Archive for category databasejournal

DBJ: Eight Ways to Hack Oracle

I just published the first half of a two part series over at Database Journal called Eight Ways to Hack Oracle.

The article is really an overview of vulnerabilities in the core database product, and how to protect against them. Part one covers SQL injection, a way of putting malformed entries into a web page in order to trick the application into running your query. This can be very dangerous, and is a lot more common than you might think. Next we cover default passwords; those are obvious, right? Except you'd be surprised how many there are, and how much of a pest they turn out to be. Next we talk about brute force methods to get into the database, and how effective they are. And lastly we speak about sneaking information out of the database, and how it can be done.
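As an added illustration of the SQL injection point above (example code written for this page, not part of the Database Journal article, and using SQLite rather than Oracle so it runs anywhere), here is a login check built by string formatting next to the same check using bound parameters. The `users` table and its rows are constructed sample data. The vulnerable version misbehaves on a perfectly legitimate username containing an apostrophe and lets a comment marker in the input drop the password clause; the parameterized version treats every input purely as data.

```python
import sqlite3

# Constructed sample data for the demo only (a real system stores password
# hashes, never plaintext).
SAMPLE_USERS = [("alice", "s3cret"), ("o'brien", "pa55word")]


def make_db():
    """Create an in-memory SQLite database with the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Build the statement with string formatting: whatever the caller typed
    becomes part of the SQL text, so quotes and comment markers in the input
    change the structure of the query instead of being compared as values."""
    sql = (f"SELECT username FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password):
    """Bind parameters: the SQL text is fixed and the driver hands the values
    to the engine separately, so input can only ever be compared as data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def compare(username, password):
    """Run both versions on the same input and report what each returns.
    A statement that no longer parses is reported as 'sql error'."""
    conn = make_db()
    results = {}
    for name, fn in (("vulnerable", login_vulnerable), ("safe", login_safe)):
        try:
            results[name] = fn(conn, username, password)
        except sqlite3.OperationalError:
            results[name] = "sql error"
    conn.close()
    return results


if __name__ == "__main__":
    print(compare("alice", "s3cret"))       # both find alice
    print(compare("o'brien", "pa55word"))   # vulnerable: sql error; safe: o'brien
    print(compare("alice' --", "x"))        # vulnerable: password clause commented out
```

The "sql error" on the apostrophe case is the tell a practitioner looks for in application logs: syntax errors that track user input mean the input is being interpreted as SQL. Bound parameters (or a prepared-statement API in your driver) are the fix; escaping by hand is not.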

In part two of the series we cover listener vulnerabilities, and privilege escalation, which allows some of those underprivileged and default-passworded accounts like scott/tiger to become extremely useful. Lastly we hit on operating system and filesystem vulnerabilities, and how to protect against them.

DBJ: Oracle, MySQL + Postgres Compared Part II

In Part II in this series, I talk about how these three databases compare in some particularly crucial areas.

For instance, how do the optimizers of these different database engines behave, and why does that matter? What types of indexes are available, particularly with respect to typical applications? I then move on to the datatypes available and which are missing. You'll find some surprises here.

Lastly, I discuss transactional support, the holy grail of any modern relational database. Relevant concepts include ACID compliance, read-only versus insert and update activity, and so on.

DBJ: Oracle, MySQL, Postgres Compared

If you're interested in how these three databases measure up in terms of feature sets, take a look at part one of a two-part series I wrote over at Database Journal.

I discuss stored procedures, views, materialized views (snapshots), triggers, and security. Stored procedures and functions are supported on all three databases, as are views and triggers. Although MySQL and Postgres don't support snapshots out of the box, there are ways to get that functionality in a somewhat roundabout way.

Security is always a tricky question, as the bugs out there aren't always publicized. It's sort of a cat-and-mouse game. All three databases support user-based authentication to log in to the database, and various privilege levels to control access to objects and data. Oracle also supports FGA, or fine-grained access control, for column-level control.

That said, I might tend to say that open-source products in general have better security, their source being an open book and all.