Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Usenet -> c.d.o.server -> Re: Tracing SQL Statements Behind a Form

Re: Tracing SQL Statements Behind a Form

From: Pete Finnigan <plsql_at_petefinnigan.com>
Date: Tue, 13 Jul 2004 20:05:36 +0100
Message-ID: <SUYo$mAAKD9ARxIi@peterfinnigan.demon.co.uk> 





Hi Ed,



I have a paper on my site that has many many ways to setting trace for
your own user, another user and at differing levels, you can find it at
http://www.petefinnigan.com/ramblings/how_to_set_trace.htm - Also you
might want to look at a paper i wrote called "Detecting SQL Injection in
Oracle" - it covers a few ways that can be used to trap the SQl sent to
the database from an application or person. Incluing sniffing the
network, sql*net trace, from the SGA, trace, etc. You can find it at
http://www.petefinnigan.com/orasec.htm



Also if the application uses OCI as the lowest client level (not sure if
forms does - i suspect it might use UPI) then there is a tool called
OCISPY that can trap all client OCI calls including SQL. A link to it is
on my tools page http://www.petefinnigan.com/tools.htm



hth



kind regards



Pete

-- 
Pete Finnigan
email:pete_at_petefinnigan.com
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Book:Oracle security step-by-step Guide - see http://store.sans.org for details.


Received on Tue Jul 13 2004 - 14:05:36 CDT












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US