENTS%type;
  l_file          IMM_DOCUMENTS.FILE_BLOB%type;
  l_filename      IMM_DOCUMENTS.FILENAME%type;
  l_mimetype      IMM_DOCUMENTS.FILE_MIMETYPE%type;
  l_charset       IMM_DOCUMENTS.FILE_CHARSET%type;
  CURSOR file_cur IS
    select f.blob_content,
           f.filename,
           f.mime_type,
           nvl(f.file_charset, f.dad_charset)
      from wwv_flow_files f
     where f.name = :P80_FILE;
begin
  OPEN file_cur;
  -- a fetch past the end simply leaves the variables null, no exception
  FETCH file_cur INTO
    l_file,
    l_filename,
    l_mimetype,
    l_charset;
  CLOSE file_cur;
  if l_file is not null then
    insert into IMM_DOCUMENTS
      (sub_id,
       document_type_id,
       filename,
       file_blob,
       file_comments,
       file_mimetype,
       file_charset)
    values
      (:P80_SUB_ID,
       :P80_DOCUMENT_TYPE_ID,
       l_filename,
       l_file,
       :P80_FILE_DESCRIPTION,
       l_mimetype,
       l_charset);
    delete from wwv_flow_files where name = :P80_FILE;
  end if;
end;
OR
declare
  l_file_comments IMM_DOCUMENTS.FILE_COMMENTS%type;
  l_file          IMM_DOCUMENTS.FILE_BLOB%type;
  l_filename      IMM_DOCUMENTS.FILENAME%type;
  l_mimetype      IMM_DOCUMENTS.FILE_MIMETYPE%type;
  l_charset       IMM_DOCUMENTS.FILE_CHARSET%type;
begin
  BEGIN
    select f.blob_content,
           f.filename,
           f.mime_type,
           nvl(f.file_charset, f.dad_charset)
      into l_file,
           l_filename,
           l_mimetype,
           l_charset
      from wwv_flow_files f
     where f.name = :P80_FILE;
  EXCEPTION
    WHEN no_data_found THEN
      NULL;  -- no file uploaded: l_file stays null and nothing is inserted
  END;
  if l_file is not null then
    insert into IMM_DOCUMENTS
      (sub_id,
       document_type_id,
       filename,
       file_blob,
       file_comments,
       file_mimetype,
       file_charset)
    values
      (:P80_SUB_ID,
       :P80_DOCUMENT_TYPE_ID,
       l_filename,
       l_file,
       :P80_FILE_DESCRIPTION,
       l_mimetype,
       l_charset);
    delete from wwv_flow_files where name = :P80_FILE;
  end if;
end;
Note : code is untested.
Regards
Andre -
Executing a SQL Insert as a DB User instead of htmldb_public_user
Hi,
There are quite a few posts on this topic, but no direct answer.
In one of Scott's posts, he says:
'If you use HTML DB Account/LDAP/SSO/roll-your-own authentication and your named HTML DB session user is MIKE, HTML DB will execute your SQL or PL/SQL as the application's schema connected as HTMLDB_PUBLIC_USER and everything your code does inside the database will be as user HTMLDB_PUBLIC_USER .... '
In same post he says that if you use DB_authentication, the SQL is executed as the DB user.
We are putting the finishing touches on an application that needs to write to a DB which contains a trigger on it enforcing a rule that the insert user has to be a database user.
The problems/background to the issue we have are:
1. We want to use ldap - so we don't have to register everyone on that DB
2. Even if we didn't want to use LDAP, we can't get people to log onto the database anyway - as the application has a weird setup where the database username = application username, but application password <> database password - and no user knows their database password (so they can't sneak around the back end).
3. We can't create a user htmldb_public_user on that database as it has a 10 char restriction on usernames
I guess It's the same question as:
How to execute a plsql with another db user but not HTMLDB_PUBLIC_USER?
but this was never expanded/answered.
