Securely calling stored procedure with APEX URL
I have a web server that needs to call a stored procedure on an Oracle database (v10.2.0.4.0-64bit), and to do so without storing schema credentials on the web server it has been recommended to call the procedure using a URL to APEX, and granting execute privileges on the package storing the procedure to APEX_PUBLIC_USER. However, this allows anyone on the network to call the procedure if they have the URL. Is there any way to make sure that either Apex or the procedure only responds directly to requests from the web server?
Nick,
Assuming you are talking about application server ( not web server ).
It is common practice to create new user on Oracle database (often called proxy user, so you don't have to use schema credentials). Grant this user privileges to call package you need. Then on application server store encrypted credentials for this new user.
Application (java or .net) then connects to Oracle using new user credentials and executes packaged procedure.
Using Apex is the same. You need to have Authentication enabled (hence to store user id and password). If not, it is not secure.
Making any application (including Apex) to respond to request from specific IP is possible by inspecting ip from request header (Apex : UTL_HTTP.GET_HEADER ).
There are problems however:
1.If connection is made by proxy, request ip can change.
2.Hackers can use "ip spoofing" to emulate request from permitted server.
Another option would be to set up proxy server rules, permitting traffic between selected servers only.
HTH
Thomas
Similar Messages
-
How to call stored procedure with multiple parameters in an HTML expression
Hi, Guys:
Can you show me an example to call stored procedure with multiple parameters in an HTML expression? I need to rewrite a procedure to display multiple pictures of one person stored in database by clicking button.
The orginal HTML expression is :
<img src="#OWNER#.dl_sor_image?p_offender_id=#OFFENDER_ID#" width="75" height="75">which calls a procedure as:
procedure dl_sor_image (p_offender_id IN NUMBER)now I rewrite it as:
PROCEDURE Sor_Display_Current_Image(p_n_Offender_id IN NUMBER, p_n_image_Count in number)could anyone tell me the format for the html expression to pass multiple parameters?
Thanks a lot.
SamHi:
Thanks for your help! Your question is what I am trying hard now. Current procedure can only display one picture per person, however, I am supposed to write a new procedure which displays multiple pictures for one person. When user click a button on report, APEX should call this procedure and returns next picture of the same person. The table is SOR_image. However, I rewrite the HTML expression as follows to test to display the second image.
<img src="#OWNER#.Sor_Display_Current_Image?p_n_Offender_id=#OFFENDER_ID#&p_n_image_Count=2" width="75" height="75"> The procedure code is complied OK as follows:
create or replace
PROCEDURE Sor_Display_Current_Image(p_n_Offender_id IN NUMBER, p_n_image_Count in number) AS
v_mime_type VARCHAR2(48);
v_length NUMBER;
v_name VARCHAR2(2000);
v_image BLOB;
v_counter number:=0;
cursor cur_All_Images_of_Offender is
SELECT 'IMAGE/JPEG' mime_type, dbms_lob.getlength(image) as image_length, image
FROM sor_image
WHERE offender_id = p_n_Offender_id;
rec_Image_of_Offender cur_All_Images_of_Offender%ROWTYPE;
BEGIN
open cur_All_Images_of_Offender;
loop
fetch cur_All_Images_of_Offender into rec_Image_of_Offender;
v_counter:=v_counter+1;
if (v_counter=p_n_image_Count) then
owa_util.mime_header(nvl(rec_Image_of_Offender.mime_type, 'application/octet'), FALSE);
htp.p('Content-length: '||rec_Image_of_Offender.image_length);
owa_util.http_header_close;
wpg_docload.download_file (rec_Image_of_Offender.image);
end if;
exit when ((cur_All_Images_of_Offender%NOTFOUND) or (v_counter>=p_n_image_Count));
end loop;
close cur_All_Images_of_Offender;
END Sor_Display_Current_Image; The procedure just open a cursor to fetch the images belong to the same person, and use wpg_docload.download_file function to display the image specified. But it never works. It is strange because even I use exactly same code as before but change procedure name, Oracle APEX cannot display an image. Is this due to anything such as make file configuration in APEX?
