Home -> Mailing Lists -> Oracle-L -> RE: Security Question - how do you deal with sensitive information hardcoded in SQL statements

RE: Security Question - how do you deal with sensitive information hardcoded in SQL statements

From: Kenneth Naim <kennethnaim_at_gmail.com>
Date: Mon, 2 May 2011 17:24:02 -0400
Message-ID: <010e01cc090f$42a8f430$c7fadc90$_at_gmail.com> 





I've never worked on sql server. If I get a chance I'll go through my old
emails and find the exact system/db version/compiler where it happened.

 



Ken

 



From: Stephane Faroult [mailto:sfaroult_at_roughsea.com] 
Sent: Monday, May 02, 2011 5:27 PM


To: Freek.DHooge_at_uptime.be


Cc: Kenneth Naim; oratune_at_yahoo.com; jkstill_at_gmail.com; 'Oracle-L Freelists'
Subject: Re: Security Question - how do you deal with sensitive information
hardcoded in SQL statements

 



Ken,



    I think that you are confusing with SQL Server. Oracle isn't that smart
;-).



Stephane Faroult


RoughSea Ltd <http://www.roughsea.com> 


Konagora <http://www.konagora.com> 


RoughSea Channel on Youtube <http://www.youtube.com/user/roughsealtd> 




On 05/02/2011 10:05 PM, D'Hooge Freek wrote: 



Kenneth,
 


Are you sure about this?


I thought I had seen a query when investigating a different problem, which
had both "normal" bind variablen and system generated ones.
I can't directly find the example again, but I will see if I can reproduce
it.
 
 


Regards,
 
 


Freek D'Hooge


Uptime


Oracle Database Administrator


email: freek.dhooge_at_uptime.be


tel +32(0)3 451 23 82


http://www.uptime.be


disclaimer: www.uptime.be/disclaimer


---



From: Kenneth Naim [mailto:kennethnaim_at_gmail.com] 
Sent: maandag 2 mei 2011 21:35


To: oratune_at_yahoo.com; D'Hooge Freek; jkstill_at_gmail.com; 'Oracle-L
Freelists'


Subject: RE: Security Question - how do you deal with sensitive information
hardcoded in SQL statements
 


Another caveat with cursor sharing is if the application uses bind variables
and literals in the same statement, the literals won't be replaced as the
optimizer assumes the developer that choose to use bind variables was smart
enough to use them everywhere they should be used.
 


Ken
 


--



http://www.freelists.org/webpage/oracle-l
 
 
 







Checked by AVG - www.avg.com


Version: 10.0.1325 / Virus Database: 1500/3610 - Release Date: 05/02/11







Checked by AVG - www.avg.com


Version: 10.0.1325 / Virus Database: 1500/3610 - Release Date: 05/02/11





--



http://www.freelists.org/webpage/oracle-l
Received on Mon May 02 2011 - 16:24:02 CDT












Original text of this message