Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

How to connect to the database using Perl - with two way communication

I was playing with Perl and Oracle a couple of weeks ago and was pulling my hair out trying to build dynamic SQL (I know, I know... SQL injection is an issue) through SQL*Plus with Perl. I wanted to create dynamic strings, pass them to a standard Perl function that would accept the SQL, add in SQL*Plus commands like "set pages 0" and then run the SQL and collect the results into a hash for dealing with. I played forever and could not get it working and, as is usual with these things, the answer to the problem came to me in the middle of the night. I was using a here document and passing it to a backtick command, i.e. the shell was executing it. I realised that it's DOS!!! Or rather the modern (if you can call it modern) equivalent. DOS has no idea about "here documents". I gave up trying to get DOS to work as it's not in the same league as Linux when it comes to simple scripts like this, so I did it on Linux instead.

Out of interest I did a quick search on Google and found an excellent page on Yong Huang's site titled "Oracle and Perl". This is a superb page that explains the ins and outs of piping to and from SQL*Plus using two-way communication. It also gives a simple Perl DBI example and a simple one-way pipe first. The two-way communication example is exactly what I needed for DOS. I didn't try it as I had done what I needed on Linux anyway, but this is a great page and well worth a visit. As usual Yong provides great information.