Thanks
Sam -
Calling Stored Procedure with TestStand to SQL 2000
When I run the Stored Procedure in the query analyzer it returns the recordset fine. I am not specifying any parameters. I am Using TestStand 2.01 and SQL Server 2000. I am using the OPEN SQL STATEMENT step to call the SP. When I run the SP in TestStand I get no data returned. If I run the SQL statment in TestStand I get the data that I am requesting. Does TestStand not support stored procedures.
Hi,
The instructions that I posted were for TestStand 3.0. In version 3.0 you can call stored procedures with input/output paramateres and to support this functionality the data operation step support several new modes.
TestStand 2.0.1 does not support parameters on stored procedures, but it does support calling stored procedures that do not take parameters. To be able to access the data back from the database you need to set the cursor location (in the Advanced tab of the Open SQL Statement step) to Client (http://digital.ni.com/public.nsf/websearch/0EF68BF97AB1A61F86256B8E007D70C0?OpenDocument).
By changing the cursor to Client I was able to succesfully call a stored procedure from TestStand 2.0.1 and to read back the recordse
t return by the database. Please let me know if you are still experiencing dificulties.
Best regards,
Alejandro del Castillo
National Instruments -
Problem calling stored procedure with user-defined type of input parameters
Hi,
I have to call a stored procedure with IN parameters, but these are user-defined types of input parameters.
function fv_createnews (
pit_groups in T_APPLICATION_USER_GROUPS,
pit_documents in T_DOCUMENTS
return varchar2;
TYPE T_APPLICATION_USER_GROUPS IS
TABLE OF varchar2(500)
INDEX BY binary_integer;
TYPE T_DOCUMENT IS record (
name varchar2(256)
,url varchar2(1024)
,lang varchar2(30)
,foldername varchar2(150)
TYPE T_DOCUMENTS IS
TABLE OF T_DOCUMENT
INDEX BY binary_integer;
How can I do this using the TopLink 10.1.3 API.
I already found following related posts, but I still can' t make it up:
Using VARRAYs as parameters to a Stored Procedure
Pass Object as In/Out Parameter in Stored Procedure
Or do I have to create my own PreparedStatement for this special stored procedure call using Java and Toplink?As the related posts suggest, you will need to use direct JDBC code for this.
Also I'm not sure JDBC supports the RECORD type, so you may need to wrap your stored functions with ones that either flatten the record out, or take OBJECT types. -
Calling stored procedures with parameters with the Database Connectivity Toolkit
Hi all,
I am new to the forum and am having difficulty finding a solution to a particular problem I am having regarding using the LabVIEW Database Connectivity Toolkit on a project I am currently working on at my job. I have a database in which I have tables and stored procedures with parameters. Some of these stored procedures have input, output, and return parameters.
I have been trying to follow this example but to no avail: http://digital.ni.com/public.nsf/allkb/07FD130746083E0686257300006326C4?OpenDocument
One such stored procedure I am working on implementing is named "dbo.getAllowablePNs", which executes "SELECT * from DeviceType" (DeviceType is the table). In this case, it does not require an input parameter, it has an output parameter that generates the table [cluster], and has a return parameter which returns an integer value (execution status code) to show if an error occurred. The DeviceType table has 3 columns; ID (PK, int, not null), PN (nvarchar(15), null), and NumMACAddresses (int, null). I have gone over many examples and have talking to NI support to try to implement this and similar stored procedures in LabVIEW but have not been successful. I am able to connect to the database with the Open Connection VI without error, but am running into some confusion following this step. I am then trying to use the Create Parameterized Query VI to call the stored procedure and set the parameters. I assume I would then use the Set Parameter Value VI for each parameter that is wired into the parameters input on the previous Parameterized Query VI? I am also having some confusion during and following these steps as well. I would greatly appreciate any advice or suggestions anyone might have in regards to this situation as I am not a SQL expert. Also, I would be happy to provide any more information that would be helpful.
Regards,
Jon
Solved!
