Hi,
By reporting the process status with ps, any Unix user will see the command line arguments
#ps -ef
UID PID PPID C STIME TTY TIME CMD
lsc 13837 13825 0 May 11 pts/17 0:01 -ksh
oracle 4698 6294 0 12:00:40 ? 0:00 sqlplus -s system/manager
appluser 4229 4062 0 12:00:03 ? 0:00 sqlldr scott/tiger
So this is a security issue.
1.How the password should not be stored in a shell environment variable
This topic has been discussed many many times on this forum and elsewhere. A simple search of this forum or the Internet will show you many ways to accomplish what you want to do. For example I entered "oracle hide password" in the forum search box and got overy 10 pages of replies.
For Oracle, one way is to store the program in a file and get Oracle to execute it.
sqlplus /NOLOG @programname.sql
Within the file programname.sql the first line will be an Oracle "CONNECT" statement, for example:
connect SYS/change_on_install as SYSDBA ;
This method is really the normal way and by having the program in a file avoids the clash with shell from characters such as "$" .
Don't forget to protect the file from prying eyes with unix permissions.