Inside your C# code you can reference UDB constructs by importing the IBM.Data.DB2 DLL, which gives you access to the DB2 .NET provider. Because these are CLR routines, this will only work on the Windows operating system.
DB2 UDB 8.2 for LUW is very new—it was released in the second half of 2004. There are no vulnerabilities associated with this advanced feature at the time of writing this chapter. And yet, this advanced feature has the same level of complexity as the features shown previously, and you should tread carefully or prefer using SQL/PL.
7.2 Don't make the database a Web server and don't promote stored procedure gateways
In Chapter 5 you already learned that separation between the database server and the Web/application server is a healthy thing. This is an important guideline and is worth stressing here again. Unfortunately, database vendors try to make the database an architecture for any development and deployment pattern and in doing so include servers that are really not the focus of database operations and that introduce unnecessary vulnerabilities.
The prime example for this is the embedding of the Oracle HTTP Server with the Oracle 9i database. The Oracle HTTP Server is a branded Apache Web server that is installed on your behalf as part of the database. It is located under $ORACLE_HOME/Apache. This added server can create numerous problems—some due to simple vulnerabilities in the Apache server and some that occur when the Web server is allowed broad access to the database. In either case, the recommendation is to not use these features; it is better to have a full-blown application server make “traditional” calls to the database and have security built into both the application layer and the database.
The first set of issues involves known (and unknown) Apache server vulnerabilities. As an example, Oracle Security Alert #45 discusses a whole set of vulnerabilities present in the Oracle HTTP Server released with the Oracle database releases 8.1.7.x, 9.0.1.x, and 9.2.x.
The more complex issue involves the Oracle HTTP Server allowing you (and actually encouraging you) to expose stored procedures to be executed through HTTP requests coming in through the Web server. In effect, the Web server becomes a gateway for database-stored procedures. This is generally not a good thing. Most stored procedures are built as part of a database application and do not have the right level of validation and testing to
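As an added example (not code from the book), the following Python script shows how to audit an Oracle HTTP Server access log for requests that reached the stored procedure gateway described above, flagging any call whose package is not on an application allow-list. The /pls/ URL prefix, the DAD name "portal", and the log lines are assumptions constructed for the example; match the prefix to the Location blocks configured on your own server.

```python
import re
from urllib.parse import urlsplit

# Assumed URL prefix of the Oracle HTTP Server PL/SQL gateway (mod_plsql);
# adjust it to whatever Location blocks are really configured on the server.
GATEWAY_PREFIX = "/pls/"

# Apache combined log format: client, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2005:10:01:02 +0000] "GET /pls/portal/hr_app.show_employee?id=42 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
10.0.0.5 - - [12/Mar/2005:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/4.0"
10.0.0.7 - - [12/Mar/2005:10:02:11 +0000] "POST /pls/portal/admin_pkg.list_users HTTP/1.1" 200 77 "-" "curl/7.10"
this line is not in Apache log format
"""

def parse_gateway_calls(log_text):
    """Return one record per request that reached the PL/SQL gateway."""
    calls = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        path = urlsplit(m.group("target")).path
        if not path.startswith(GATEWAY_PREFIX):
            continue
        # After the prefix comes the DAD name, then schema.package.procedure.
        dad, _, proc = path[len(GATEWAY_PREFIX):].partition("/")
        calls.append({"client": m.group("client"), "dad": dad,
                      "procedure": proc.lower(), "status": int(m.group("status"))})
    return calls

def flag_unexpected(calls, allowed_packages):
    """Gateway calls whose package is not on the application's allow-list.
    Taken literally, the guidance above means an empty allow-list."""
    flagged = []
    for c in calls:
        package = c["procedure"].rpartition(".")[0]  # '' when no package given
        if package not in allowed_packages:
            flagged.append(c)
    return flagged

if __name__ == "__main__":
    for c in flag_unexpected(parse_gateway_calls(SAMPLE_LOG), {"hr_app"}):
        print(f"{c['client']} called {c['dad']}/{c['procedure']} (HTTP {c['status']})")
```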