Go to Solution.Also, I don't know if this would be helpful but here is the actual stored procedure in SQL:
CREATEPROCEDURE [dbo].[getLastSequenceNumber]
@p1 nvarchar(10)='WO-00000'
AS
BEGIN
-- SET NOCOUNT ON added to prevent extra result sets from
-- interfering with SELECT statements.
SETNOCOUNTON;
-- Insert statements for procedure here
selectmax(SequenceNumber)from Devices where WorkOrderNumber= @p1
END
GO -
Call stored procedure with OUT parameter
Hello,
I have created a short-lived process. Within this process I am using the "FOUNDATION > JDBC > Call Stored Procedure" operation to call an Oracle procedure. This procedure has 3 parameters, 2 IN and 1 OUT parameter.
The procedure is being executed correctly. Both IN parameters receive the correct values but I am unable to get the OUT parameter's value in my process.
Rewriting the procedure as a function gives me an ORA-01460 since one of the parameters contains XML (>32K) so this is not option...
Has someone been able to call a stored procedure with an OUT parameter?
Regards,
NicoObject is Foundation, Execute Script
This is for a query, you can change to a stored procedure call. Pull the value back in the Java code then put into the process variable.
import javax.naming.InitialContext;
import javax.sql.DataSource;
import java.sql.*;
PreparedStatement stmt = null;
Connection conn = null;
ResultSet rs = null;
try {
InitialContext ctx = new InitialContext();
DataSource ds = (DataSource) ctx.lookup("java:IDP_DS");
conn = ds.getConnection();
stmt = conn.prepareStatement("select FUBAR from TB_PT_FUBAR where PROCESS_INSTANCE_ID=?");
stmt.setLong(1, patExecContext.getProcessDataLongValue("/process_data/@inputID"));
rs = stmt.executeQuery();
rs.next();
patExecContext.setProcessDataStringValue("/process_data/outData", rs.getString(1));
} finally {
try {
rs.close();
} catch (Exception rse) {}
try {
stmt.close();
} catch (Exception sse) {}
try {
conn.close();
} catch (Exception cse) {} -
Calling stored procedure with output parameters in a different schema
I have a simple stored procedure with two parameters:
PROCEDURE Test1(
pOutRecords OUT tCursorRef,
pIdNumber IN NUMBER);
where tCursorRef is REF CURSOR.
(This procedure is part of a package with REF CURSOR declared in there)
And I have two database schemas: AppOwner and AppUser.
The above stored procedure is owned by AppOwner, but I have to execute this stored procedure from AppUser schema. I have created a private synonym and granted the neccessary privileges for AppUser schema to execute the package in the AppUser schema.
When I ran the above procedure from VB using ADO and OraOLEDB.Oracle.1 driver, I got the following error when connecting to the AppUser schema:
ORA-06550: line 1, column 7:
PLS-00306: wrong number or types of arguments in call to 'TEST1'
ORA-06550: line 1, column 7:
PL/SQL: Statement ignored
but when I was connecting to the AppOwner schema, everything is running correctly without errors.
Also, when I switch to the microsoft MSDAORA.1 driver, I can execute the above procedure without any problems even when connecting to the AppUser schema.
I got this error only when I am trying to execute a stored procedure with an output parameter. All other procedures with only input parameters have no problems at all.
Do you know the reason for that? Thanks!If anyone has figured this one out let me know. I'm getting the same problem. Only in my case I've tried both the "OraOLEDB.Oracle" provider and the "MSDAORA" provider and I get an error either way. Also my procedure has 2 in parameters and 1 out parameter. At least now I know I'm not the only one with this issue. :)
'*** the Oracle procedure ***
Create sp_getconfiguration(mygroup in varchar2, myparameter in varchar2, myvalue out varchar2)
AS
rec_config tblconfiguration.configvalue%type;
cursor cur_config is select configvalue from tblconfiguration where configgroup = mygroup and configparameter = myparameter;
begin
open cur_config;
fetch cur_config into rec_config;
close cur_config;
myvalue := rec_config;
end;
'** the ado code ****
dim dbconn as new adodb.connection
dim oCmd as new adodb.connection
dim ors as new adodb.recordset
dbconn.provider = "MSDAORA" 'or dbconn.provider = "OraOLEDB.Oracle"
dbconn.open "Data Source=dahdah;User ID=didi;Password=humdy;PLSQLRSet=1;"
set ocmd.activeconnection = dbconn
cmd.commandtext = "{call fogle.sp_getconfiguration(?,?)}"
'i've also tried creating a public synonym called getconfiguration and just refering to procedure by that.
