Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Oracle plugs 101 security flaws"] [Next entry: "Oracle fixes 101 flaws"]

Using procedures to access data only

I came across a paper on the OraFAQ website titled "A better view" - by Gojko Adzic

"Accessing the database from the outside world basically comes down to two options - direct querying or executing stored procedures. Procedural access is often chosen for the wrong reasons - making maintenance significantly harder."

This is quite an interesting look at development trends using views to access data rather than going to base tables rather than using procedures for the same. There are some strong comments in opposition and for the author. A good paper though highlighting the issue of data access in general and therefore the security of the data. Using views or procedures or accessing data directly is often a subject for developers of an application. Feureustein often talks about creating access layers in his books to reduce code and SQL reuse. I think its an interesting subject, always causes debate but has some strong aspects for security. I agree in not allowing access to base tables to protect the data but you also have to be careful around dual access paths to the data created by not blocking direct access properly, creating views and procedures and often allowing update and insert paths that actually create different data due to procedural impact. Be careful.