Oracle FAQ Your Portal to the Oracle Knowledge Grid

Home -> Community -> Mailing Lists -> Oracle-L -> RE: Oracle security within VB Apps

RE: Oracle security within VB Apps

From: Paul van Dijken <>
Date: Tue, 3 Oct 2000 09:40:25 +0200
Message-Id: <>

We use Oracle roles to implement security. An user is granted connect privilege, a role with just select privileges and one with update privileges. Only the select role is granted default. The update role comes with a password.
On logging into the database, the program calls an Oracle stored procedure. This procedure selects the username and an encrypted password from a table with user-info. The stored procedure decodes the password and tries to grant the update-role to the user.
The user never sees a decoded password (even when he tries to view ODBC tracing)
The developers only see the called procedure, but not the contents. The DBA only sees the encryted passwords. Only the security department and the DBA can see the encryption algorithm. You can use any encryption technique you want. When users try to login outside of the application, they only have select privileges. (You can suppress this too). For more information, see the manuals on roles.


-----Original Message-----
From: Tracy Rahmlow [] Sent: 03 October 2000 00:10
To: Multiple recipients of list ORACLE-L Subject: Oracle security within VB Apps

We currently have several vb apps that connect to oracle through a called routine. This routine has the password hardcoded to allow the connection. Our
front-line users do not have access to the password to our production region,
but obviously our vb developers can figure it out. How do you handle this situation? I find it hard to believe that there is not a way to encrypt the password so that the developer can not view it. If there is a 3rd party tool,
how do you handle preventing a developer from from the application in a shell
vb app to display the password? I appreciate any info that is provided. Note:
I am a dba and have never developed a vb app, therefore there may be an obvious
answer that I am unaware of.


Please see the official ORACLE-L FAQ:

Author: Tracy Rahmlow

Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
San Diego, California        -- Public Internet access / Mailing Lists
To REMOVE yourself from this mailing list, send an E-Mail message to: (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). Received on Tue Oct 03 2000 - 02:40:25 CDT

Original text of this message