' "{call getconfiguration(?, ?)}"
' "{call getconfiguration(?,?, {resultset 1, myvalue})}"
'and numerous numerous other combinations
set oPrm = cmd.createparameter("MYGROUP", advarchar, adparaminput, 50, strGrouptoPassIn$)
cmd.parameters.append oPrm
set oPrm = cmd.createParameter("MYPARAMETER", advarchar, adParamInput, 50, strParameterToPassIn$)
cmdParameters.append oPrm
set rs = cmd.execute -
JDBC-Adapter-Receiver Calling Stored Procedure with Input-Typ Record
Hallo,
I´ m trying calling a stored-procedure with two input-parameter; one of typ record (oracle) and one of type tabel of records. Is this possible (I think there are only types like string, integer etc. possible)? When not is there another possibility to work with that type?
Thanks in advance,
FrankHi Frank,
I think stored procedures will not take Array of Records as a Input. If you want to make a loop funtionality etc then JDBC adapter will work accordingly. You need to just call the stored procedure from the JDBC adapter. It will work for the array of records(multiple occurences).
Receiver JDBC Procedures.
/people/siva.maranani/blog/2005/05/21/jdbc-stored-procedures
Alternative option is you can make use of Java Proxy and from there you can call stored procedure ..I think it is possible.. not tried.
Hope this helps
Regards,
Moorthy -
Calling Stored procedure with Parameters in PowerPivot DataModel
Hi All,
I wanted to call a SQL stored procedure from PowerPivot(Excel) on based on changing slicer's value.
Currently, we can call stored procedure wihtout any parameter from Data Model tab using
Exec stored_proc_name in Table Properties window.
What if I want to call the same procedure with a parameter whouse value will come by changing slicer's value. I meant, changing slicer value will act as a parameter to that stored procedure & it should return updated results.
Is this possible in PowerPivot?Hi Rameshwar,
According to your description, you call a SQL Server stored procedure in PowerPivot data model, now the problem is that you need to pass a parameter to the stored procedure, right?
Based on my research, it seems that we cannot achieve this requirement directly in current version of PowerPivot data model. Here is a similar thread for you reference.
https://social.msdn.microsoft.com/Forums/sqlserver/en-US/5350228d-bc62-4a3b-a1a6-e847483e2858/powerpivot-for-excel-2013-call-execute-stored-procedure-with-parameters?forum=sqlkjpowerpivotforexcel
If you have any concern about this behavior, you can submit a feedback at
http://connect.microsoft.com/SQLServer/Feedback and hope it is resolved in the next release of service pack or product. Your feedback enables Microsoft to make software and services the best that they can be, Microsoft might consider to add this feature
in the following release after official confirmation.
Regards,
Charlie Liao
TechNet Community Support -
Call stored procedure(with parameters) via odbc
In my application I like to use the below statement to call a stored procedure with parameter and return a result set.
{CALL PP.getPerson('daniel')}
but this will just return errors to my application.
If I change the statement to:
{CALL PP.getPerson(?')}
and bind a parameter and its value, it will work.
My question is, is it possible to call a stored procedure via ODBC without binding parameters in application? I mean, what will be my SQL equivalent if I don't want to do parameter binding in my application?