What are my options?
A. Can I change htmldb_public_user to another username that is on the database?
or preferably
B. Can I somehow get the SQL to be run using the username that logged into htmldb?
...David.
Hi Scott,
1) If you cannot create database users > 10 chars, how did you install HTML DB with its default schemas FLOWS_010600, FLOWS_020000, or FLOWS_FILES?
We can create these users directly on the database for htmldb, but the application that we have on that same database does not let us create usernames > 10 char - and it is this application (a 3rd party system we have no control over) that enforces the database trigger for the user to be registered on their system when we try and update some of their data.
ie - we have a 3rd party database structure that we are sitting html db on top of to do reports and some updates where that system is inefficient. We have to work around that 3rd party's security as we have no way of changing it or getting them to change it.
2) You cannot safely use an alternative user to HTMLDB_PUBLIC_USER.
Okay. That's nice to know as we were about to try that option.
Scott: having seen hopefully a bit more detail in the reply to 1 above - can you see what the question is now? ie - if we authenticate in htmldb using ldap, can we run a insert or update sql somehow within the htmldb application using a different account to htmldb_public_user so that we can fit in with the security restraints of this 3rd party system?
As I have said, we cannot use database authentication as the setup on this 3rd party system is very strange - it has a separate application based password for users compared to the user's database password , and we cannot give the users the database password (so they can log into htmldb) as it constitutes a security risk.
I am toying with the idea of creating a staging table that contains triggers to update the real table owned by the 3rd party application's schema, but haven't managed to get it working yet. -
I have Oracle 10g on Linux... today for some problem my Linux server hung up... then after restarting it... all my Oracle users (which I have created) were blocked.. I can not log into my created users using SQL*Plus... whereas the SYS and SYSTEM users are open... WHY?
What should I do?... What will be the problem?
Please reply.
I have created a new user also but... I fail to connect.
Message was edited by:
piyukharwar
Please specify, are you using the password feature in the user's profile? You can check this from the DBA_PROFILES and the DBA_USERS views.
On the other hand, if this is not letting you enter the sqlplus session, could you specify the error message displayed when you attempt to connect?
~ Madrid
http://hrivera99.blogspot.com -
Executing PL/SQL Commands.. Oracle API newbie
Hi,
I am using Oracle 10G and am calling stored procedures from my code written in C#.
Currently I am getting the following error when the stored procedure is called:
ORA-06550: line 1, column 7: PLS-00306: wrong number or types of arguments in call to 'SP_COURSE_GET' ORA-06550: line 1, column 7: PL/SQL: Statement ignored
.. from a recent thread someone was able to point me in the right direction and suggest that the error was in the way I was calling the stored procedure
Now that I have resolved the previous issue, I need to be able to add the additional two lines (lines 1 & 3) to my code so that the table is returned after executing the stored procedure
var vrct refcursor // line 1
exec sp_course_get(501,:vrct)
print vrct // line 3
My code currently looks like
cmd.Connection = conn;
cmd.CommandText = sStoredProc;
cmd.CommandType = CommandType.StoredProcedure;
// add the parameters
int iNumParams = 0;
if (null!= arParams)
iNumParams = arParams.Length / 2; // divide by 2 b/c length is total # of items, not the # of rows
for (int i=0; i<iNumParams; i++)
cmd.Parameters.Add(new OracleParameter(arParams[i,0].ToString(), arParams[i,1]));
// add the output param
OracleParameter output = null;
if (OracleType.Int32 == oType)
output = cmd.Parameters.Add(new OracleParameter(sOutputName, oType));
else
output = cmd.Parameters.Add(new OracleParameter(sOutputName, oType, size));
output.Direction = ParameterDirection.Output;
cmd.ExecuteNonQuery();
Can an expert advise the best way for me to send the declaration of the cursor variable and the print command for the cursor to the database. At the moment I am just calling the stored procedure. Thank you in advance for your help
Cheers
> Does that look right or is there any easier way to pass the 3 lines thru to the database
ie 1 var vrct refcursor
2 exec sp_course_get(501,:vrct)
3 print vrct
The VRCT output variable needs to be a client cursor in the client language you're using. Simply put - when you define a variable in C/C++/C# and pass that to Oracle via a PL/SQL call, that variable has to match the data type that PL/SQL expects. And vice versa.
