Let me explain a bit more. My standard client/server connection would be ODBC and sqlnet. It is the sqlnet on a web server that worries the Oracle DBA. He feels that the sqlnet could be used by a hacker to send down a damaging command to the Oracle database from the web server.
The Oracle DBA says Oracle Application Server is the preferred route to sending select\insert\update requests to an Oracle database from over the internet.It seems to me that the web browser (client) is talking to the web server, which in turn talks to WC. WC is in your network and behind a firewall I assume. WC in turn talks to Oracle via ODBC. Seems like the standard security should be sufficient (if there is any security sufficient nowadays).
Kevin