Thanks in advance. I appreciate any help :-)hi
Please see the e.g bellow
create proc proc_test(@SchoolNumber int,@SchoolName
varchar(100),@StudentNumber int, @StudnentName
varchar(100)output ,
@StudentAddress varchar(100) output,
@Studentbirthdate datetime output,
@StudentPhoneNumber varchar(100) output,
@GuardianName varchar(100) output)
as
begin
select @StudnentName varchar=StudnentName ,
@StudentAddress =StudentAddress,
@Studentbirthdate =Studentbirthdate ,
@StudentPhoneNumber =StudentPhoneNumber,
@GuardianName =GuardianName
from table where schoolno=@SchoolNumber
and SchoolName=@SchoolName
and StudentNumber=@StudentNumber
return
end
http://technet.microsoft.com/en-us/library/ms187004(v=sql.105).aspx
http://www.lynda.com/SQL-Server-tutorials/Using-input-output-parameters/104964/113058-4.html
Please mark answered if I've answered your question and vote for it as helpful to help other user's find a solution quicker -
Calling Stored Procedure with CLOB parameter
Hi,
i have one procedure with IN parameter CLOB which is taking xml file and stored in one table column and this table column datatype is also CLOB. And this procedure called by .Net program but problem is when the file will come more than 32KB calling procedure failed. But as i know CLOB can stored up to 4GB data.
Is that Limitation of oracle or .Net version
please let me know the solution for that,
Create Procedure Insert_File(P_XMLFILE IN CLOB)
as
begin
insert into instances
values(p_xmlfile);
commit;
end;
regards,
MadanHi Thanks for your reply,
Actually this procedure called by .net program and the XML file has passed in that parameter which come from some FTP(its inbound) and this files we are storing into above mentioned table.
Error has come while calling stored procedure Through .net
Error Details:
Error calling stored procedure. 0 retry attemps has failed. Error: System.Exception: Error while calling stored procedure on Oracle: INSERT_FILE: System.Data.OracleClient.OracleException: ORA-01460: unimplemented or unreasonable conversion requested -
Calling Stored Procedure with OraClob as parameter IN
I am using Visual C++ and using oo4o the ole way
I am try to call stored procedure that have Clob as parameter in
it seems the the OraParameters Add method don't have the ability since it can only receive variantt.
How do I do it
Thanks
Yoavfyi
Related to the solution/workaround posted by Luc.
see "Do Oracle's JDBC drivers support PL/SQL tables/result sets/records/booleans? "
at http://www.oracle.com/technetwork/database/enterprise-edition/jdbc-faq-090281.html#34_05
regards
Jan Vervecken -
Calling Stored Procedure with in Stored Procedure
I have one stored procedure A, I want to call Stored procedure A from Stored Procedure B and want to give input parameter to Stored Procedure A within Stored Procedure B using while loop.
i.e I have one stored procedure A which uses Telephone number as input parameter and pull out data
I want to create one more stored procedure B which will call stored procedure A internally and give telephone number one by one using while loop and push the result in Table C.>
I have one stored procedure A, I want to call Stored procedure A from Stored Procedure B and want to give input parameter to Stored Procedure A within Stored Procedure B using while loop.
i.e I have one stored procedure A which uses Telephone number as input parameter and pull out data
I want to create one more stored procedure B which will call stored procedure A internally and give telephone number one by one using while loop and push the result in Table C.
>
Doesn't sound a good idea in terms of performance or design. OK, what's your query?
The concept is:
create or replace procedure Proc_A (p_phone varchar2)
is
Begin
Insert into Tablec (col1, col2, col3, phone) values (val1, val2, val3, p_phone);
Exception
When no_data_found then
do what...
End;
Create or Replace Procedure Proc_B as
Begin
For i in (select phone_no from customer)
Loop
Proc_A(i.phone_no);
End Loop;
End;
/Once again, I have to say, it's a bad idea. You may well do it within a single procedure or even a single SQL. Tell us your exact requirements and we'll be able to help you
Edited by: user12035575 on Sep 5, 2011 8:26 PM -
Problem to call stored procedure with several IN pars and single REF Cursor
Hi,
Oracle 9.2.0.1
Ole DB Provider I've got with ODP 9.2.0.4
First I try to call packaged procedure with single
REF CURSOR - it works fine(PROCEDURE getDep(dep OUT DEPART.refcur) IS ...).