Line 1 above:
var vrct refcursor
..is exactly that. The client "language" is SQL*Plus. A client variable is defined in the language. It is a client cursor (aka reference cursor). The output from PL/SQL (a reference cursor) can now be stored in the client variable. This client variable can now be used by the client to fetch rows from the cursor and display them - which is what the above SQL*Plus PRINT command does.
Okay, so in .NET (which I assume you're using) you need to use the correct variables/parameters to set your local client variable equal to the output from PL/SQL ref cursor.
The Oracle® Data Provider for .NET Developer's Guide (http://download-east.oracle.com/docs/cd/B19306_01/win.102/b14307/featRefCursor.htm) lists the following example:
The following example demonstrates passing a REF CURSOR:
connect scott/tiger@oracle
create table test (col1 number);
insert into test(col1) values (1);
commit;
create or replace package testPkg as type empCur is REF Cursor;
end testPkg;
create or replace procedure testSP(param1 IN testPkg.empCur, param2 OUT NUMBER)
as
begin
FETCH param1 into param2;
end;
// C#
using System;
using Oracle.DataAccess.Client;
using System.Data;
class InRefCursorParameterSample
{
  static void Main()
  {
    OracleConnection conn = new OracleConnection
      ("User Id=scott; Password=tiger; Data Source=oracle");
    conn.Open(); // Open the connection to the database
    // Command text for getting the REF Cursor as OUT parameter
    String cmdTxt1 = "begin open :1 for select col1 from test; end;";
    // Command text to pass the REF Cursor as IN parameter
    String cmdTxt2 = "begin testSP (:1, :2); end;";
    // Create the command object for executing cmdTxt1 and cmdTxt2
    OracleCommand cmd = new OracleCommand(cmdTxt1, conn);
    // Bind the Ref cursor to the PL/SQL stored procedure
    OracleParameter outRefPrm = cmd.Parameters.Add("outRefPrm",
      OracleDbType.RefCursor, DBNull.Value, ParameterDirection.Output);
    cmd.ExecuteNonQuery(); // Execute the anonymous PL/SQL block
    // Reset the command object to execute another anonymous PL/SQL block
    cmd.Parameters.Clear();
    cmd.CommandText = cmdTxt2;
    // REF Cursor obtained from previous execution is passed to this
    // procedure as IN parameter
    OracleParameter inRefPrm = cmd.Parameters.Add("inRefPrm",
      OracleDbType.RefCursor, outRefPrm.Value, ParameterDirection.Input);
    // Bind another Number parameter to get the REF Cursor column value
    OracleParameter outNumPrm = cmd.Parameters.Add("outNumPrm",
      OracleDbType.Int32, DBNull.Value, ParameterDirection.Output);
    cmd.ExecuteNonQuery(); // Execute the stored procedure
    // Display the out parameter value
    Console.WriteLine("out parameter is: " + outNumPrm.Value.ToString());
  }
}
Microsoft Visual Studio 2005/.NET Framework 2.0 (http://msdn2.microsoft.com/en-us/library/system.data.oracleclient.oracledatareader(vs.80).aspx) also shows some examples.
Which kind of begs the question why you did not refer to the appropriate OracleDataReader documentation up front? It would seem that these manuals cover interaction with Oracle pretty well, and include sample code. -
Need PL/SQL Code to get Oracle connection string
Hi
Could you please give any solution to below requirement?
