Thanks, but your explanation goes nowhere ahead. These
days users/developers know about connect strings from
tnsnames.ora or ODBC connections. Also your process is
so cumbersome that each PC has to have the runtime for
d2k, and so when you change connect strings I think it's
mandatory to change all forms and recompile them.

I think you missed the original query - can any other
tool (like SQL*Plus or Toad) used to access the database be
blocked by using any security feature - and
unfortunately you haven't explained how you block SQL*Plus
with that form code. Basically that form code is
no good to block SQL*Plus from connecting to the
database.

Also, neither have you explained the difference between
alphanumeric and hexadecimal passwords for Oracle. I
know about encryption or hashing processes but I was
interested in the difference between a hexadecimal password
and an alphanumeric password. For starters even the
definitions of alphanumeric passwords and hexadecimal
passwords would do....

Let me know if I am missing anything in this, but I
don't think so....

thanks

--- novice_dba <[Email Address Removed] wrote:
> hi,
> for executing any form executable I require an Oracle user
> name/password and/or connect string.. do you agree with this..
> and that's why you feel how am I doing it without it.. and hence
> you mean... it's not doubtful, it must be next to impossible..
> agreed 1000%...
>
> do the following exercise ...
> open up your d2k, module 1 is highlighted... in the new module..
> you must have a canvas, a block, a field which must be displayed
> on the canvas... without which a form cannot be run...
>
> Now prepare a form executable.. run the form.... it will ask for a
> username/password and connect string... you are 1000% (mean
> thousand pct right) I must pass username/password and connect
> string to connect to oracle...
>
> Now, again open the form ... at form level select the on-logon
> trigger, there write the following code...
>
> DECLARE
>   un VARCHAR2(80) := 'MAHESH';  -- oracle user name
>   pw VARCHAR2(80) := 'MAHESH';  -- password
>   cn VARCHAR2(80) := 'TESTDB';  -- connect string
> BEGIN
>   LOGON(un, pw||'@'||cn);       -- Forms built-in
> END;
>
> again compile your form.. save it... come out of your d2k... run
> the form executable... the form will get executed... how come.....
> it's because of on-logon....
>
> do you know what connect string I passed.. no... and the developer
> knows.. and oracle has understood mahesh identified by mahesh is
> logged in... now the user will be able to execute the
> application.. which will be naturally sql/plsql blocks..
>
> am I not using sql*plus without informing the user of the actual
> oracle username and password... yes... agreed of course that I
> need the d2k runtime on the machine being used... there while
> installing I will not select sql*plus from net*8... and say even
> if sql*plus is there, will he be able to connect with the user
> name password.. which is given to him... no.. as that's the data
> from one of the tables and not the actual oracle
> username/password...
>
> Now.. about.. hexadecimal password...
> as the password is a column in one of my tables... hence any
> privileged user can change it.. by accessing the table.... but
> they can be restricted if we encrypt it... and to do this a
> package is provided by oracle... that you will have to use...
> there we require some work to be done... at our end...
>
> a nice explanation is provided by Tom Kyte of oracle on this at
> the url... as below...
>
> Quote
> You can read more about it at
> http://technet.oracle.com/doc/oracle8i_816/server.816/a76936/dbms_obf.htm#6518
>
> Now, in 8.1.5 and before -- what could you do? Well, most
> passwords are not stored encrypted, but rather they are stored
> HASHED or DIGESTED. For example, in Oracle, the password is not
> encrypted (that would imply there is a decrypt but there is not).
> Instead, to validate a username/password we take them, plus some
> magic "salt" and hash it. This results in a fixed length string
> of some bytes of data. We compare that to the stored hash and if
> they match -- you are in. If not -- you are not.
>
> So, if I was to write my own password check function, I would
> simply glue the USERNAME together with the supplied PASSWORD. I
> would call dbms_utility.get_hash_value to generate some hashes.
> See
> http://technet.oracle.com/doc/oracle8i_816/server.816/a76936/dbms_ut2.htm#1002139
> for info on the hashing package.
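
An added example, not part of the thread and not Oracle's code: the hash-and-compare check described in the quoted passage, sketched in Python. It swaps in salted PBKDF2-HMAC-SHA256 from the standard library for dbms_utility.get_hash_value, which is not a cryptographic hash; the function names, the upper-cased username, the iteration count and the sample user are assumptions. The stored value is the hex encoding of the digest, so presenting that hex string as a password does not verify.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this sketch


def hash_password(username: str, password: str, salt: bytes) -> str:
    """Glue username and password together, hash with the salt, return hex."""
    # The NUL separator keeps ("ab", "c") and ("a", "bc") from colliding.
    material = f"{username.upper()}\x00{password}".encode("utf-8")
    digest = hashlib.pbkdf2_hmac("sha256", material, salt, ITERATIONS)
    return digest.hex()


def create_record(username: str, password: str) -> dict:
    """Build the row an application table would hold: no plaintext password."""
    salt = os.urandom(16)  # fresh random salt per user
    return {
        "username": username.upper(),
        "salt": salt.hex(),
        "pw_hash": hash_password(username, password, salt),
    }


def verify(record: dict, username: str, password: str) -> bool:
    """Re-hash the supplied credentials and compare in constant time."""
    if username.upper() != record["username"]:
        return False
    salt = bytes.fromhex(record["salt"])
    candidate = hash_password(username, password, salt)
    return hmac.compare_digest(candidate, record["pw_hash"])


if __name__ == "__main__":
    # Constructed sample user, not taken from the thread.
    rec = create_record("app_user", "S3cret-Phrase")
    print("stored row:", rec)
    print("correct password:", verify(rec, "app_user", "S3cret-Phrase"))
    print("hex hash as password:", verify(rec, "app_user", rec["pw_hash"]))
```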