CODE REVIEW ON A COMPLEX 8I DATABASE

I'm trying to efficiently evaluate an existing database which I inherited. What tools are available, either within 8i or elsewhere, that would allow me to list or view the entire application in the sequence that objects, views, macros, etc. are called? I am primarily focused on code but table relationships are important too. It's important to me to both view and print this information.

Oracle Enterprise Manager, TOAD, SQL Navigator, PL/SQL Developer, SQL-Station, etc...
These are just a few tools that you may want to look at.
Good luck.

Similar Messages

  • Database DAO - JDBC Query Class - Code review please

    I use the following class (Database.java) as a DAO for handling all database calls. The class works. You can use this if you're looking for a DAO solution (i.e. a way to query databases using connection pools / JNDI). I am looking for some suggestions on improving this class. Can you help? I.e. suggestions for improving SELECT speed, logic? The class is used by a moderately heavily used Web application (ca. 2000 - 3000 queries a day - so not too much) on a Sun Web Server system.
    This class had the following interfaces:
    getErrors() // for retrieving any errors that occurred during a query
    setSql() // one way to set the SQL that must be run
    setDbName() // one way to set the JNDI name of the database resource
    getInsertDelete() // run the INSERT/DELETE statement that was provided with setSql
    getInsertDelete(String givenSql, String givenDb) // run with provided sql and db
    getClobInsert(String givenSql, String givenDb, Hashtable clobHash, String identifierSql) // clobHash contains the column name and the value (which is a string over 4000 chars). Identifier SQL is the SQL for identifying the row, into which the Clob must be inserted. This interface is specific to Oracle.
    getSelect() // Query database with set SQL. Return as a vector of hashes so I can close connection.
    getSelect(String givenSql, String givenDb) // select with given sql
    And here is the full class. I know, this is a weird post, but we don't really have a code review process here at work, and I don't have a specific problem. Just want some feedback concerning the way I query our databases. So, any tips or comments are welcome.
    package melib.network;

    import java.io.Writer;
    import java.io.StringReader;
    import java.io.IOException;
    import java.util.Vector;
    import java.util.Hashtable;
    import java.sql.Connection;
    import java.sql.Statement;
    import java.sql.ResultSet;
    import java.sql.ResultSetMetaData;
    import java.sql.Clob;
    import javax.sql.DataSource;
    import javax.naming.InitialContext;
    import melib.system.PropertiesReader; // This is just a simple class for pulling values from a .properties file

    /**
     * Manages database connections.
     * @author jetcat33
     * @version 2.0, 2006-07-09
     */
    public class Database {
        protected String sql = "";
        protected String dbName = "";
        private StringBuffer errors = new StringBuffer();

        /** Creates a new instance of Database */
        public Database() {
        }

        /**
         * Check completeness of data
         * for example to check if dbname given or
         * sql given or to make sure that yikes
         * used instead of sccweb in test conditions
         */
        protected boolean checkData(){
            if(dbName.equals("") || sql.equals("")){
                Email.sendMail(PropertiesReader.getValue("statusEmail"),null,"MelibLibraryError","melib error: [Database]","No database selected for query (db: "+dbName+" or sql not included (sql: "+sql+")");
                setErrors("No database selected for query (db: "+dbName+" or sql not included (sql: "+sql+")");
                return false;
            }else{
                return true;
            }
        }

        /**
         * Sets and gets errors resulting from
         * exceptions - otherwise would have to
         * somehow include errors in the results
         * that are returned but that would include
         * other more complicated stuff.
         */
        private void setErrors(String e){
            errors.append("\n"+e);
        }

        public StringBuffer getErrors(){
           return errors;
        }

        /**
         * Setter for the sql variable.
         * @param givenSql The sql required to process
         */
        public void setSql(java.lang.String givenSql) {
            sql = givenSql;
        }

        /**
         * Sets the dbName needed to connect
         * to the correct database.
         * @param givenDbName Name of the database - name and connections specified within this class
         */
        public void setDbName(java.lang.String givenDbName) {
            dbName = givenDbName;
        }

        /**
         * Processes Insert and Delete requests with given SQL and DB Name.
         * @param givenSql
         * @param givenDbName
         * @return String Number of rows affected
         */
        public String getInsertDelete(String givenSql, String givenDbName){
            sql = givenSql;
            dbName = givenDbName;
            return getInsertDelete();
        }

        /**
         * Takes care of insert, update and delete requests.
         * Must have set both dbName as well as the sql String.
         * Will return number of rows affected as String.
         * @return String Number of rows affected
         * @exception Exception
         */
        public String getInsertDelete() {
            int returnValue = 0;
            if(checkData()){
                Connection conn = null;
                InitialContext initContext = null;
                DataSource source = null;
                Statement stmt = null;
                try{
                    // Get connection from configured pool
                    initContext = new InitialContext();
                    source = (DataSource) initContext.lookup("java:comp/env/jdbc/" + dbName);
                    conn = source.getConnection();
                    if(conn != null){
                        stmt = conn.createStatement();
                        returnValue = stmt.executeUpdate(sql);
                    }
                }catch (Exception e){
                    Email.sendMail(PropertiesReader.getValue("statusEmail"),null,"MelibLibraryError","melib error: [Database.getInsertDelete]","getInsertDelete Exception: "+e.toString()+"\nWith: "+sql);
                    setErrors(e.toString());
                }finally{
                    try{
                        stmt.close();
                    }catch(Exception e){
                        e.printStackTrace();
                    }
                    try{
                        conn.close();
                    }catch(Exception e){
                       e.printStackTrace();
                    }
                    try{
                        initContext.close();
                    }catch(Exception e){
                        e.printStackTrace();
                    }
                }
            }
            return returnValue+"";
        }

        /**
         * Processes Insert requests for SQL containing CLOBS
         * @param givenSql
         * @param givenDbName
         * @param clobHash Contains column name of clob and clob text
         * @param identifierSql Contains SQL to identify the just entered SQL so the clobs can be filled in.
         * @return String Number of rows affected
         */
        public String getClobInsert(String givenSql, String givenDbName, Hashtable clobHash, String identifierSql){
            sql = givenSql;
            dbName = givenDbName;
            String returnValue="";
            int rv = 0;
            if(checkData()){
                Connection conn = null;
                InitialContext initContext = null;
                DataSource source = null;
                Statement stmt = null;
                try{
                    // Get connection from configured pool
                    initContext = new InitialContext();
                    source = (DataSource) initContext.lookup("java:comp/env/jdbc/" + dbName);
                    conn = source.getConnection();
                    if(conn != null){
                        conn.setAutoCommit(false);
                        stmt = conn.createStatement();
                        rv = stmt.executeUpdate(sql); // write first time
                        // Now get and overwrite "EMPTY_CLOB()"
                        ResultSet lobDetails = stmt.executeQuery(identifierSql);
                        ResultSetMetaData rsmd = lobDetails.getMetaData();
                        if(lobDetails.next()){
                            for(int i = 1; i <= rsmd.getColumnCount(); i++){
                                if(clobHash.get(rsmd.getColumnName(i))!=null && !clobHash.get(rsmd.getColumnName(i)).equals("")){
                                    Clob theClob = lobDetails.getClob(i);
                                    Writer clobWriter = ((oracle.sql.CLOB)theClob).getCharacterOutputStream();
                                    StringReader clobReader = new StringReader((String) clobHash.get(rsmd.getColumnName(i)));
                                    char[] cbuffer = new char[30* 1024]; // Buffer to hold chunks of data to be written to Clob, the slob
                                    int nread = 0;
                                    try{
                                        while((nread=clobReader.read(cbuffer)) != -1){
                                            clobWriter.write(cbuffer,0,nread);
                                        }
                                    }catch(IOException ioe){
                                       //System.out.println("E: clobWriter exception - " + ioe.toString());
                                    }finally{
                                        try{
                                            returnValue+=" Writing: "+rsmd.getColumnName(i);
                                            clobReader.close();
                                            clobWriter.close();
                                        }catch(IOException ioe2){
                                            //System.out.println("E: clobWriter close exception - " + ioe2.toString());
                                        }
                                    }
                                }
                            }
                        }
                        conn.commit();
                    }
                }catch (Exception e){
                    Email.sendMail(PropertiesReader.getValue("statusEmail"),null,"MelibLibraryError","melib error: [Database.getClobInsert]","getClobInsert Exception: "+e.toString()+"\nWith: "+sql+"\nAND\n"+identifierSql);
                    setErrors(e.toString());
                }finally{
                    try{
                        stmt.close();
                    }catch(Exception e){
                        e.printStackTrace();
                    }
                    try{
                        conn.close();
                    }catch(Exception e){
                       e.printStackTrace();
                    }
                    try{
                        initContext.close();
                    }catch(Exception e){
                        e.printStackTrace();
                    }
                }
                returnValue=rv+" "+returnValue;
            }
            return returnValue;
        }

        /**
         * Takes care of Select statements.
         * Must have set both dbName as well as the sql String.
         * Will return a vector.
         * @return Vector of Hashes containing the Results of the query
         * @exception SQLException
         * @exception Exception
         */
        public Vector getSelect(){
            Vector returnValue = new Vector();
            if(checkData()){
                Connection conn = null;
                InitialContext initContext = null;
                DataSource source = null;
                ResultSet result = null;
                ResultSetMetaData rsmd = null;
                Statement stmt = null;
                try{
                    // Get connection from configured pool
                    initContext = new InitialContext();
                    source = (DataSource) initContext.lookup("java:comp/env/jdbc/" + dbName);
                    conn = source.getConnection();
                    if(conn != null){
                        stmt = conn.createStatement();
                        result = stmt.executeQuery(sql);
                        rsmd = result.getMetaData();
                        while(result.next()){
                            Hashtable hash = new Hashtable();
                            for(int i = 1; i <= rsmd.getColumnCount(); i++){
                                if(result.getString(i) != null){
                                    hash.put(rsmd.getColumnName(i),result.getString(i));
                                }else{
                                    hash.put(rsmd.getColumnName(i),"");
                                }
                            }
                            returnValue.addElement(hash);
                        }
                    }
                }catch (Exception e){
                    Email.sendMail(PropertiesReader.getValue("statusEmail"),null,"MelibLibraryError","melib error: [Database.getSelect]","getSelect Exception: "+e.toString()+"\nWith: "+sql);
                    setErrors(e.toString());
                }finally{
                    try{
                        result.close();
                    }catch(Exception e){
                        e.printStackTrace();
                        setErrors(e.toString());
                    }
                    try{
                        stmt.close();
                    }catch(Exception e){
                        e.printStackTrace();
                        setErrors(e.toString());
                    }
                    try{
                        conn.close();
                    }catch(Exception e){
                       e.printStackTrace();
                       setErrors(e.toString());
                    }
                    try{
                        initContext.close();
                    }catch(Exception e){
                        e.printStackTrace();
                        setErrors(e.toString());
                    }
                }
            }
            return returnValue;
        }

        /**
         * Takes care of Select statements with given SQL.
         * Must have set both dbName as well as the sql String.
         * Will return a vector.
         * @return Vector with Results of the query
         * @exception SQLException
         * @exception Exception
         */
        public Vector getSelect(String givenSql, String givenDbName){
            sql = givenSql;
            dbName = givenDbName;
            return getSelect();
        }
    }

    Thank you,
    dailysun

    too much code that's repeated. refactor all the code you have for closing resources into a utility class and simply call its methods.
    your dao creates the connection, so it can't participate in a transaction. if there are several daos that should be one unit of work, you can't manage it with this framework.
    transactions are under the control of a service layer. I think it's better to have the service object get the connection, pass it to all the DAOs needed for that unit of work, and then have the service close it.
    e-mailing errors? I don't like it. if you have 2-3K queries a day failing because the database you'll have 2-3K e-mails to delete. better to log messages. if you really want e-mail, you can have Log4J add an e-mail appender. at least that way it's configurable outside the code.
    CRUD operations without an UPDATE? You're missing something important.
    What if I don't want to get the database from a JNDI datasource? Now you can't use this DAO without an app server.
    Your error messages are less informative than a stack trace. Why not throw an exception with detailed info?
    have a look at Spring and how it handles persistence. if you insist on writing your own, might want to look at Spring. Rod Johnson has developed a much better, more general way to handle persistence.
    http://www.springframework.org
    You return a Vector of Hashtables for queries? Two old-school data structures. You understand the implication of choosing those, right? I'd recommend that you change that to a List of Maps. Let the concrete types be ArrayList and HashMap. Interfaces are preferred, because they let you change the implementation without affecting clients. Vector and Hashtable are synchronized by default; ArrayList and HashMap are not. Synchronization is thread safe but slower.
    I understand why you chose to return Vector, because you wanted something general that wouldn't force you to deal with object-relational mapping. This way you can just worry about ResultSetMetaData.
    A Vector of Hashtables is a row-based view of the ResultSet (one Hashtable per row). Sometimes a column based view can be more convenient. Then it's a Map of Lists.
    You gave it a good try, but I think there's a lot of room for improvement.

  • Looking for Code Review Resources

    We have completed a complex project using jakarta struts and are in beta testing at the moment.
    Would like to have someone review our code but we have not been able to find experienced developers in our (physical) area.
    Does anyone have suggestions on where I could look to find a qualified individual for independent code review.
    Thank you in advance for your suggestions.

    Just post it here. Some of our fine reviewers will be happy to serve you.
    P.S. Be sure to say that it's homework.

  • How to change the profile value in the pl/sql code without making change in the database

    How to change the profile value in the pl/sql code without making change in the database.

    I have a program where, if the profiles 'printer and number of copies' are set at the user level, by default when the report completes the output will be sent to the printer mentioned in the set-up. But what the user wants is:
    if these profiles are set for the user running this program, automatic printing should not be done.

  • I need the code to delete record in the database not in the form???

    I need the code to delete record in the database not in the form...
    Because when I execute a form it always inserts the data in the database, but I want to insert a value in a text file and delete from the database the record with this value from the text file.
    I'm Spanish and my English is bad, sorry.
    thank, javier

    Well, I fail to understand why you want to complicate easy things, but anyway you can do that by using TEXT_IO within Forms to create text file (see Forms builder help), and UTL_FILE package to read it within Pl/Sql : you could create a stored procedure, and call it from Forms passing the file name as parameter. See UTL_FILE documentation

  • What are the major issues to consider in code review? Or performance analys

    What are the major issues to consider in code review? Or performance analysis?

    I would not recommend you to try to optimize performance by checking the coding.
    There is the code inspector which can do all which makes sense automatically.
    The above mentioned points are not the real issues.
    Instead of code review you should execute test cases and measure the execution time.
    1. With STAD if you want to get good time measurement
    2. With SE30 and ST05, if you want to have data for further analysis.
    Check total time (SE30), check whether DB part is large, then go to SQL trace. Do the check mentioned here
    /people/siegfried.boes/blog/2007/09/05/the-sql-trace-st05-150-quick-and-easy
    to find the SQL bottlenecks.
    The major point about SQL problems is index support, if there is no proper index support then the performance will be poor. Be aware that problems are only visible if your tables are filled.
    In a test system where you have very little data, you will never encounter performance problems.
    Check also the Top10 of the SQ30 hit list.
    Be aware that a proper performance analysis is not a 5 minutes job.
    Siegfried

  • Are there any good tool for checking security risks, Code review, memory leakages for SharePoint projects?

    Are there any good tool for checking security risks, Code review, memory leakages for SharePoint projects?
    I found one such tool "Fortify" in the below link. Are there any such kind of tools available which supports SharePoint?
    Reference: http://www.securityresearch.at/en/development/fortify/
    Amalaraja Fernando,
    SharePoint Architect

    Hi Amalaraja Fernando,
    I'm not sure that there is one more tool that combines all these features. But you may take a look at these solutions:
    SharePoint diagnostic manager
    SharePoint enterprise manager
    What is SPCop SharePoint Code Analysis?
    Dmitry

  • Post Commit code Review Linking in the TFS Warehouse

    Hello
    I am having problems trying to find code reviews associated with a changeset where the review has been after checkin. So the reviews are generated by History view --> double click on the changeset --> Actions --> Request Review.
    I understand that when it's from a changeset (post-checkin), there is only a link from the code review to the changeset and nothing between the Changeset and the code review. However when I am looking through the TFS Warehouse I cannot find any table holding the link between the code review and the changeset. I expected it to be in the FactWorkItemChangeset but it's not there.
    Is this possible from the TFS Warehouse? 
    Thanks for looking.

    Hi SimonAzurec,  
    Thanks for your post.
    Currently, we can only double click on the changeset to check which code review(s) linked to this changeset in Team Explorer. Please refer to the screenshot in this post:
    http://stackoverflow.com/questions/14103788/tfs-2012-how-can-i-tell-if-a-changeset-was-code-reviewed. 
    After you checked in, please open the linked Code Review Request work item in VS; you will find there’s no changeset shown under the LINKS table.
    For this scenario, please submit it to User Voice site at:
    http://visualstudio.uservoice.com/forums/121579-visual-studio. Microsoft engineers will evaluate them seriously.

  • Code Review Tool - Ignore Whitespace

    When I view the comparison in the code review tool, ignore whitespace is on by default. The problem is that it doesn't ignore all whitespace. For example, a method's parameters prior to the change had a space between the start and end of the parameter definition, but after changes the auto format of Visual Studio is different by removing the spaces (different user preference). The code review tool sees this as a difference. Why is that?
    Before:
    public class test
    public TestMethod( string testString )
    After
    public class test
    public TestMethod(string testString)
    This is very frustrating because the very nice visual difference bar to the right of the code comparison becomes useless in these situations. 

    Hi Zpittman,
    What is the ‘Code Review Tool’ you mentioned?
    I assume that you meant the Code Review feature in TFS. I tried it in Visual Studio 2013 with update 4 and TFS 2013 with Update 4, the whitespace was detected and the code review see it as a difference.
    If you don’t get the same result with me using VS and TFS, please upgrade your VS and TFS to the latest update.
    If the issue still exists, please reset your VS settings through Tools->Import and Export settings->Reset all settings->…. and repair your VS.
    If code review tool is a third-party tool or a third-party VS/TFS add-in, the official support of this tool can be a better place to resolve your issue.
    If I misunderstood anything, please feel free to come back.
    Thanks,

  • ABAP Code Review

    Hello Experts--
    I have query where I will require your expert comments. I would like to check the quality of ABAP code with reference to
    (a) Program logic
    (b) Performance issues
    (c) Table joint
    (d) Buffer being used
    (e) Index etc etc
    Is there any tool in SAP or any third party tool which can help to check the quality of code.
    Thanks in advance for your reply.
    Regards
    --Anshuman

    Dear Anshuman,
    Look at the transaction code SCI- Code Inspector and SLIN- Extended program Check - These both together will definitely help you to a large extent in your code review and can help to check your ABAP Code Quality.
    There also can be some obsolete statements which need to be take care of and also some SQL queries which are not longer supported in OOPs context.
    So hope this will help you to a lot extent in determining the Quality Code.
    There are additional Transactions like SE30, ST05 which may help you to know about the performance or time consumption of your programs as such.
    Hope this too helps you.
    Encourage others to answer you queries by suitably rewarding them
    Thanks
    Venugopal

  • [svn:osmf:] 14261: Updated DRM unit tests to work with code review feedback .

    Revision: 14261
    Author:   [email protected]
    Date:     2010-02-18 14:15:23 -0800 (Thu, 18 Feb 2010)
    Log Message:
    Updated DRM unit tests to work with code review feedback.
    Modified Paths:
        osmf/trunk/framework/OSMFTest/org/osmf/elements/TestParallelElementWithDRMTrait.as
        osmf/trunk/framework/OSMFTest/org/osmf/elements/TestSerialElementWithDRMTrait.as
        osmf/trunk/framework/OSMFTest/org/osmf/traits/TestDRMTrait.as
        osmf/trunk/framework/OSMFTest/org/osmf/utils/DynamicDRMTrait.as

    Hello Alex,
    I don't have an answer for you.
    But, can you try to use http://drmtest2.adobe.com:8080/Content/anonymous.f4v with locally hosted OSMF player? This content doesn't require user/pass info.
    I'm wondering that Google TV's flash player doesn't support prompt dialog.
    http://drmtest2.adobe.com/AccessPlayer/player.html requires flash player 11. That's why it won't be loaded with flash player 10.x.
    Thanks,
    -- Hiroshi

  • Code Review

    Hi folks,
    need your assistance here; an example, I gave you a sql statement of almost 20 lines, with so many joins/hint and a lot of other activities too.
    And you've been asked to review that code and provide your input/thoughts/suggestion/advises about this code.
    What'll be your approach, how you'll go about it?
    Statistics are already gathered for all the objects, now what'll be your steps and how you'll take care of this task, please try to explain in a step by step way.
    Thanks in advance.

    Let's take a step back... What is the goal of your code review?
    Are you reviewing the code to see if it returns the expected results? If so, you'd need to understand the requirements, your data model, etc.
    Are you reviewing the code to see if it reuses other code effectively? If so, are there existing views that join several of these tables with the same conditions that could be used so that if the conditions change in the future you only have to update one view rather than hundreds of queries? Are there functions that compute data that you are computing in the query? Are there negative performance implications to using those existing views or functions because, for example, they also join in additional tables that you don't need (note that in very recent versions, Oracle may be able to eliminate those joins)? If so, you'll need to examine whether the benefits of code reuse outweigh the cost of slightly slower performance.
    Are you reviewing the code to see if it follows your organization's standards? Does your organization have standards about SQL 99 join syntax versus older join syntaxes, for example? Does it have standards about how to alias tables in the query or how to indent the code or anything else that an organization might standardize on?
    Are you reviewing the code to examine the performance? If so, what criteria are you using? A code review implies that this is something you're doing before code goes to production. Normally, the developers would have verified performance in the lower environments by doing load tests on representative volumes of data to compare performance against whatever the
    requirements laid out as acceptable. Perhaps it makes sense to compare the query plan generated in production against the query plan that was verified as performing adequately in the lower environments in order to ensure that the performance isn't going to radically degrade when the query runs in production. Perhaps it makes sense to pull an AWR from the test environment from the period during the load test and to review the top SQL statements on that report if they are new. It generally doesn't make sense to try to review the query plan of every query before it goes to production if the developers haven't done the basic level of performance testing in advance-- no one is going to, in general, be able to look at a query plan and give you a "thumbs up" or a "thumbs down" with no context, no requirements, and no background. At most, you could look for yellow flags-- query plans that involve hitting every partition in a table rather than doing partition pruning, queries that return a single row that do table scans rather than using an expected index, queries that return millions of rows that use an index rather than an expected table scan-- in order to figure out what queries are worth focusing on.
    Justin

  • Code Reviewing stored procedures

    Hi team,
    Is there any shortcut way to code review stored procedures in sql.
    Note: Condn. need to check are below
    Checking whether all temp tables dropped, if its not dropped then to identify that table
    checking update and delete statement on physical table which should include PRIMARY KEY column in where condition
    checking Every JOIN stmt shouldn't combine more than five physical tables
    Checking any temp table created like select * into #table from some physical table
    Checking any physical table creation during run time of Sp
    Thanks in advance
    Regards, Muthukumar Balu

    Hi all,
    The following function returns the create temp table and drop temp table statements row-wise. Hence we can count the create temp tables and drop tables. The count will identify the missing drop tables. I am asking for shortcuts like this for code reviewing.
    ===========================================
    Create FUNCTION [dbo].[uftReadfileAsTable]
    (
    @Path VARCHAR(255),
    @Filename VARCHAR(100)
    )
    RETURNS 
    @File TABLE
    (
    [LineNo] int identity(1,1), 
    line varchar(8000)) 
    AS
    BEGIN
    DECLARE  @objFileSystem int
            ,@objTextStream int,
    @objErrorObject int,
    @strErrorMessage Varchar(1000),
       @Command varchar(1000),
       @hr int,
    @String VARCHAR(8000),
    @YesOrNo INT
    select @strErrorMessage='opening the File System Object'
    EXECUTE @hr = sp_OACreate  'Scripting.FileSystemObject' , @objFileSystem OUT
    if @HR=0 Select @objErrorObject=@objFileSystem, @strErrorMessage='Opening file "'+@path+'\'+@filename+'"',@command=@path+'\'+@filename
    if @HR=0 execute @hr = sp_OAMethod   @objFileSystem  , 'OpenTextFile'
    , @objTextStream OUT, @command,1,false,0--for reading, FormatASCII
    WHILE @hr=0
    BEGIN
    if @HR=0 Select @objErrorObject=@objTextStream, 
    @strErrorMessage='finding out if there is more to read in "'+@filename+'"'
    if @HR=0 execute @hr = sp_OAGetProperty @objTextStream, 'AtEndOfStream', @YesOrNo OUTPUT
    IF @YesOrNo<>0  break
    if @HR=0 Select @objErrorObject=@objTextStream, 
    @strErrorMessage='reading from the output file "'+@filename+'"'
    if @HR=0 execute @hr = sp_OAMethod  @objTextStream, 'Readline', @String OUTPUT
    INSERT INTO @file(line) SELECT @String
    END
    if @HR=0 Select @objErrorObject=@objTextStream, 
    @strErrorMessage='closing the output file "'+@filename+'"'
    if @HR=0 execute @hr = sp_OAMethod  @objTextStream, 'Close'
    if @hr<>0
    begin
    Declare 
    @Source varchar(255),
    @Description Varchar(255),
    @Helpfile Varchar(255),
    @HelpID int
    EXECUTE sp_OAGetErrorInfo  @objErrorObject, 
    @source output,@Description output,@Helpfile output,@HelpID output
    Select @strErrorMessage='Error whilst '
    +coalesce(@strErrorMessage,'doing something')
    +', '+coalesce(@Description,'')
    insert into @File(line) select @strErrorMessage
    end
    EXECUTE  sp_OADestroy @objTextStream
    -- Fill the table variable with the rows for your result set
    RETURN 
    END
    ==================================================
    steps to check:
    1. Execute the function in your DB
    2. Store your sql file in some location.
    3. Execute the following query in your DB; the path should be replaced with where you have stored your SQL file
    --QUERY
    Select line from
     Dbo.uftReadfileAsTable('D:\SQL_CODE_REVIEW','filename.sql')
    where line  like '%create%table%#%'
    Select line from
     Dbo.uftReadfileAsTable('D:\SQL_CODE_REVIEW','filename.sql')
    where line  like '%drop%table%#%'
    Regards, Muthukumar Balu
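
The five conditions listed in the question, checked on the script text outside the database, so no `sp_OACreate` call (which needs the 'Ole Automation Procedures' server option switched on) is required. This is an added example, not code from either post; the rule names, the sample procedure and the `primary_keys` mapping are assumptions, and the regex heuristics only point a reviewer at lines to read.

```python
import re
from typing import Dict, Iterator, List, NamedTuple, Optional, Tuple

class Finding(NamedTuple):
    line: int
    rule: str
    detail: str

NOISE = re.compile(r"--[^\n]*|/\*.*?\*/|'(?:[^']|'')*'", re.S)
STMT = re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE|CREATE|DROP)\b", re.I)
NAME = r"[\w.\[\]]+"   # physical object, optionally schema-qualified or bracketed
TEMP = r"##?\w+"       # local (#t) or global (##t) temporary table
MAX_JOINED_TABLES = 5  # limit stated in the question

def blank_noise(sql: str) -> str:
    """Blank out comments and string literals, keeping newlines so line numbers hold."""
    return NOISE.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), sql)

def statements(sql: str) -> Iterator[Tuple[int, str, str]]:
    """Yield (line, keyword, text) for each stretch that starts at a statement keyword.
    A subquery starts a new stretch, so a WHERE that follows one is not seen."""
    hits = list(STMT.finditer(sql))
    ends = [m.start() for m in hits[1:]] + [len(sql)]
    for m, end in zip(hits, ends):
        yield sql.count("\n", 0, m.start()) + 1, m.group(1).upper(), sql[m.start():end]

def bare(name: str) -> str:
    """dbo.[Orders] -> orders"""
    return name.replace("[", "").replace("]", "").split(".")[-1].lower()

def review_procedure(sql: str, primary_keys: Optional[Dict[str, List[str]]] = None) -> List[Finding]:
    pks = {bare(t): [c.lower() for c in cols] for t, cols in (primary_keys or {}).items()}
    findings: List[Finding] = []
    created: Dict[str, Tuple[int, str]] = {}
    dropped = set()
    for line, kw, text in statements(blank_noise(sql)):
        if kw == "CREATE":
            m = re.match(rf"CREATE\s+TABLE\s+({TEMP}|{NAME})", text, re.I)
            if m and m.group(1).startswith("#"):
                created.setdefault(m.group(1).lower(), (line, m.group(1)))
            elif m:
                findings.append(Finding(line, "runtime-create-table", m.group(1)))
        elif kw == "DROP":
            m = re.match(rf"DROP\s+TABLE\s+(?:IF\s+EXISTS\s+)?({TEMP}(?:\s*,\s*{TEMP})*)", text, re.I)
            if m:
                dropped.update(n.lower() for n in re.findall(TEMP, m.group(1)))
        elif kw == "SELECT":
            m = re.match(rf"SELECT\b(.*?)\bINTO\s+({TEMP})", text, re.I | re.S)
            if m:
                created.setdefault(m.group(2).lower(), (line, m.group(2)))
                if m.group(1).strip() == "*":
                    findings.append(Finding(line, "select-star-into-temp", m.group(2)))
        elif kw in ("UPDATE", "DELETE"):
            m = re.match(rf"(?:UPDATE|DELETE(?:\s+FROM)?)\s+([#@]*{NAME})", text, re.I)
            if m and m.group(1)[0] not in "#@":   # temp tables and table variables are exempt
                table = bare(m.group(1))
                where = re.search(r"\bWHERE\b(.*)", text, re.I | re.S)
                cols = pks.get(table, [])
                if not where:
                    findings.append(Finding(line, "dml-no-pk-filter", f"{kw} {table}: no WHERE clause"))
                elif cols and not any(re.search(rf"\b{re.escape(c)}\b", where.group(1), re.I) for c in cols):
                    findings.append(Finding(line, "dml-no-pk-filter",
                                            f"{kw} {table}: WHERE does not use {', '.join(cols)}"))
        tables = re.findall(rf"\b(?:FROM|JOIN)\s+({NAME})", text, re.I)
        if len(tables) > MAX_JOINED_TABLES:
            findings.append(Finding(line, "join-too-many", f"{len(tables)} physical tables"))
    for key, (line, name) in created.items():
        if key not in dropped:
            findings.append(Finding(line, "temp-not-dropped", name))
    return sorted(findings)

# Constructed sample procedure; table and column names are made up.
SAMPLE = """\
CREATE PROCEDURE dbo.usp_CloseOrders @CustomerId INT AS
BEGIN
    -- DROP TABLE #Stage  (commented out, so it must not count as a drop)
    CREATE TABLE #Stage (OrderId INT)
    SELECT * INTO #Snapshot FROM dbo.Orders
    CREATE TABLE dbo.RunLog (Msg VARCHAR(100))
    UPDATE dbo.Orders SET Status = 'closed; DROP TABLE #Stage' WHERE CustomerId = @CustomerId
    DELETE FROM dbo.OrderLines
    SELECT o.OrderId FROM dbo.Orders o
      JOIN dbo.Customers c ON c.Id = o.CustomerId
      JOIN dbo.OrderLines l ON l.OrderId = o.OrderId
      JOIN dbo.Products p ON p.Id = l.ProductId
      JOIN dbo.Suppliers s ON s.Id = p.SupplierId
      JOIN dbo.Regions r ON r.Id = s.RegionId
    DROP TABLE #Snapshot
END
"""
SAMPLE_PKS = {"dbo.Orders": ["OrderId"], "dbo.OrderLines": ["OrderLineId"]}

if __name__ == "__main__":
    for f in review_procedure(SAMPLE, SAMPLE_PKS):
        print(f"line {f.line:>2}  {f.rule:<22} {f.detail}")
```

Because comments and string literals are blanked before matching, the `DROP TABLE #Stage` text inside the comment and inside the quoted value does not hide the missing drop, which a plain `LIKE '%drop%table%#%'` filter would count.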

  • Oracle Apps secure code review

    Is any documentation available (either Oracle or third party based) to guide secure code reviews for Oracle Apps (or more specifically, Oracle Application Framework)?
    I'm aware of the usual sql injection bad practices (as related to JDBC and PLSQL). I'm curious about API abuse, as related to:
    - cross-site scripting concerns
    - client-side trust issues (e.g., hidden field values)
    - improper or inconsistent input validation
    - improper error handling
    - improper session management
    - inappropriate access control
    Thanks.

    Thanks... I looked at that and didn't think it was all in there, but I looked again after I got your reply and it appears to be what we are looking for (at least a starting point).

  • OOP code review

    Hi,
    Can anyone help me on checklist for a OO-ABAP prog code review?
    Thanks.

    Hi,
    Here are some. I don't have a link and site which can give you all that.
    Shall give a few points here:
    1. The nesting of IF statements should be limited.  When multiple conditions are being tested, the appropriateness of the CASE statement should be considered
    2. The CASE statement uses WHEN OTHERS
    3. When possible, do not use the TRANSLATE statement, because it is not efficient.
    4. Always specify your conditions in the Where clause instead of checking
    5. SELECT INTO preferred to SELECT
    6. Avoid select * to the max.
    7. Use primary key while selecting.
    8. Avoid nested selects and nested loops
    9. Avoid the use of the ORDER BY clause on a SELECT statement that sorts by non-indexed fields. 
    10. SORT ITAB ORDER BY preferred over SORT ITAB
    11. Use multiple MOVE statements instead of a single MOVE-CORRESPONDING statement.
    12. LOOP…WHERE is preferred to LOOP/CHECK
    13. use binary search while reading
    14.      Itab2[] = Itab1[] is preferred to
         Loop at Itab1.
         Itab2 = Itab1.
         Append Itab2.
         Endloop.
    15. use DESCRIBE instead of COUNT
    Hope these will help you in your review process.
    Also check out this link:
    http://www.sap-basis-abap.com/abap/abap-4-development-code-efficiency-guidelines.htm
    http://www.ams.utoronto.ca/userfiles/page_attachments/Library/1/Developmentstandards_guidelines_335678.pdf
    Best Regards,
    Anjali
