Skip to Main Content
  • Questions

  • oracle 12g directory object feature. Is there an equivalent to utl_file_dir='*'?

Breadcrumb

Question and Answer

Chris Saxon

Thanks for the question, Abe.

Asked: September 10, 2018 - 9:45 pm UTC

Last updated: September 12, 2018 - 10:22 am UTC

Version: 12g

Viewed 1000+ times

You Asked

Ok so I am trying to get some things with oracle to work. I am TSQL guy, and new to oracle. The guy who used to manage the Oracle side of things retired. One of our products is pretty old, but still has a large customer base. Some of those customers have expressed wanting to upgrade to 12g.

In testing I found a few issues. Such as password case sensitivity, but was able to find a work around for that. By making some changes in SQL.net file. And than adding the old param. Anyways I think I got them all figured out but this one.

I can't seem to figure out how to get 12g's directory object feature to work like the old param utl_file_dir='*'. What am I missing here? Is there a guide for that? Or do I have to tell the developers of the application they need to make code changes for the new oracle feature. If so... I think we just might end up not supporting the newer version of oracle for a while. No telling how long that will be.

Thanks in advance for any help.

and Chris said...

Setting utl_file_dir to * is a massive security loophole. It allows you to do nasty stuff like overwrite your data files. As Connor explains here:

https://connor-mcdonald.com/2018/06/27/utl_file_dir-and-18c/

Directory objects are a huge improvement because they only allow access to specific locations.

Even if you're not upgrading, you should still change your utl_file code to use directory objects. This stops people with access doing nasty stuff to your database server.

Rating

  (2 ratings)

Is this answer out of date? If it is, please let us know via a Comment

Comments

directory object is not a new feature

Anton, September 11, 2018 - 12:44 pm UTC

I wouldn't call a feature which is around since Oracle 9, more than 15 years ago, a new feature.
Chris Saxon
September 11, 2018 - 12:52 pm UTC

Yep, it's been the "right" way to access the database's file system for ages now.

Abe Mitchell, September 11, 2018 - 5:21 pm UTC

Thanks for the reply. But I don't think I ever called it a new feature. I simply said "12g's directory object feature" as I really didn't know when it was added.

And this product that is being supported is much older than 9g. Some parts of it are still in VB6. But people still use it. And seeing how no ones tried to kill a system yet. Doesn't seem to be such a big issue. As security is mainly enforced by access to the system to begin with. But oh well I got the answer I was looking for. So thanks for that. I will really it to the developers in charge of maintaining it.
Chris Saxon
September 12, 2018 - 10:22 am UTC

And seeing how no ones tried to kill a system yet.

I'm sure someone's said that at most companies that went on to suffer a data breach or malicious attack.

As security is mainly enforced by access to the system to begin with

The more layers you have in your security the better. You never know when someone will find a way to bypass your access control.
more

Connor and Chris don't just spend all day on AskTOM. You can also catch regular content via Connor's blog and Chris's blog. Or if video is more your thing, check out Connor's latest video and Chris's latest video from their Youtube channels. And of course, keep up to date with AskTOM via the official twitter account.

More to Explore

PL/SQL demos

Check out more PL/SQL tutorials on our LiveSQL tool.

PL/SQL docs

PL/SQL reference manual from the Oracle documentation library