spawning sqlplus from a pro*c app; security
Date: 23 Jan 1995 13:45:49 -0500
Message-ID: <3g0tgtINN723_at_duncan.cs.utk.edu>
Hi,
I'm developing a client/server app using Oracle (7.0.16) on an IBM RS/6000 running AIX. A desired feature of this app is to allow the user to create a report, and the simplest way I've found to do this is to use a system call to sqlplus, something like:
system("sqlplus uid/password command-file");
The unfortunate part of this method is that someone logged onto the system while the above system call is running can use the "ps -ef" command, and he/she will get the entire string, notably the uid/password.
Is there some way to pass the password to sqlplus from inside an app and not have this vulnerability? Thanks for any advice, pointers to a FAQ, etc., that you'd care to share.
mark
hamby_at_cs.utk.edu
Received on Mon Jan 23 1995 - 19:45:49 CET
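
One way to keep the uid/password out of the "ps -ef" listing, as an added example that is not part of the original post: start sqlplus with no credentials on its command line and send the connect line through a pipe to its standard input. It assumes the installed SQL*Plus accepts -s and /nolog and reads a connect command from stdin; uid/password and command-file are the post's placeholders, and run_with_stdin is a hypothetical helper name.

```c
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: run argv[0] with `script` on its standard input,
 * so secrets travel through a pipe and never appear in the argument list.
 * Returns the child's exit status, or -1 on failure. */
int run_with_stdin(char *const argv[], const char *script)
{
    int fd[2], status;
    size_t left = strlen(script);
    pid_t pid;

    if (pipe(fd) < 0)
        return -1;
    if ((pid = fork()) < 0) {
        close(fd[0]); close(fd[1]);
        return -1;
    }
    if (pid == 0) {                       /* child: pipe becomes stdin */
        dup2(fd[0], STDIN_FILENO);
        close(fd[0]); close(fd[1]);
        execvp(argv[0], argv);
        _exit(127);                       /* exec failed */
    }
    close(fd[0]);
    signal(SIGPIPE, SIG_IGN);             /* process-wide: child may exit early */
    while (left > 0) {
        ssize_t n = write(fd[1], script, left);
        if (n <= 0) break;
        script += n; left -= (size_t)n;
    }
    close(fd[1]);                         /* EOF on the child's stdin */
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Assumed SQL*Plus options; credentials and file name are placeholders. */
    char *const argv[] = { "sqlplus", "-s", "/nolog", NULL };
    const char *script = "connect uid/password\n@command-file\nexit\n";
    return run_with_stdin(argv, script);
}
```

With this arrangement "ps -ef" shows only "sqlplus -s /nolog" for the child process.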