Re: ? Passing userid/password

From: Ian Dixon <uidixon!idixon_at_infocom.co.uk>
Date: 30 Jun 93 20:48:36 GMT
Message-ID: <kRjMsAKPBh107h_at_uidixon.uucp>


In <C9FMHo.68s_at_uk.ac.brookes> p0070621_at_oxford-brookes.ac.uk (Tommy Wareing) writes:
>Paul Beardsell (paul_at_hoxton.demon.co.uk) wrote:
 

>> And then in the C program run from the form using #HOST get the login
>> by using getenv("ORALOGIN").
 

>Under our version of Unix (SunOS version something), using there is
>an option on ps (e to be precise) to display all the environment variables
>available to a process.

On my systems (HP/UX and SCO Unix), ps -ef will show the command line that was used to start the process. That means that if I type sqlplus ian/ians_password, anyone with access to ps can find out how to get into my Oracle account. But on the other hand, how many users do you allow to use the ps command?

>***HAVING THE PASSWORD AS AN ENVIRONMENT VARIABLE IS NOT SAFE***
 
>This may not be the case under other OS's, but do you really want to
>risk this?

The platform on which I use global variables to move the password around is a PC client connecting to a database on a SCO Unix server. In this situation, I believe it to be perfectly safe.

>Either use an OPS$ username, or make it a user exit (which will give
>you the most flexibility anyway).

On my DOS machines, I can specify USERNAME=A_USER in CONFIG.ORA. That machine can then log in to Oracle as OPS$A_USER without giving a password. In my circumstances, that is unacceptable and I will continue to use the global variable technique.

I don't agree that user exits give more flexibility. I've always tried to avoid them because of maintenance difficulties. Also a user exit won't let me run sqlload from inside a form. For that reason, OPS$ is my choice for applications that will run directly on one of our Unix boxes.

Regards

Ian

-- 
--
Ian Dixon                       Email : idixon_at_infocom.co.uk
Reading, England
Received on Wed Jun 30 1993 - 22:48:36 CEST
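
An audit sketch for the exposure discussed in this thread, added here as an example and not part of the original message: it scans `ps -ef` output for sqlplus/sqlload command lines that carry `user/password` and reports them with the password masked. The sample process lines, the `find_exposed` name and the eight-column `ps -ef` layout are assumptions made for the example.

```python
import re

# Oracle client tools named in the thread that take credentials as an argument.
TOOLS = {"sqlplus", "sqlload"}

# user/password with an optional @connect-string, optionally given as userid=...
# A bare "/" (OS-authenticated OPS$ login) or "/nolog" has no user part and
# therefore does not match. A positional relative path such as "data/x" would
# match, so findings are candidates to review, not proof.
CRED = re.compile(
    r"^(?:userid=)?(?P<user>[^/\s@=]+)/(?P<pw>[^@\s]+)(?P<db>@\S+)?$", re.I
)

def find_exposed(ps_lines):
    """Return (uid, pid, tool, masked_arg) for each line exposing a password."""
    findings = []
    for line in ps_lines:
        # Assumed layout: UID PID PPID C STIME TTY TIME CMD (STIME without spaces).
        fields = line.split(None, 7)
        if len(fields) < 8 or fields[0] == "UID":
            continue  # header or short line
        uid, pid, argv = fields[0], int(fields[1]), fields[7].split()
        tool = argv[0].rsplit("/", 1)[-1]  # strip any directory prefix
        if tool not in TOOLS:
            continue
        for arg in argv[1:]:
            m = CRED.match(arg)
            if m:
                masked = f"{m['user']}/****{m['db'] or ''}"
                findings.append((uid, pid, tool, masked))
    return findings

# Constructed sample of `ps -ef` output (not captured from a real system).
SAMPLE = [
    "     UID   PID  PPID  C    STIME TTY      TIME CMD",
    "     ian  1234  1200  0 20:41:07 ttyp1    0:00 sqlplus ian/ians_password",
    "   tommy  1301  1290  0 20:42:10 ttyp2    0:00 sqlplus /",
    "    paul  1350  1340  0 20:43:55 ttyp3    0:01 /usr/oracle/bin/sqlload userid=paul/secret@prod control=load.ctl",
    "    root  1400     1  0 20:44:00 ?        0:00 sqlplus /nolog",
    "     ian  1410  1200  0 20:45:00 ttyp1    0:00 ls -l src/include",
]

if __name__ == "__main__":
    for uid, pid, tool, masked in find_exposed(SAMPLE):
        print(f"{uid} pid={pid} {tool}: password visible on command line ({masked})")
```
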