Requirement :
I have an existing PL/SQL program (registered as a concurrent program) in which I am calling a "C" program. The "C" program expects a parameter to pass the value of the Oracle connection string (userid/pwd@instance). The C program takes the connection string to connect to Oracle and manipulate data.
Question: how will I get the Oracle userid, pwd and connection string while in a PL/SQL session, so that it will run for every instance I move the code to?
Note :
1.) We have limitations to call another concurrent program to fetch these data.
2.) We cannot hard code the value in the program because of compliance issue.
Any example of code will help.
Thanks in Advance.
Cheers
Samar
Hi,
Check the below link, It might help you.
http://download.oracle.com/docs/cd/B13789_01/appdev.101/b10802/d_obtool.htm
http://download.oracle.com/docs/cd/B10501_01/appdev.920/a96590/adgsec04.htm
Twinkle -
Avoid Hard Parsing for executing dynamic SQL using DUAL table Oracle
I want to know if dynamic sql statements involving DUAL table can be modified to remove HARD PARSING.
We have several SQL statements are stored in configuration table, here is sample example
-- query 1 before replacing index values as stored in config table ---
select count(*) from dual where 'REPLACE_VALUE_OF_INDEX_3' IN ('K')
AND (('REPLACE_VALUE_OF_INDEX_13' IN ('1053','1095','1199') ) OR ('REPLACE_VALUE_OF_INDEX_13' IN ('1200') ))
AND 'REPLACE_VALUE_OF_INDEX_2' IN ('6')
AND 'REPLACE_VALUE_OF_INDEX_15' IN ('870001305')
-- query 1 after replacing index values--
select count(*) from dual where 'REPLACE_VALUE_OF_INDEX_10' IN ('K')
AND (('1030' IN ('1053','1095','1199') ) OR ('1030' IN ('1200') ))
AND '2' IN ('6')
AND 'X' IN ('870001305')
-- query 2 before replacing index values as stored in config table --
select count(*) from dual where 'REPLACE_VALUE_OF_INDEX_5' IN ('361A','362A')
AND 'REPLACE_VALUE_OF_INDEX_22' BETWEEN '200707' AND '200806'
-- query 2 after replacing index values--
select count(*) from dual where '3MAA' IN ('361A','362A') AND '201304' BETWEEN '200707' AND '200806'
If I got it right you have some (maybe lots of) conditions stored in a table (be patient - it's my interpretation)
create table eb_conditions as
select 1 rid,q'{:5 IN ('361A','362A') AND :3 BETWEEN '200707' AND '200806'}' cndtn from dual union all
select 2,q'{:2 IN ('361A','362A') AND :3 BETWEEN '200707' AND '200806'}' from dual union all
select 3,q'{:1 IN ('K') AND ((:2 IN ('1053','1095','1199') ) OR (:4 IN ('1200') )) AND :3 IN ('6') AND :5 IN ('870001305')}' from dual
RID  CNDTN
  1  :5 IN ('361A','362A') AND :3 BETWEEN '200707' AND '200806'
  2  :2 IN ('361A','362A') AND :3 BETWEEN '200707' AND '200806'
  3  :1 IN ('K') AND ((:2 IN ('1053','1095','1199') ) OR (:4 IN ('1200') )) AND :3 IN ('6') AND :5 IN ('870001305')
and you have to check the conditions using values stored in an array
I used a table instead: the vl at rid = 1 representing the value of bind variable :1 in eb_conditions table and so on ...
create table eb_array as
select 1 rid,'K' vl from dual union all
select 2,'1199' from dual union all
select 3,'200803' from dual union all
select 4,'1000' from dual union all
select 5,'870001305' from dual
RID  VL
  1  K
  2  1199
  3  200803
  4  1000
  5  870001305
You want to check the conditions using select count(*) from dual where <condition with binds substituted fron the array>
Judging from the title Hard Parsing represents the major problem and you cannot avoid it since every condition to be verified is different from every other condition.