When I try to call procedure with additional IN parameter, I get an error ORA-01008: not all variables bound.
Packaged procedure: PROCEDURE getDep(dep OUT DEPART.refcur, i1 IN number) IS .... and so on.
Try to call from C#:
cmd.CommandText = "{call depart.getDep(?)}";
OleDbParameter par0 = cmd.CreateParameter();
par0.Value = some value;
par0.DbType = DbType.Int16;
par0.OleDbType = OleDbType.Integer;
par0.Direction = ParameterDirection.Input;
OleDbDataAdapter da = new OleDbDataAdapter(cmd.CommandText,con);
DataSet ds = new DataSet();
da.Fill(ds);
Connection string:
"Provider=OraOLEDB.Oracle;User Id=scott;Password=tiger;Data Source=ora92;OLEDB.NET=true;PLSQLRSet=true"
Please, HELP !
Thanks in advance,
VyacheslavHi,
Are you using OLEDB.NET driver (System.Data.Oledb) or ODP.NET driver (Oracle.DataAccess)?
If you are using ODP.NET, remember that you need to bind the refcursor output variable also (besides the numbder)
Arnold -
Problems calling stored procedure with DG4IFMX
Hi guys,
I am trying to call stored procedures from Informix Database which is connected through Oracle Database Gateway for Informix.
I have run select,update,delete successfully but when i try to run a stored procedure nothing happens.
for example :
when i run
call "branko"@link_informix(1)
it returns that it is successfully executed, without any error, but as u can see bellow no entry is entered in the branko_test table
at informix :
drop procedure branko;
create procedure "informix".branko(_vlez integer)
returning boolean;
if _vlez = 1 then
insert into branko_test values('test uspesen','1');
else
insert into branko_test values('test uspesen 2','2');
end if;
end procedure;
the procedure runs ok when called from informix.
Thank you for any help
P.S i have even tried running:
declare
ret integer;
begin
ret := DBMS_HS_PASSTHROUGH.EXECUTE_IMMEDIATE@link_informix('execute procedure branko(2)');
end;
but the same thing is happening, no entry in the table branko_test.Found the root cause:
when using dbaccess to call the original procedure it reports on the screen (expression)
=> removing the return value as it is not handled
-> looks like the unhandled return value boolean. Modifying the procedure to
drop procedure branko;
create procedure "informix".branko(_vlez integer)
if _vlez = 1 then
insert into branko_test values('test uspesen','1');
else
insert into branko_test values('test uspesen 2','2');
end if;
end procedure;
allows me to execute the procedure using passthrough
DECLARE
result VARCHAR2(50);
BEGIN
result := DBMS_HS_PASSTHROUGH.EXECUTE_IMMEDIATE@dg4ifmx('execute procedure informix.branko(1)');
END;
Edited by: kgronau on May 6, 2011 7:31 AM
Maybe you are looking for
-
It goes on constantly while the computer i s on, with like a 2 second delay, and to be honest it's driving me mad. I may just end up taking it in, but if I have to get it replaced I dont want to lose all my files and programs.
-
How do I make the type smaller for PDF's in iBook for my iPad Mini Retina Display IOS 7.4
How do I resize the type in PDF's to make it smaller ? to read on my iPad mini. At the moment it looks like 20 point.
-
I get an error message that says "Dyld error Message: Library not loaded @rpath/ilifeslideshowcore.framework/versions/a/ilifeslideshowcore" the reason: image not found Anyone have any idea how to fix this problem. I have reloaded the software from
-
New Photos Library Not Showing up in Media Browser
Hi, all-- I have the new Photos Library app, but I cannot select photos from it in other apps (like Twitter) because it doesn't show up the Media Browser that appears in the sidebar. The Photos Library is stored in my Pictures folder, and although I
-
How to Stop Music After Selection Finishes
I would like to play a selection and have the player stop when finished. I cannot find anything in Preferences that allows that. As it is, the next song in the playlist starts up, and I have to press the Stop button. (iTunes v 9.2.1) How can I do tha