Re: SQLPLUS Question
From: Jeremy <jeremy0505_at_gmail.com>
Date: Sat, 16 Jan 2010 20:37:15 -0000
Message-ID: <MPG.25bc33d5d2a5c6f99897cd_at_News.Individual.NET>
In article <hit7pa$phc$5_at_solani.org>, gogala.mladen_at_gmail.com says...
> On Sat, 16 Jan 2010 20:28:55 +0100, Gerard H. Pille wrote:
>
>
> > I start sqlplus from a ksh script as a job, send queries to it and read
> > the answers. ksh, which is also a full programming language, takes the
> > decisions about how to continue.
>
> That is, of course, a dangerous baloney wasting system resources. Neither
> Korn shell nor Bash is a full-fledged programming language, and adding
> sqlplus in the mix guarantees security breaches. When I encounter a site
> like that, the first thing I do is the following:
>
> egrep -i "sqlplus|connect" *.sh
>
> The result usually contains username and password combinations for the
> most important schemas, the ones with the real company data. Sometimes,
> the developers have a cunning plan and do something like this:
>
> export CONNECTSTRING="scott/tiger_at_local"
>
> and further down the script one can find
>
> sqlplus $CONNECTSTRING << EOF
>
> Well, guess what? I can get the content of that because I can open and
> inspect the script. Even simpler, "ps -el|grep sqlplus>/tmp/owt.lis" will
> reveal all the passwords. Just let me access the database server for 10
> minutes and I'll collect your most important passwords. In addition to
> that, activating programs is a rather expensive operation. Shell does
> that at every turn: sqlplus, sed, ls, grep and awk are separate programs
> which have to be found by the shell, access rights checked, all the dynamic
> libraries checked and loaded, which takes time and resources.
>
> The real solution for scripting is using a real scripting language, like
> Perl, PHP or Python. Concoctions with shell and sqlplus are cumbersome,
> hard to read and insecure.
All of the above may well be true, however if you are just trying to automate a simple task which involves running a specific set (depending on some conditions in the database for example) of .sql files on demand by the DBA then this may well be the simplest way of achieving the objective.
-- jeremy

Received on Sat Jan 16 2010 - 14:37:15 CST
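The exposure Mladen describes (the connect string sitting in the sqlplus argument list, where `ps` shows it to every local user) has a simple fix that keeps the ksh-plus-sqlplus approach Jeremy wants: start sqlplus with `/nolog` and send `CONNECT` on stdin, reading the credentials from a file only the owner can read. The script below is an added example written for this thread, not code posted by either author; the credential file layout, the file names, the query and the `scott/tiger@orcl` string are all constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Shows the weak pattern quoted above
# (connect string passed as a sqlplus argument, readable from the process
# table) beside a hardened form that keeps the credentials on stdin and in a
# mode-0600 file. Credential file layout (one line "user/password@service"),
# file names and the sample SQL are constructed for the example.

# --- weak: the connect string becomes argv of sqlplus, so "ps -ef" shows it
#     to any local user for the lifetime of the session
weak_cmdline() {
    # $1 = "user/password@service" (the CONNECTSTRING pattern from the thread)
    printf 'sqlplus -S %s\n' "$1"
}

# --- hardened: argv carries only /nolog; CONNECT travels on stdin instead
hardened_cmdline() {
    printf 'sqlplus -S /nolog\n'
}

# Refuse a credential file that group or others can read or write.
# Uses GNU stat first, BSD stat as a fallback.
check_cred_file() {
    f="$1"
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f") || return 1
    # group and other digits must both be 0 (0600, 0400)
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Emit the sqlplus input stream: CONNECT line built from the credential file,
# a WHENEVER directive so a SQL error ends the session with a non-zero exit
# code the calling ksh script can test, the SQL script, then EXIT.
build_stdin() {
    credfile="$1"; sqlfile="$2"
    check_cred_file "$credfile" || return 2
    printf 'CONNECT %s\n' "$(head -n 1 "$credfile")"
    printf 'WHENEVER SQLERROR EXIT SQL.SQLCODE\n'
    cat "$sqlfile"
    printf 'EXIT\n'
}

# Run a SQL script through the hardened invocation. Only this function needs
# a real sqlplus on PATH; the helpers above can be exercised without one.
run_sql() {
    check_cred_file "$1" || { echo "refusing: $1 must be mode 0600 or 0400" >&2; return 2; }
    build_stdin "$1" "$2" | sqlplus -S /nolog
}
```

The credential still exists on disk, but its exposure is now bounded by the file's permissions rather than being broadcast through the process table, and `egrep -i "sqlplus|connect" *.sh` no longer finds a password in the scripts themselves. If the site can deploy an Oracle wallet, `sqlplus /@service` with the external password store removes the plaintext file as well, and the same `build_stdin` layout works unchanged with the `CONNECT` line replaced by `CONNECT /@service`.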