I think your best bet is not to evaluate conditions row by row - context shift cannot be avoided and there might be more than one for each iteration.
So try to do it in a single step:
declare
w_cndtn varchar2(4000);
w_clob clob;
w_cursor sys_refcursor;
one number;
two number;
begin
dbms_lob.createtemporary(w_clob,false);
for rw in (select rid,
max(cndtn) cndtn,
listagg(val,',') within group (order by rn)||',' usng
from (select c.rid,c.cndtn,c.rn,c.bind,
replace(rtrim(c.bind),':'||to_char(v.rid),''''||v.vl||'''') val
from (select rid,
cndtn,
regexp_substr(cndtn,':\d+ ',1,level) bind,
level rn
from eb_conditions
connect by level <= regexp_count(cndtn,':')
and prior rid = rid
and prior sys_guid() is not null
) c,
eb_array v
where instr(c.bind,':'||v.rid||' ') > 0
)
group by rid
)
loop
w_cndtn := rw.cndtn;
while instr(w_cndtn,':') > 0
loop
w_cndtn := replace(w_cndtn,trim(regexp_substr(w_cndtn,':\d+ ',1,1)),substr(rw.usng,1,instr(rw.usng,',') - 1));
rw.usng := substr(rw.usng,instr(rw.usng,',') + 1);
end loop;
w_cndtn := 'select '||to_char(rw.rid)||' cndtn_id,count(*) from dual where '||w_cndtn||' union all ';
w_clob := w_clob ||' '||w_cndtn;
end loop;
w_clob := substr(w_clob,1,instr(w_clob,'union all',-1,1) - 1);
open w_cursor for w_clob;
loop
fetch w_cursor into one,two;
exit when w_cursor%notfound;
dbms_output.put_line(to_char(one)||':'||to_char(two));
end loop;
dbms_lob.freetemporary(w_clob);
end;
1:0
2:0
3:0
Statement processed.
Regards
Etbin -
Company codes assigned to a user not to a role
Hi -
We have set up our end user roles and now the requirement has come through that certain users should only have access to information based on company codes. Is there a way to assign a user to either 1 or several company codes, but not to all; and to not have to change all of the roles that she has access to?
Basically, assign a user to a specific company code, assign the necessary roles and have them only have access to that specific company codes information.
Thanks,
Margaret
Hello Margaret,
that is not possible.
You have to restrict the roles to the specific company codes. Think about the technology of derived roles. That might be the easiest way to adapt the roles.
Regards
Rainer -
Hi,
I would like to replicate a user from one database to another.
Is it possible to generate the SQL code that defines this user, in the purpose of apply this script on another database ?
Thanks.
Hi
You can use DBMS_METADATA package:
SELECT DBMS_METADATA.GET_DDL('USER', 'GOKHAN') FROM DUAL;
SELECT DBMS_METADATA.GET_GRANTED_DDL('ROLE_GRANT', 'GOKHAN') FROM DUAL;
SELECT DBMS_METADATA.GET_GRANTED_DDL('SYSTEM_GRANT', 'GOKHAN') FROM DUAL;
SELECT DBMS_METADATA.GET_GRANTED_DDL('OBJECT_GRANT', 'GOKHAN') FROM DUAL;
I put 'GOKHAN' as sample user name.
Ref: http://download.oracle.com/docs/cd/B19306_01/appdev.102/b14258/d_metada.htm
Best Regards,
Gokhan Atil
If this question is answered, please mark appropriate posts as correct/helpful and the thread as closed. Thanks -
How to block Sql Plus sessions in Oracle 10g
Hi,
I want to block all sql plus sessions in oracle 10g, as we have a application and we need each and every one to use this application not the sql plus session.
Kindly update us as soon as possible, and also thanks in advance.
