RE: Security Question - how do you deal with sensitive information hardcoded in SQL statements
Date: Mon, 2 May 2011 17:15:19 -0400
Message-ID: <010a01cc090e$0ac470e0$204d52a0$_at_gmail.com>
I've dealt with many applications that use bind variables improperly, mostly on 10g, and have seen this frequently. I haven't tested it on other versions and it is possible that it depends on the client doing the binding.
-----Original Message-----
From: D'Hooge Freek [mailto:Freek.DHooge_at_uptime.be]
Sent: Monday, May 02, 2011 4:06 PM
To: Kenneth Naim; oratune_at_yahoo.com; jkstill_at_gmail.com; 'Oracle-L Freelists'
Subject: RE: Security Question - how do you deal with sensitive information
hardcoded in SQL statements
Kenneth,
Are you sure about this?
I thought I had seen a query when investigating a different problem, which
had both "normal" bind variables and system generated ones.
I can't directly find the example again, but I will see if I can reproduce
it.
Regards,
Freek D'Hooge
Uptime
Oracle Database Administrator
email: freek.dhooge_at_uptime.be
tel +32(0)3 451 23 82
http://www.uptime.be
disclaimer: www.uptime.be/disclaimer
---
From: Kenneth Naim [mailto:kennethnaim_at_gmail.com]
Sent: Monday 2 May 2011 21:35
To: oratune_at_yahoo.com; D'Hooge Freek; jkstill_at_gmail.com; 'Oracle-L
Freelists'
Subject: RE: Security Question - how do you deal with sensitive information
hardcoded in SQL statements
Another caveat with cursor sharing is if the application uses bind variables and literals in the same statement, the literals won't be replaced as the optimizer assumes the developer that chose to use bind variables was smart enough to use them everywhere they should be used.
Ken
Checked by AVG - www.avg.com
Version: 10.0.1325 / Virus Database: 1500/3610 - Release Date: 05/02/11
--
http://www.freelists.org/webpage/oracle-l
Received on Mon May 02 2011 - 16:15:19 CDT
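An added example, not part of the original thread: a rough Python scan of SQL text (for instance, text collected from the shared pool) that flags statements mixing application binds with literals, the case Ken describes, and statements mixing application binds with system-generated `:"SYS_B_n"` binds, the case Freek recalls. The sample statements, table names and verdict labels are constructed, and the tokenizer is an approximation, not an Oracle parser.

```python
import re

# Rough tokenizer for Oracle SQL text; an approximation, not a full parser.
# Alternatives are tried in order, so comments and strings are consumed first.
TOKEN = re.compile(r"""
    (?P<comment>--[^\n]*|/\*.*?\*/)
  | (?P<string>'(?:[^']|'')*')
  | (?P<sysbind>:"SYS_B_\d+")
  | (?P<bind>:[A-Za-z_]\w*|:\d+)
  | (?P<ident>"[^"]*"|[A-Za-z_][\w$]*)
  | (?P<number>\d+(?:\.\d+)?)
""", re.VERBOSE | re.DOTALL)

def classify(sql):
    """Return (verdict, counts) without echoing any literal values."""
    counts = dict.fromkeys(("string", "number", "bind", "sysbind"), 0)
    for m in TOKEN.finditer(sql):
        if m.lastgroup in counts:
            counts[m.lastgroup] += 1
    literals = counts["string"] + counts["number"]
    if literals and counts["bind"]:
        verdict = "mixed-literal"    # literals left next to application binds
    elif counts["bind"] and counts["sysbind"]:
        verdict = "mixed-sysbind"    # application binds plus replaced literals
    elif literals:
        verdict = "literal-only"
    elif counts["sysbind"]:
        verdict = "sysbind-only"
    elif counts["bind"]:
        verdict = "bind-only"
    else:
        verdict = "no-values"
    return verdict, counts

# Constructed sample statements (hypothetical tables and values).
SAMPLES = [
    "SELECT * FROM accounts WHERE owner_id = :id AND api_key = 'k-constructed-123'",
    'SELECT * FROM accounts WHERE owner_id = :id AND region = :"SYS_B_0"',
    "SELECT name FROM t1 WHERE c2 = 42",
    "UPDATE t SET a = :1 WHERE b = :2",
    "SELECT name FROM people WHERE surname = 'O''Brien' -- :not_a_bind",
]

def audit(statements):
    """Return one verdict per statement, in order."""
    return [classify(s)[0] for s in statements]

if __name__ == "__main__":
    for sql, verdict in zip(SAMPLES, audit(SAMPLES)):
        print(f"{verdict:14} {sql[:40]}...")
```

Statements reported as `mixed-literal` are the ones to review first for hardcoded sensitive values; a `mixed-sysbind` result on a given database version is evidence about whether literals are replaced when application binds are also present.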