perl connect oracle db without credentials

 



btran007
New User

Jun 16, 2014, 11:48 AM

Post #1 of 5 (31720 views)
perl connect oracle db without credentials

Hello,

I am looking for suggestions. I want a way to connect to Oracle database without hard coding username/password. I have tried Oracle Wallet and it's not working. Does anyone have an alternate solution other than storing it in an external file?

Thanks


Zhris
Enthusiast

Jun 30, 2014, 11:14 PM

Post #2 of 5 (16800 views)
Re: [btran007] perl connect oracle db without credentials

Hi,

Bit of a late answer but another option could be to store the username and password in environmental variables. I personally store database information in an external configuration file and store the path to this configuration file in an environmental variable (although in reality it's a bit more in depth than how I've described here). In a web environment, this makes it easy for me to control which configuration file a particular site should use when multiple sites use the same scripts / modules.

Chris


(This post was edited by Zhris on Jun 30, 2014, 11:42 PM)


btran007
New User

Jul 1, 2014, 4:33 AM

Post #3 of 5 (16614 views)
Re: [Zhris] perl connect oracle db without credentials

Hi Chris,

Is the configuration file stored outside of the web server? If someone bypasses the web page via command injection, for example, can they access the configuration file and steal the credentials? Our main goal is to have no access to credentials stored anywhere.

Thanks
btran


Zhris
Enthusiast

Jul 1, 2014, 5:00 AM

Post #4 of 5 (16598 views)
Re: [btran007] perl connect oracle db without credentials

Hi,

It is stored out of what I would describe as "web root". In recent projects I design the file system into two parent directories, private and public, public being where the domain points at.

I understand your concern is injection attacks, specifically command based. My advice would be to perform vigorous validation of all user supplied parameters, especially those that are used in system calls. Prevent an attack in the first place. As you are probably already aware, if there is a vulnerability in this area, you have plenty of other things to worry about than just your database data, although your database data is likely the most critical. As far as I can envisage, no matter what you do, an attacker would be able to work their way to your credentials one way or another, even if stored "outside of the web server".

To be OTT, perhaps you could also not make it obvious what and where the database credentials are, encrypt them, store them amongst other data, don't directly refer to them under the database namespace, don't directly access them when connecting etc. Make it as difficult as desired for the attacker to reach, you could even include traps that notify you of suspicious behaviour and give you time to act.

But if an attacker has the ability to run their own / modify code, then they could easily connect to the database in the manner you do / dump parts of the database they require.

Regards,

Chris


(This post was edited by Zhris on Jul 1, 2014, 5:18 AM)
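
The layout described in posts #2 and #4 (path to the configuration file in an environment variable, file kept in a private directory outside the web root), as an added example that is not part of the thread or the posters' own code. The variable name APP_DB_CONFIG, the key=value file format and the sample values are assumptions; the loader refuses a file that resolves under the web root or that other accounts can read.

```perl
use strict;
use warnings;
use Cwd qw(abs_path);
use File::Temp qw(tempdir);

# Load DB settings from the file named in $ENV{APP_DB_CONFIG} (assumed name).
# Fails closed if the file is under the web root or open to group/other.
sub load_db_config {
    my ($web_root) = @_;
    my $path = $ENV{APP_DB_CONFIG} or die "APP_DB_CONFIG is not set\n";
    my $real = abs_path($path)     or die "cannot resolve $path\n";
    my $root = abs_path($web_root) or die "cannot resolve $web_root\n";
    die "$real is inside the web root\n" if index("$real/", "$root/") == 0;
    my @st = stat($real) or die "cannot stat $real: $!\n";
    die "$real is not owned by this user\n" unless $st[4] == $>;
    die sprintf("%s has mode %04o, expected 0600 or stricter\n", $real, $st[2] & 07777)
        if $st[2] & 0077;

    open my $fh, '<', $real or die "cannot open $real: $!\n";
    my %cfg;
    while (my $line = <$fh>) {
        next if $line =~ /^\s*(?:#|$)/;    # skip comments and blank lines
        my ($k, $v) = $line =~ /^\s*(\w+)\s*=\s*(.*?)\s*$/
            or die "malformed line $. in $real\n";
        $cfg{$k} = $v;
    }
    close $fh;
    for my $need (qw(dsn user password)) {
        die "missing '$need' in $real\n" unless defined $cfg{$need};
    }
    return \%cfg;
}

# Constructed demo layout: private/ and public/ side by side, sample values only.
my $base = tempdir(CLEANUP => 1);
mkdir "$base/$_" for qw(private public);
my $file = "$base/private/db.conf";
open my $out, '>', $file or die $!;
print $out "# constructed sample\ndsn = dbi:Oracle:EXAMPLEDB\nuser = app_ro\npassword = not-a-real-password\n";
close $out;
chmod 0644, $file;                         # deliberately too permissive
$ENV{APP_DB_CONFIG} = $file;

eval { load_db_config("$base/public") };
print "rejected: $@";                      # mode check fires
chmod 0600, $file;
my $cfg = load_db_config("$base/public");
print "loaded dsn=$cfg->{dsn} user=$cfg->{user}\n";
# With DBI + DBD::Oracle: DBI->connect(@$cfg{qw(dsn user password)}, { RaiseError => 1 });
```

These checks limit exposure to other local accounts and to files served from the web root; they do not stop code running as the same user, which is the limit post #4 describes.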


btran007
New User

Jul 1, 2014, 5:18 AM

Post #5 of 5 (16580 views)
Re: [Zhris] perl connect oracle db without credentials

Hi Chris,

I agree it's not preventable, but we want to make it as hard as possible for attackers by hardening our code and web server. Thanks for all your suggestions.

btran

 
 