Understand the concept Karl, but a layered defense seldom works in the IP world. If I manage to get through the firewall, then how can you prevent me access, at IP level, at any other ISO stack layer? If you manage to get through, then your firewall policies could just be too weak :) at least you must have some kind of an IDS infrastructure in place..
what I mean is, you can have infinite number of threats.. and this will be part of your Risk Analysis. Determining all possible threats to the assets, what are being protected and their associated value, and predicting the rate of occurrence.... with all of these you could probably come up with contingency plans and incident response.. And most of all, you should not ignore the fact that people are creative, ingenious, and curious, and they'll prove this to you by testing your security implementations. So you'll have to periodically evaluate your security.. that's why there are audits.. Also, you must balance Security, Performance, Usability, and your Budget.
Yes, you can argue that if the entire firewall goes down (thus no IP defense), then something like DBV (or even denying IPs in sqlnet) can provide some defense. But is that not then a case of too little too late? It's better too little too late, than no protection at all... Imagine if there's no DBV, or if you have not implemented the concept of "Least Privilege"? or if the backups and exports are not encrypted? That would be more devastating.. that's the importance of database security options and features in providing "defense in depth"
I question just what purpose and how effective IP packet security is at higher layers. It can never substitute doing this instead at firewall level. Well, it's not all about network security. All facets must be considered and the inter-relationships should be understood. Like the core information security and access management, physical and personnel security, training them, etc... And all of these are equally important in providing a secure ecosystem
As for security that relies on the client to pass secure data (like executable name or o/s user name)... all this can easily be spoofed. Even if the app and Oracle driver are somehow digitally signed and these signatures can be verified on the server side, we only need to look at Vista to see how secure this really would be. Microsoft attempted to encrypt every single h/w and s/w layer from the physical DVD track to the pixel on the monitor.. and this was defeated. And this was done at o/s kernel level. It is less complex to hack at driver level and even trivial to do it at application level.
Security is about risk management. Blocking SQL*Plus does not negate the risk of SQL from the wild being run on a production server. For example, the client is a VB client using ODBC. It is easy to create a proxy that accepts the ODBC connection from the VB client and proxy the OCI packets to the real Oracle server. Now you have a man-in-the-middle that can inspect every single SQL call made to Oracle, and inject any PL/SQL or SQL code it wants.
Security is far beyond writing a login trigger to deny SQL*Plus sessions and calling that a defense.
Yes I agree with you. That's why there are independent organizations and regulating bodies that provide security best practices, to give us a head start on coming up with strong security policies.
And one of my favorites is the one provided by IASE (sponsored by Defense Information Systems Agency) where there's lot of content regarding hardening and policies
http://iase.disa.mil/stigs/stig/index.html
http://iase.disa.mil/stigs/checklist/index.html
http://iase.disa.mil/stigs/SRR/index.html
- Karl Arao
http://karlarao.wordpress.com -
How to encrypt PL/SQL Code?
Hi All,
I want to share our application code to third party. I don't want them to see our application PL/SQL Code.
I have tried wrapper utility provided by Oracle, however there are un-wrappers available.
Please Let me know the options available to hide my PL/SQL code.
Thanks in advance
Madhu
As Billy says, the only proper way is through legal means.
The next best thing is the wrap utility. Yes, people have produced unwrappers out there, but most companies don't have their own software developers (otherwise they're less likely to be buying code from you), so won't be unwrapping it anytime soon.
I've seen some 3rd party tools that try and obfuscate the code by turning all your variables and suchlike into meaningless names, making it hard for people to follow the code even if they can read it, so if you find a good one of those, and then wrap it as well, you're making it hard for people.
