Re: SQLPLUS Question

From: Mladen Gogala <gogala.mladen_at_gmail.com>
Date: Sat, 16 Jan 2010 20:32:42 +0000 (UTC)
Message-ID: <hit7pa$phc$5_at_solani.org>



On Sat, 16 Jan 2010 20:28:55 +0100, Gerard H. Pille wrote:

> I start sqlplus from a ksh script as a job, send queries to it and read
> the answers. ksh, which is also a full programming language, takes the
> decisions about how to continue.

That is, of course, dangerous baloney wasting system resources. Neither Korn shell nor Bash is a full-fledged programming language, and adding sqlplus to the mix guarantees security breaches. When I encounter a site like that, the first thing I do is the following:

egrep -i "sqlplus|connect" *.sh

The result usually contains username and password combinations for the most important schemas, the ones with the real company data. Sometimes, the developers have a cunning plan and do something like this:

export CONNECTSTRING="scott/tiger@local"

and further down the script one can find

sqlplus $CONNECTSTRING << EOF

Well, guess what? I can get the content of that because I can open and inspect the script. Even simpler, "ps -el|grep sqlplus>/tmp/owt.lis" will reveal all the passwords. Just let me access the database server for 10 minutes and I'll collect your most important passwords. In addition to that, activating programs is a rather expensive operation. Shell does that at every turn: sqlplus, sed, ls, grep and awk are separate programs which have to be found by the shell, access rights checked, all the dynamic libraries checked and loaded, which takes time and resources.

The real solution for scripting is using a real scripting language, like Perl, PHP or Python. Concoctions with shell and sqlplus are cumbersome, hard to read and insecure.

-- 
http://mgogala.freehostia.com
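The two problems Mladen describes, credentials written into the scripts themselves and credentials exposed on the sqlplus command line, can both be checked and avoided from the shell side. The script below is an added example, not part of the original post or of any tool the thread mentions: it builds a few constructed sample scripts, audits them for literal user/password@service strings, and shows the hardened invocation in which the connect string is read from a mode-0600 file and fed to "sqlplus -S /nolog" on stdin, so "ps" only ever shows "sqlplus -S /nolog". The sample file names, the credential-file path and the "connect" line format are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post): audit scripts for embedded
# sqlplus credentials and show a connect pattern that keeps them off argv.

# Create constructed sample scripts in a temp dir and print its path.
setup_samples() {
    dir=$(mktemp -d)
    cat > "$dir/nightly.sh" <<'EOF'
#!/bin/sh
sqlplus scott/tiger@local << SQL
select count(*) from emp;
SQL
EOF
    cat > "$dir/report.sh" <<'EOF'
#!/bin/sh
export CONNECTSTRING="hr/secret@prod"
sqlplus $CONNECTSTRING @report.sql
EOF
    cat > "$dir/safe.sh" <<'EOF'
#!/bin/sh
sqlplus -S /nolog << SQL
connect /
select sysdate from dual;
SQL
EOF
    echo "$dir"
}

# Print "file:line" for every sqlplus, connect or assignment line in the
# directory's *.sh files that carries a literal user/password@service.
scan_for_credentials() {
    grep -En -i 'sqlplus|connect|=' "$1"/*.sh 2>/dev/null \
      | grep -E '[A-Za-z0-9_]+/[^[:space:]"@]+@[A-Za-z0-9_.]+' \
      | cut -d: -f1,2
}

# Emit the stdin stream for "sqlplus -S /nolog": the connect string comes
# from a credential file (one line: user/password@service, assumed format)
# that must be readable only by its owner, followed by the SQL script.
# Usage: build_sqlplus_input ~/.oracle_cred report.sql | sqlplus -S /nolog
build_sqlplus_input() {
    cred_file=$1
    sql_file=$2
    # Refuse group- or world-readable credential files (chars 5-10 of ls -l).
    if [ "$(ls -ld "$cred_file" | cut -c5-10)" != "------" ]; then
        echo "refusing: $cred_file is readable by group or others" >&2
        return 1
    fi
    printf 'connect %s\n' "$(head -n 1 "$cred_file")"
    cat "$sql_file"
    printf 'exit\n'
}

# Demo run on the constructed samples; nightly.sh and report.sh are flagged.
demo_dir=$(setup_samples)
scan_for_credentials "$demo_dir"
rm -rf "$demo_dir"
```

The scan only catches the literal forms shown in the thread (a credential on the sqlplus line or assigned to a variable); a connect string assembled from several variables would still need a manual read of the script. The hardened pattern does not remove the need to protect the credential file, it just moves the secret from a world-readable script and from "ps" output into a file whose mode the function verifies before use.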
Received on Sat Jan 16 2010 - 14:32:42 CST
