Usenet, c.d.o.misc: Re: how to link Apache and Oracle?
gmuldoon <gmuldoon_nospam_at_scu.edu.au> wrote
> If you decide you want to segregate your web applications from your
> database (there are arguments for and against that approach, the biggest
> one for being security - firewall the database machine from the 'net)
> and want a simpler path than Java, then I'd suggest PHP rather than Perl
> or any of the proprietary non-Oracle (ColdFusion, etc.) options.
I have a problem with that statement on security. It is a fallacy to think that, with the application in the DMZ and the database behind a firewall, it is secure.
Take an application. Is it safer to run that on a web server in the DMZ? Or in Oracle? Which one is easier to compromise? Who offers the best protection and security?
If I hack into your web server, what then? I not only compromise your web server, but I have access to your applications (Perl, PHP, JSP etc). I can place back doors into your application that will seriously compromise your business - with the likelihood that you will not discover that for some time.
If those applications reside in Oracle, what is compromised? Only the web server. I cannot change application code. Sure, I can run the applications from the web server... just as any other web browser user will run those same applications via that web server.
I could try forging credentials on the web server to fool the application when running it.. but I cannot change application code, cannot compromise the application that way. And clever applications will not be easily fooled by forged credentials from the web server.
So instead I simply change your home page saying something like it's been hacked and send out greetz to fellow dudez. Big deal.
I suggest that you think again about just how safe it is to use Perl, PHP, JSP and the like on a web server as the application front-end into a "secure Oracle" system.
-- Billy

Received on Thu Feb 19 2004 - 04:18:27 CST
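The point above that a compromised web server "cannot change application code" depends on what the web server's database account is allowed to do. The following is an added example, not part of the original post: an Oracle least-privilege layout plus an audit query, using hypothetical names (`app_owner`, `web_conn`, `orders`, `orders_api`), placeholder passwords, and assuming a `USERS` tablespace exists.

```sql
-- Added example; every name here is hypothetical. Run as a DBA account.

-- Owner of tables and code. Locked, so nobody (including the web tier) logs in as it.
CREATE USER app_owner IDENTIFIED BY "placeholder_owner_pw" ACCOUNT LOCK
  QUOTA UNLIMITED ON users;          -- assumes a USERS tablespace

CREATE TABLE app_owner.orders (
  order_id NUMBER        PRIMARY KEY,
  customer VARCHAR2(30)  NOT NULL,
  amount   NUMBER(10,2)  NOT NULL
);

-- Application logic lives in the database and runs with the owner's rights.
CREATE OR REPLACE PACKAGE app_owner.orders_api AUTHID DEFINER AS
  FUNCTION order_total(p_customer IN VARCHAR2) RETURN NUMBER;
END orders_api;
/
CREATE OR REPLACE PACKAGE BODY app_owner.orders_api AS
  FUNCTION order_total(p_customer IN VARCHAR2) RETURN NUMBER IS
    l_total NUMBER;
  BEGIN
    SELECT NVL(SUM(amount), 0) INTO l_total
      FROM orders
     WHERE customer = p_customer;    -- static SQL with a bind, no dynamic SQL
    RETURN l_total;
  END order_total;
END orders_api;
/

-- The only account whose credentials are stored on the web server.
CREATE USER web_conn IDENTIFIED BY "placeholder_web_pw";
GRANT CREATE SESSION TO web_conn;
GRANT EXECUTE ON app_owner.orders_api TO web_conn;

-- Audit: everything granted directly to the web account. Any row beyond
-- CREATE SESSION and EXECUTE on the API (a table grant, a role, an ANY
-- privilege) widens what a compromised web server can reach.
-- Grants made to PUBLIC apply as well and need a separate review.
SELECT 'SYS  ' || privilege AS granted
  FROM dba_sys_privs  WHERE grantee = 'WEB_CONN'
UNION ALL
SELECT 'OBJ  ' || privilege || ' ON ' || owner || '.' || table_name
  FROM dba_tab_privs  WHERE grantee = 'WEB_CONN'
UNION ALL
SELECT 'ROLE ' || granted_role
  FROM dba_role_privs WHERE grantee = 'WEB_CONN';
```

With this layout `web_conn` can call `orders_api` but cannot query `orders` directly or replace the package; the audit query should return exactly two rows.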