DBMS_CRYPTO, as suggested by the first response on this thread, isn't an option as that is for encrypting or hashing etc. of data, not of PL/SQL code... at least not if you want Oracle to be able to execute the code still. -
SQL code not working inside Java
Below is my code from Java. Here, I'm trying to execute the SQL code below inside my Java coding. It's pretty straight -
ResultSet rs = null;
PreparedStatement prepStmt = null;
String statement="select * from TIMINGTABLE WHERE COUNTRY = 'USA' AND RE_DATE >= TO_DATE('04/11/2012','MM/DD/YYYY') order by COUNTRY";
prepStmt = con.prepareStatement(statement);
rs = prepStmt.executeQuery();
That's it. But it's giving this error ---- SQL syntax error: the token "(" was not expected here
Now, here, when I simply remove this part from the above SQL line ----- AND RE_DATE >= TO_DATE('04/11/2012','MM/DD/YYYY') ----- the code works perfectly.
RE_DATE is a date field in the sql table.
I even tried this option too - TO_DATE(RE_DATE, 'MM/DD/YYYY') >= TO_DATE('04/11/2012','MM/DD/YYYY')
which is giving same error
please help
-prodyut
927428 wrote:
Below is my code from Java. Here, I'm trying to execute the SQL code below inside my Java coding. It's pretty straight -
ResultSet rs = null;
PreparedStatement prepStmt = null;
String statement="select * from TIMINGTABLE WHERE COUNTRY = 'USA' AND RE_DATE >= TO_DATE('04/11/2012','MM/DD/YYYY') order by COUNTRY";
prepStmt = con.prepareStatement(statement);
rs = prepStmt.executeQuery();
That's it. But it's giving this error ---- SQL syntax error: the token "(" was not expected here
Now, here, when I simply remove this part from the above SQL line ----- AND RE_DATE >= TO_DATE('04/11/2012','MM/DD/YYYY') ----- the code works perfectly.
RE_DATE is a date field in the sql table.
I even tried this option too - TO_DATE(RE_DATE, 'MM/DD/YYYY') >= TO_DATE('04/11/2012','MM/DD/YYYY')
which is giving same error
please help
-prodyut
What kind of DB do you use?
How do you connect to it?
(If you use ODBC for example, that won't work) -
OnClick for PL/SQL Code???
Hello,
I created a form and added a button. When that button is pressed, I want to execute PL/SQL code. In the list of JavaScript Event Handlers there is an event 'OnClick'. But I see nothing similar for the PL/SQL Button Event Handler.
Where do I have to put my code?
Thanks for your help.
Nancy.
I don't know how it is on this special app but what I do know is you have to submit your form because PL/SQL procedures run only on the server.
So You click on a button, link or whatever, PL/SQL procedure runs on the server and generates something to output again to client -
Timers stop executing all of a sudden!
Apologies for a lengthy question :-)
I have a dedicated form to which a timer is attached and it polls table every 30 sec to search for some data.
The form is opened on load of the main form and is present through out the app is open.
The timer suddenly stops executing at certain points in time, mostly when there are alerts displayed on the screen. It never expires thereafter, until i go and click on the notification form. Mysteriously as soon as I click on the notification form, the timer expires and it works properly.
three things I require help on....
1. Any explanation as in why the timer stops working and resumes as soon as I click on the form?
Note: There are no "when new block instance" triggers on the form. It has only new-form instance in which we create timer and when timer expired trigger.
2. Any solutions to the above problem. Can I move the focus to that window some how? Where should I use "Go_form"?
3. Any alternatives to this approach to query data periodically from the table?
Thanks and Regards
Shree
Hi
I think (and not sure of) the reason that the timer halts on certain points in time is that Forms does not support multithreading, that means the whole program is running instructions one by one, and if the program reaches an instruction that requires user intervention, any instructions following that will not execute and the program enters a loop waiting for the user; once the user interacts, the program continues with the next instruction. Timers are instructions inside the body of the program and any timer will not execute its triggers if any kind of user intervention is required.
Note : there is a different behavior when using CALL_FORM or OPEN_FORM, one continue executing the following code, and the other does not.
I do not know why this behavior exists in Forms, because Timer (by its name) should not stop executing its triggers no matter what happen in the form.