jon * wrote:
> > Then how to handle security issues regarding the query and result set, because
> > they are embedded in the java code?
>
> create views?
>
> Also, I really have not had to deal with security issues within Oracle
> directly because we know who has access to the database and we are not
> worried about known users screwing things up. What type of application are
> you developing? Are you expecting to give people direct write access that
> you don't know (ie: trust)?
>
> If you are doing an e-commerce system, then Oracle should be off another
> ethernet card on your unix box (and even behind a firewall if you are really
> paranoid) so that there is no way to directly route from the machine running
> the servlet engine (and jdbc) to the machine running Oracle.
>
> i hope that helps,
>
> -jon
>
SQL code in stored procedures is no more "secure" than SQL in the Java source. It
is trivially easy to dump out the stored procedure source if you know the database
username/password (which you need to give to your JDBC driver anyway), especially
if you use a tool like SQL Navigator from Techno Solutions, which has nice
development support for Oracle stored procedures.

My experience with stored procedures is that they help quite a bit (performance
wise) if you do lots of database interactions inside the stored procedure (such as
updating a number of related tables). For single queries or updates, there might
be some minuscule improvements because the SQL is already parsed, but the overhead
of passing function parameters negates whatever benefit you would get from the
stored procedures.

Craig McClanahan
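As an added example (not code from this thread or from either poster), here is the view-based layout jon suggests, combined with Craig's point that the username/password handed to the JDBC driver is the real boundary: the servlet gets its own account that owns nothing and can only reach a view and one procedure, so the credentials in the Java code bound what anyone holding them can do. Oracle syntax; all schema, user and object names are hypothetical.

```sql
-- Owning schema (hypothetical "shop") holds the base table.
-- The application account never receives privileges on it directly.
CREATE TABLE shop.customers (
  id        NUMBER        PRIMARY KEY,
  email     VARCHAR2(200) NOT NULL,
  pwd_hash  RAW(32)       NOT NULL,   -- must never reach the web tier
  balance   NUMBER(10,2)  NOT NULL
);

-- The view exposes only the columns the servlet actually needs.
CREATE VIEW shop.customer_public AS
  SELECT id, email FROM shop.customers;

-- Dedicated account whose credentials go into the JDBC driver.
-- Placeholder password; set a real one outside source control.
CREATE USER webapp IDENTIFIED BY "CHANGE-ME-PLACEHOLDER";
GRANT CREATE SESSION TO webapp;

-- Read path: grant on the view only, nothing on the base table.
GRANT SELECT ON shop.customer_public TO webapp;

-- Write path: a definer's-rights procedure (Oracle's default), so webapp
-- can call this one UPDATE but cannot run arbitrary DML against the table.
CREATE OR REPLACE PROCEDURE shop.change_email(p_id IN NUMBER, p_email IN VARCHAR2) AS
BEGIN
  UPDATE shop.customers SET email = p_email WHERE id = p_id;
END;
/
GRANT EXECUTE ON shop.change_email TO webapp;

-- Check from a DBA session: the only objects webapp can touch should be
-- the view (SELECT) and the procedure (EXECUTE); CUSTOMERS must not appear.
SELECT owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'WEBAPP'
 ORDER BY table_name;
```

The Java side then connects as webapp and issues `SELECT id, email FROM shop.customer_public ...` and `CALL shop.change_email(?, ?)` through PreparedStatement/CallableStatement, so even a leaked username/password cannot read pwd_hash or balance.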
___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".
Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html