
Re: Adding some random characters to Oracle password

From: Jeff <jeff_at_work.com>
Date: Mon, 01 Nov 2004 16:13:43 GMT
Message-ID: <cm5nbn$rvr$1@cronkite.cc.uga.edu>
In article <4186164e$0$32443$afc38c87_at_news.optusnet.com.au>, "Howard J. Rogers" <hjr_at_dizwell.com> wrote:

>Regarding the original paper, that's not an issue, since both SQL*Plus and
>iSQL*Plus instrument properly. But ODBC applications certainly don't.

Actually, I believe this is also OS-dependent and/or version dependent, since my sqlplusw (version 9.2.0.1.0) reports itself incorrectly as whatever the executable name is. What therefore keeps someone from renaming their sqlplusw executable to match the application executable? Nothing as far as I can tell.

So my next question is (you were good at raising many of the questions that occurred to me as I was reading... including the flaw in the first EMP_SEC), what other things can I check (or do) that'll make it harder to spoof?

One other twist... our client app makes temporary and multiple connections to the database. If it's going to make a bunch of queries at once, the session will be opened at the beginning and closed at the end, but you can expect that there will be plenty of logging in and out as the user does his thing. There is a limit, therefore, as to what can be done in a logon trigger without incurring a noticeable performance penalty to those queries. This might not be the best way to handle things... we could open sessions at the start of a form, but we just didn't want hundreds of sessions sitting idle all day long.

Received on Mon Nov 01 2004 - 10:13:43 CST
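To illustrate the defensive side of the point above (a program name reported by the client is only a weak signal, and a logon trigger on a connect-heavy application has to stay cheap), here is an added example that is not part of the thread: a logon trigger that requires the program name, OS user and client address to match an allow-list together, using one indexed lookup per logon. The `app_client_allow` table, its columns and the `APP_USER` account are assumptions for the example; the V$SESSION lookup by AUDSID and the USERENV attributes used are available on 9i, and the trigger owner needs a direct SELECT grant on V_$SESSION.

```sql
-- Added example (not from the thread). Assumed names: app_client_allow, APP_USER.
-- The program name is still spoofable, so it is never the only thing checked.
CREATE TABLE app_client_allow (
    username   VARCHAR2(30) NOT NULL,
    program    VARCHAR2(48) NOT NULL,   -- value as it appears in V$SESSION.PROGRAM
    os_user    VARCHAR2(30) NOT NULL,
    ip_address VARCHAR2(45) NOT NULL,   -- 'local' for bequeath/IPC sessions
    CONSTRAINT app_client_allow_pk
        PRIMARY KEY (username, program, os_user, ip_address)
);

CREATE OR REPLACE TRIGGER app_client_logon
AFTER LOGON ON DATABASE
DECLARE
    v_user    VARCHAR2(30) := SYS_CONTEXT('USERENV', 'SESSION_USER');
    v_os_user VARCHAR2(30) := SYS_CONTEXT('USERENV', 'OS_USER');
    -- IP_ADDRESS is NULL when the client did not connect over TCP
    v_ip      VARCHAR2(45) := NVL(SYS_CONTEXT('USERENV', 'IP_ADDRESS'), 'local');
    v_program VARCHAR2(48);
    v_matches PLS_INTEGER;
BEGIN
    -- Only the application account is checked. DBA and other accounts are
    -- left alone so a gap in the allow-list cannot lock administrators out.
    IF v_user <> 'APP_USER' THEN
        RETURN;
    END IF;

    -- Program name of the session that is logging on (works on 9i; on 10g and
    -- later SYS_CONTEXT('USERENV','MODULE') avoids the V$SESSION scan).
    SELECT program INTO v_program
      FROM v$session
     WHERE audsid = SYS_CONTEXT('USERENV', 'SESSIONID');

    -- Single primary-key probe: cheap enough for frequent connect/disconnect.
    SELECT COUNT(*) INTO v_matches
      FROM app_client_allow
     WHERE username   = v_user
       AND program    = v_program
       AND os_user    = v_os_user
       AND ip_address = v_ip;

    IF v_matches = 0 THEN
        -- Refusing the logon here ends the session before any query runs;
        -- the failed attempt is visible to auditing configured on LOGON.
        RAISE_APPLICATION_ERROR(-20001,
            'Connection refused: client not on the application allow-list');
    END IF;
END;
/
```

Renaming a binary changes only the `program` column; the OS user and source address come from the network layer and the authenticated OS session, so all three must line up before the logon is accepted.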
