Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

Interesting thread on Oracle-l about ftp'ing data into the database

I just saw an interesting thread on Oracle-l titled "Goofy Late Night Idea?", in which the poster discusses the possibility of using ftp to connect to the database and insert data directly into a table. A user could then add a file to the database without an Oracle client, using only a command line and normal ftp commands. Nice idea. As others point out, they had seen demos of this with XMLDB. Ethan then comes back with some pseudocode of what he intended, and then Christian supplies a demo - scroll down a bit. As I said, quite an interesting idea - the thread is worth reading.

The security aspects of an idea like this need to be considered as well, though. Allowing ftp access directly from the net, or even from the intranet, to a production database is a security risk. The use of ftp is usually controlled for security reasons on normal servers, let alone directly into the database where your valuable production data resides. Whilst this is a great idea to stretch the technology, there are security risks to be considered. If files need to be uploaded to an Oracle database, it would be more prudent to create an interface for this task, one in which the user commands and the files to be uploaded can be more finely controlled.