Re: SECURITY ALERT: How to avoid snooping by SQL MONITOR (c.d.o.misc)
rwessman_at_us.oracle.com writes
>SECURITY ALERT: How to avoid snooping by SQL MONITORv 1997 08:14
>I don't know about how to stop the tool. However, Oracle passwords are
>always encrypted (as of Oracle7 7.1.6).
>In addition, the Advanced Networking Option can encrypt all of the traffic
>between the client and the server.
TRUE. Oracle is not the problem. Neither is Delphi for that matter. Every
C/S tool probably has such a monitoring utility available. Or should be
not that hard to write. It's just that if you are passing some sensitive
information to the server thru, say, a SQL statement, it leaves your
development environment in pure text format and this tool can listen on
it.
As I said earlier that it's a great debugging/monitoring tool but could
also reveal information which is not meant to be seen by unauthorized users.
Example of such information is PASSWORD sent when enabling a ROLE, etc etc.
First I thought that Delphi parametrized query is the answer but no.
ParamByName command in Delphi which is used to do run time binding
of variables sends a string with quotes around it.
So the command
SET ROLE x IDENTIFIED BY Y
appears to Oracle as
SET ROLE x IDENTIFIED BY 'Y' if Y is assigned using a parameter.
Regards,
Nasir (nnoor_at_cris.com)
Received on Fri Nov 14 1997 - 00:00:00 CST
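
The exposure described in the post above can be checked for on the defender's side. The following is an added example, not part of the original post: it scans captured SQL trace lines for statements that carry a password after IDENTIFIED BY (the SET ROLE case above, quoted or bare) and redacts the secret before the trace is stored or shared. The trace line layout, the function names and the sample lines are assumptions constructed for illustration.

```python
import re

# Matches the secret that follows IDENTIFIED BY: a quoted string ('..' or "..")
# or a bare token, as in SET ROLE / ALTER USER / CREATE USER statements.
_SECRET = re.compile(
    r"""(\bIDENTIFIED\s+BY\s+(?:VALUES\s+)?)   # keyword prefix, kept as written
        ('(?:[^']|'')*'|"[^"]*"|[^\s,;]+)      # the secret itself, replaced
    """,
    re.IGNORECASE | re.VERBOSE,
)


def redact(statement):
    """Return (redacted_statement, number_of_secrets_found)."""
    return _SECRET.subn(lambda m: m.group(1) + "<redacted>", statement)


def scan_trace(lines):
    """Return [(line_no, redacted_line)] for trace lines that carried a secret."""
    findings = []
    for no, line in enumerate(lines, 1):
        clean, hits = redact(line.rstrip("\n"))
        if hits:
            findings.append((no, clean))
    return findings


# Constructed sample trace; the line layout is an assumption, not real tool output.
SAMPLE_TRACE = [
    "08:14:01 SQL Prepare: ORACLE - SELECT ename FROM emp WHERE deptno = :d",
    "08:14:02 SQL Execute: ORACLE - SET ROLE x IDENTIFIED BY 'Y'",
    "08:14:03 SQL Execute: ORACLE - set role a identified by p1, b identified by \"p 2\"",
    "08:14:04 SQL Execute: ORACLE - ALTER USER scott IDENTIFIED EXTERNALLY",
]

if __name__ == "__main__":
    for no, text in scan_trace(SAMPLE_TRACE):
        print(f"line {no}: {text}")
```

Only secrets introduced by IDENTIFIED BY are covered; other places a statement can carry a password are outside this sketch.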