Protecting passwords in Sql*Plus


When connecting to SQL*Plus, username and password may be displayed in the list of active processes:

For example, if you connect:
$ sqlplus user/password@sid

then a list of processes will show username and password

$ ps -ef | grep sql 
jdoe    5652  4963  0 10:11 pts/0    00:00:00 sqlplus user/password@sid      
jdoe    5667  5632  0 10:13 pts/1    00:00:00 grep sql
How to protect user credentials when connecting to the database interactively or through a shell script?
(a) First, do not specify the password from the command line. Instead use:
$ sqlplus /nolog @connect.sql     -- and store user credentials in the connect.sql file

(b) If you need the user to enter his or hers credentials, you can use:
#!/bin/bash

echo "Enter username : "
read login
echo "Enter password: "
read -s password

sid=${ORACLE_SID}

sqlplus -s /nolog << EOF
connect ${login}/${password}@${sid}
... your sql code here...
quit
EOF
(c) alternatively, you can read the password from a protected file:
-- Create password file and change file permissions so that no one besides the owner has access
$ cat passowd > mypwdfile
$ chmod 700 mypwdfile

-- Create the script..

#!/bin/bash

user= user_name
pass=`cat mypwdfile`
sqlplus -s ${user}/${pass} << EOF

... perform sqlplus statements

EOF