Dynamically Identifying user issuing SQL statement
Client wants to provide security to certain data by first capturing the identity of every user issuing a SQL statement, then, based on the user and a security table, allow access to certain data. Is this doable? TIA...
Oracle has a whole product centered around this called "Label Security", which I'm guessing may be too much for your needs. Check out this marking shag for info about "virtual private databases" http://technet.oracle.com/deploy/security/oracle8i/pdf/vpd_wp6.pdf
Basically, the idea is that the "old school", but still perfectly fine, way to do it is to create views for each group of users and grant permissions to the views for the appropriate users. Optionally using synonyms into their schemas to give users the same name for the different views.
The virtual private database and similar stuff is hard to explain. I think of it as the db engine auto-adding a where clause to each sql statement based upon who you are. If that makes any sense.
I've tried this a couple of different ways, but have yet to hit upon one that seems easy & generally applicable.
Good Luck -d
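The two approaches described in the reply above (a filtering view granted to users, and a virtual private database policy that makes the engine append a WHERE clause based on who you are), sketched in Oracle SQL as an added example that is not part of the original thread. The APP schema, the ORDERS and USER_ACCESS tables, the ORDERS_POLICY function, the policy name and the ALICE account are all constructed for illustration, and the sketch assumes every person connects with their own database account.

```sql
-- Constructed sample schema: APP.ORDERS holds the protected rows,
-- APP.USER_ACCESS is the security table mapping database users to regions.
CREATE TABLE app.orders (
  order_id NUMBER        PRIMARY KEY,
  region   VARCHAR2(10)  NOT NULL,
  amount   NUMBER(12,2)
);

CREATE TABLE app.user_access (
  username VARCHAR2(30)  NOT NULL,   -- database account name, upper case
  region   VARCHAR2(10)  NOT NULL,
  CONSTRAINT user_access_pk PRIMARY KEY (username, region)
);

INSERT INTO app.user_access (username, region) VALUES ('ALICE', 'EMEA');

-- Approach 1 ("old school"): a view that filters on the calling user.
-- Users are granted the view only, never the base table.
CREATE OR REPLACE VIEW app.my_orders AS
  SELECT o.order_id, o.region, o.amount
  FROM   app.orders o
  WHERE  o.region IN (SELECT ua.region
                      FROM   app.user_access ua
                      WHERE  ua.username = SYS_CONTEXT('USERENV', 'SESSION_USER'));

GRANT SELECT ON app.my_orders TO alice;

-- Approach 2 (virtual private database): the engine calls this function for
-- every statement against APP.ORDERS and appends the returned text as a
-- WHERE clause. The predicate is a constant string; the user's identity is
-- resolved by SYS_CONTEXT at run time, so no user input is concatenated.
-- A user with no row in APP.USER_ACCESS matches nothing (fails closed).
CREATE OR REPLACE FUNCTION app.orders_policy (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2
IS
BEGIN
  RETURN 'region IN (SELECT ua.region
                     FROM   app.user_access ua
                     WHERE  ua.username = SYS_CONTEXT(''USERENV'', ''SESSION_USER''))';
END orders_policy;
/

BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'APP',
    object_name     => 'ORDERS',
    policy_name     => 'ORDERS_BY_REGION',
    function_schema => 'APP',
    policy_function => 'ORDERS_POLICY',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    update_check    => TRUE);   -- reject writes that would land outside the user's regions
END;
/

-- With the policy in place the base table itself can be granted:
GRANT SELECT, INSERT, UPDATE, DELETE ON app.orders TO alice;
-- ALICE's "SELECT * FROM app.orders" now returns EMEA rows only.
```

SYS and accounts holding the EXEMPT ACCESS POLICY privilege are not subject to the policy, so those grants need reviewing alongside the contents of the security table.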
-
APP-ALR-04106: Please correct the user-defined SQL statement for this alert
Hi All,
I have created an alert for the engineering module in R12. It was tested and was working fine. When the user tested it, triggering the alert gave the error "APP-ALR-04106: Please correct the user-defined SQL statement for this alert".
When I verified the alert, it verified and also ran. It parsed the query successfully and when run it fetched a few records.
Need help in resolving the issue.
Thanks in advance.
Regards,
sri
Edited by: user10939296 on Jan 18, 2010 1:16 AM
Hi Sri;
I have already gone through the Note: 948037.1. But this note is related to 11i. The solution provided in the Note is for 11i.
I am facing this issue in R12. Is this patch applicable to R12?
I believe it's not. But you can check Solution part 4 for your instance; at least it can give you an idea. The other notes in Metalink related to the bug are all for R11 too.
I believe it's better to raise an SR while waiting for other forum users to respond to this thread.
Regard
Helios -
Finding the issued SQL statement
Hi All,
A user has issued this:
DROP USER user CASCADE;
and after a while it got hung up.
Since all database users are using the same schema, I cannot find the sid/serial # to kill it. Many users in active and inactive status are found, but I could not identify the user who issued the above SQL.
I know I can extract sid,serial# through v$session view. How can I join this view with other views to identify the sql statement?
Do you know how?
Thanks,
To get the SID and SERIAL # please execute the SQL below:
set lin 500
col username format a15
col terminal format a15
col program format a40
col machine format a25
select s.paddr, p.spid, s.sid, s.serial#, s.terminal, s.machine, s.username, s.status, s.process, s.program, s.module, s.action, s.server
from v$session s, v$process p
where p.addr=s.paddr
order by s.sid
/
To get the SQL statement, take the SID and SERIAL # from the above statement and execute the SQL below:
select x.sql_text from v$sql x, v$session y
where x.hash_value = y.sql_hash_value
and x.address = y.sql_address
and y.sid = &sid
/
-
When I look at snap-ins through ConsoleOne I can see that the ZENworks 7.0.1 snap-in is installed.
I have Novell Client 4.91 SP5 and ZENworks Client 7.0.173.91015 installed on the clients running WinXP Pro SP3.
There are different failures that happen.
Scenario 1:
I install a Latitude D610 with a WinXP Pro SP3 original CD, from scratch. I only install the drivers for the LAN card to get access to the network. I do not install Windows updates etc.
I install the Novell Client 4.91 SP5, and after that I install ZENworks Client 7.0.173.91015. I then apply some registry settings to make the Novell client use the "tab-function" and hide advanced settings etc.
I have my eDir user "ADMIN1" with the policy package with Dynamic Local User set to create a local user with the name Admin, but I'm not using volatile user. So the local Windows user Admin will be saved when logged out.
I log in once with my Admin1 user, and it creates the local profile Admin from Default User (with the help of ZENworks, and the policy Dynamic Local User?). I restart the computer and log in again, and the local profile Admin crashes and a new one is created from Default User, but this local user profile is named Admin.Computername.
I've tested this with at least four other computers (different hardware) so it can't be a driver issue.
I've looked through the local logs, and I can't find anything about any problem with reading the NTUSER.DAT, which could be a problem for loading the local profile.
I even tested this scenario with all Windows updates applied, with two different versions of the ZENworks client and so on. I've been testing this at least 100 times now, and the same failure is happening. I've even tested this in a virtual environment (VMware Workstation).
Scenario 2:
Like the problem described above, in some cases it loses the connection or something between the ZENworks server side and the ZENworks client on the client computer. It does not attempt to use the settings from Dynamic Local User, because I get the Windows login window, and I have to log in to an already existing Windows local account (in other words I can't log in to the Admin profile since I don't know the login information for this account, since it's created by ZENworks / Dynamic Local User settings, and from the settings there you can't set a password, just the name and role of the Windows account that should be created).
And after a while I try again, and then the settings from Dynamic Local User pass through and log me into the (let me say) ZENworks-created local user profile (set by Dynamic Local User settings).
I want to mention that on all the computers that are old, with no reinstallation, I can log in without problem, without any crashes of the Windows local profile.
I've succeeded once without any Windows local profile crash, rebooted this computer over and over again, and no failure. If you succeed twice, it seems like it's fine. But then I reinstalled this computer, just like I did to make it succeed. But this time it failed on the second try, and got a crashed profile.
The server where I have my ZENworks is kind of old hardware; could that be the cause? Could it be some timeouts?
The consultants I use to fix some problems in our environment updated ZENworks on the server side just before Christmas. Could it be any problems with some Windows patch etc.?
Any help would be appreciated!
// Jokohanho
> installed on the clients running WinXP Pro SP3.
<snip>
> I restart the computer and login again, and the local
> profile Admin crashes and creates a new one from Default User but this
> local user profile is named Admin.Computername.
I only know of one XP SP3 issue that could cause this, but it involves a pw
change and RP:
"When you try to log on to a Windows XP SP3-based computer by using a
roaming profile, the roaming profile cannot load."
http://support.microsoft.com/kb/958058
Regards
Rolf Lidvall
Swedish Radio (Ltd) -
Database Control - Dynamically setting the @jc.sql statement 'attribute' ?
Hi,
I have a JCX file that extends a database control. I want to be able to set the
@jc.sql statement 'attribute' value dynamically. There does not seem to be a setProperty()
api in the
DatabaseControl (interface) like there is in some other types of control (e.g.,
FileControl).
The code extract below sets the value statically, however I want to be able to
set this for the method dynamically (say at runtime) and not necessarily at design
time...
I would really appreciate it if someone knows any way that this is possible ...
Thanks very much,
Vishwa
CODE EXTRACT >>>>>>..
public interface PointBaseCustomersControl extends DatabaseControl, com.bea.control.ControlExtension
{
    // Sample database function. Uncomment to use
    // static public class Customer
    // {
    //     public int id;
    //     public String name;
    // }
    //
    // /**
    //  * @jc:sql statement="SELECT ID, NAME FROM CUSTOMERS WHERE ID = {id}"
    //  */
    // Customer findCustomer(int id);
    // Add "throws SQLException" to request that SQLExceptions be thrown on errors.
    static final long serialVersionUID = 1L;
    /**
     * @jc:sql statement="SELECT * FROM CUSTOMER"
     */
    PointBaseCustomersDocument getCustomers();
}
Hello again,
I need some help. I recreated the SQL Inserts with VS 2005
and am not doing something right. I got this from MSDN on how to
insert records using the SqlDataSource Control. Here's what I got,
but I get an exception error Message: ORA-01036: illegal variable
name/number. I know this is an Adobe forum, but this is a basic
ASP.NET question. I'm querying WMI to retrieve computer information
that I send to the TextBoxes. Any help would be appreciated.
protected void bnSubmit_click(object sender, EventArgs e)
{
    SqlDataSource1.Insert();
}
<asp:SqlDataSource ID="SqlDataSource1" runat="server"
ConnectionString="<%$ ConnectionStrings:CAT %>"
ProviderName="<%$ ConnectionStrings:CAT.ProviderName
%>" SelectCommand='SELECT * FROM "HARDWARE"'
InsertCommand="INSERT INTO HARDWARE(SERVICE_TAG, MANUFACTURER,
MODEL, OS, SERVICE_PACK, PROC, RAM, HDD, LAN, LAN_MAC, WIFI,
WIFI_MAC, HDD_SIZE) VALUES
(@SERVICE_TAG,@MANUFACTURER,@MODEL,@OS,@SERVICE_PACK,@PROC,@RAM,@HDD,@LAN,@LAN_MAC,@WIFI, @WIFI_MAC,@HDD_SIZE)">
<insertparameters>
<asp:formparameter name="SERVICE_TAG" formfield="txtSt"
Type="String" />
<asp:formparameter name="MANUFACTURER" formfield="txtMf"
Type="String" />
<asp:formparameter name="MODEL" formfield="txtMd"
Type="String" />
<asp:formparameter name="OS" formfield="txtOs"
Type="String"/>
<asp:formparameter name="SERVICE_PACK" formfield="txtSp"
Type="String" />
<asp:formparameter name="PROC" formfield="txtProc"
Type="String"/>
<asp:formparameter name="RAM" formfield="txtMem"
Type="String"/>
<asp:formparameter name="HDD" formfield="txtHdd"
Type="String"/>
<asp:formparameter name="LAN" formfield="txtLan"
Type="String"/>
<asp:formparameter name="LAN_MAC" formfield="txtLmac"
Type="String"/>
<asp:formparameter name="WIFI" formfield="txtWlan"
Type="String"/>
<asp:formparameter name="WIFI_MAC" formfield="txtLmac"
Type="String"/>
<asp:formparameter name="HDD_SIZE" formfield="txtHds"
Type="String"/>
</insertparameters>
</asp:SqlDataSource> -
Hi,
Is there any way to see the users' SQL scripts, without sql_trace or audit?
Or who is doing what (insert, select, update, ...)?
From the Enterprise Manager I can only see top SQLs.
documentation
documentation
documentation
documentation
After asking 446 RTFM questions, you should know there is documentation.
As you can read, you can use it.
Sybrand Bakker
Senior Oracle DBA -
How to store sql statement in oracle table?
I tried it in this way:
SQL> insert into sql_text values('select invoice,invoice_dt,DT_INVOICED from PS_BI_HDR where DT_INVOICED= '21-JAN-2010' and BILL_STATUS='INV'');
insert into sql_text values('select invoice,invoice_dt,DT_INVOICED from PS_BI_HDR where DT_INVOICED= '21-JAN-2010' and BILL_STATUS='INV'')
ERROR at line 1:
ORA-00917: missing comma
Please help to solve it, I can't use concatenation (||),
because
'select invoice,invoice_dt,DT_INVOICED from PS_BI_HDR where DT_INVOICED= '21-JAN-2010' and BILL_STATUS='INV' '
it is dynamic.
user2060331 wrote:
No, sql statement is a dynamic value inserted by a user for executing it on SQL prompt.
Then use q-literals:
SQL> ACCEPT stmt PROMPT "Enter statement: "
Enter statement: select invoice,invoice_dt,DT_INVOICED from PS_BI_HDR where DT_INVOICED= '21-JAN-2010' and BILL_STATUS='INV'
SQL> insert into sql_text values('&stmt');
old 1: insert into sql_text values('&stmt')
new 1: insert into sql_text values('select invoice,invoice_dt,DT_INVOICED from PS_BI_HDR where DT_INVOICED= '21-JAN-2010' and BILL_STATUS='INV'')
insert into sql_text values('select invoice,invoice_dt,DT_INVOICED from PS_BI_HDR where DT_INVOICED= '21-JAN-2010' and BILL_STATUS='INV'')
ERROR at line 1:
ORA-00917: missing comma
SQL> insert into sql_text values(q'[&stmt]');
old 1: insert into sql_text values(q'[&stmt]')
new 1: insert into sql_text values(q'[select invoice,invoice_dt,DT_INVOICED from PS_BI_HDR where DT_INVOICED= '21-JAN-2010' and BILL_STATUS='INV']')
1 row created.
SQL>
SY. -
hi,
my db now has a strange issue:
SQL statements like "select * from dba_data_files",
"alter system checkpoint", "alter database switch logfile"
get no response.
when I query a user table, or select on a dba_* view,
it works fine.
no user has complained of issues using the system.
also, gathering statistics on fixed views hangs.
not able to shut down.
has anyone ever encountered this before?
Rgds
Hi,
I need to know what the wait event is from your session.
In fact I've already seen this kind of behaviour some times, but the RCA was totally different in all cases.
Please do the following:
1 Connect to the server using sqlplus as sysdba
sqlplus /nolog
connect / as sysdba
2 Attach to Your session:
oradebug setmypid
3 Set the trace to Your session
oradebug event 10046 trace name context forever, level 8
4 Get the tracefile_name
oradebug tracefile_name
5 Execute the statement
For example:
select * from dba_data_files;
6 After a while, cancel the statement using CTRL+C
7 Go to the user_dump_directory and format the trace file (the name you got in step 4).
tkprof <TRACEFILE_NAME> <TRACEFILE_NAME>.txt sort=exeela
8 Edit the tracefile output copy and paste here the lines from the statement until the Wait events.
With this data, I'll try to help You.
Regards,
Cerreia -
EarlyWatch - Expensive SQL Statements help
Hi all,
i need to analyze an EWA report and i don't know how exactly can i identify an "expensive SQL statement".
The report says:
During this session, the following expensive SQL statements were identified as causing a database load of at least 1%.
The corresponding stored procedure names are referenced in the table below.
And in the table with stored procedure names, a row looks like this:
ID Stored Procedure Name
1 ##Y4DCWWES7EHY100000053960000254832042037
What does it mean and how can i identify the name of program and the exact statement (probably select) that is causing this problem?
Thank you,
Ondrej
Hi Ondrej,
you're running on SQL Server. SAP creates stored procedures for each and every statement run against the database. The name you get seems to be a temporary stored procedure which (if I'm not wrong) is marked by the two # characters at the beginning. You may still find it in the stored procedures of your system.
Open the Enterprise Manager and open your database, then the stored procedure link (you should run the Enterprise Manager on the server or on a PC with enough RAM). Then search for the procedure and double-click on it. I think that should show you the SQL statement. The report name should also be there in a comment.
Regards
Ralph -
i am looking for a sql statement monitor, similar to mssql's sql profiler.
is there a tool that allows the user to monitor all sql statements run by a specific user or sql statements received by a certain schema?
statement tracer for oracle doesn't work. i don't know why.
in EM (10g), there is the sessions > sql tab but it is not real time.
i tried toad but i can't easily install it on the client. any other ways of doing it?
any other solutions?
Edited by: jdm811 on Jul 19, 2011 12:59 AM
V$SESSION tells you about current sessions, whether they are active (STATUS), what they are executing (SQL_ID) and other metadata available about the session (MODULE, PROGRAM, MACHINE, TERMINAL, etc).
http://download.oracle.com/docs/cd/B19306_01/server.102/b14237/dynviews_2088.htm#REFRN30223
ASH - Active Session History - contains samples of active sessions - like most dictionary views, etc the exact columns depends on version.
As mentioned above, you need to be licensed for Diagnostic Pack for this.
V$ACTIVE_SESSION_HISTORY is a buffer of active sessions sampled every second.
The buffer is flushed to DBA_HIST_ACTIVE_SESS_HISTORY but by default only 1 in 10 sessions is retained in the repository.
http://download.oracle.com/docs/cd/B19306_01/server.102/b14211/autostat.htm#i35568
If you need more data and more detail than this then you should look at enabling AUDIT:
http://download.oracle.com/docs/cd/B19306_01/server.102/b14220/security.htm#sthref2916 -
Tkprof : 0 user SQL statement in trace file
Hello!
Please explain: what is the difference between tkprof converting a user session trace file and one from an internal/background process?
Do I get the message "0 user SQL statement in trace file" because of this difference?
In my target session I issued:
begin
sys.dbms_system.set_ev(...., .., 10046, 12, '');
end;
/
begin
sys.dbms_system.set_ev(..., .., 10053, 1, '');
end;
/
Thanks and regards,
Pavel
Did you try to tkprof a 10053 trace?
That is not going to show anything. 10053 traces are meant to be read as they are. tkprof is there to deal with 10046 traces. -
Hi currently i have a problem with the sql statement.
The field name and the table name of the sql statement will depend on what the user input. We need to find out what records is in tableA columnA and not in tableB columnB.
Below is my sql statement:
SELECT * FROM (TABLEA) INTO TABLE ITABA
WHERE (COLUMNA)
NOT IN ( SELECT (COLUMNB) FROM (TABLEB) ).
=============================================
ColumnA = "the user input the field name"
TableA = " the user input the table name"
TableB = " the user input the table name"
The problem lies at the WHERE clause. The system generates a sql error which says "unable to find the field name".
Hi,
Check the following code:
For dynamic table name....
REPORT demo_select_dynamic_database .
DATA wa TYPE scarr.
DATA name(10) TYPE c VALUE 'SCARR'.
SELECT *
INTO wa
FROM (name) CLIENT SPECIFIED
WHERE mandt = '000'.
WRITE: / wa-carrid, wa-carrname.
ENDSELECT.
For dynamic field list
REPORT demo_select_dynamic_columns .
DATA: itab TYPE STANDARD TABLE OF spfli,
wa LIKE LINE OF itab.
DATA: line(72) TYPE c,
list LIKE TABLE OF line(72).
line = ' CITYFROM CITYTO '.
APPEND line TO list.
SELECT DISTINCT (list)
INTO CORRESPONDING FIELDS OF TABLE itab
FROM spfli.
IF sy-subrc EQ 0.
LOOP AT itab INTO wa.
WRITE: / wa-cityfrom, wa-cityto.
ENDLOOP.
ENDIF.
Regards,
Bhaskar -
Dynamic Tables & SQL Statements
Example:
A user types in a SQL statement, " Country = 'US' ", into a input field. i read it and copy into table A. how am i supposed to use the statement found in the table to do a comparison of data from table B? i've found a example in the abap documentation but i'm not sure how to retrieve the statement from table A. please provide sample codes so i know how it works. i'll reward handsomely if the answer's close (((((((:
Thanks (:
REPORT demo_special_tech_subroutine_1.
DATA: code TYPE TABLE OF rssource-line,
prog(8) TYPE c, msg(120) TYPE c, lin(3) TYPE c,
wrd(10) TYPE c, off(3) TYPE c.
APPEND 'PROGRAM SUBPOOL.'
TO code.
APPEND 'FORM DYN1.'
TO code.
APPEND
'WRITE / ''Hello, I am the temporary subroutine DYN1!''.' "#EC NOTEXT
TO code.
APPEND 'ENDFORM.'
TO code.
APPEND 'FORM DYN2.'
TO code.
APPEND
'WRIT / ''Hello, I am the temporary subroutine DYN2!''.' "#EC NOTEXT
TO code.
APPEND 'ENDFORM.'
TO code.
GENERATE SUBROUTINE POOL code NAME prog
MESSAGE msg
LINE lin
WORD wrd
OFFSET off.
IF sy-subrc <> 0.
WRITE: / 'Error during generation in line', lin, "#EC NOTEXT
/ msg,
/ 'Word:', wrd, 'at offset', off. "#EC NOTEXT
ELSE.
WRITE: / 'The name of the subroutine pool is', prog. "#EC NOTEXT
SKIP 2.
PERFORM dyn1 IN PROGRAM (prog).
SKIP 2.
PERFORM dyn2 IN PROGRAM (prog).
ENDIF.
Edited by: Leslie Koh on Jan 16, 2008 6:31 AM
Leslie
Check below comments:
types: begin of ty_code, " Type declaration
text type char255,
end of ty_code.
data: it_code type table of ty_code, " Internal table to hold the dynamic WHERE condition
wa_code type ty_code. " Work Area
select * from <tabA> into <itabA>. " tabA is the first table which holds the SQL conditions
loop at <itabA> into <waA>.
move <waA>-cfield to wa_code-text. " In this example I am presuming CFIELD has the SQL condition
append wa_code to it_code. " I am preparing an internal table with all the conditions
endloop.
* Note that if you have more than one condition you may need to add AND starting from the 2nd line
* Now the conditions exist in table it_code. Use the same for the next select
select * from <tabB> into <itabB>
where (it_code). " Retrieving data from table tabB with the SQL conditions from tabA
Hope this helps you understand.
Try using the above code in a temporary program, replace <tabA> with your first table that holds SQL conditions, <tabB> with the second table.
Kind Regards
Eswar -
Building up dynamic SQL statement from user entered fields on a jsp
Hi guys.
I'm building up a sql statement from a bunch of input fields that the users can type in on a .jsp page. No real problem there, but I get a problem when they type in words with ' character in it Eg: Don't, I'll etc.
This confuses the java code totally and usually results in a spectacular crash of the system.
Any ideas/thought/wild speculations would be most appreciated.
Regards
Elmar Matthee
University of Stellenbosch
South AfricaEven in pure read-only databases SQL injection can be a problem, as the user might be able to read data he should not be able to see.
You can also create dynamically created sql statements using PreparedStatements, that's not a problem, I'm doing it pretty often myself.
List<Object> arguments = new ArrayList<Object>();
StringBuilder sql = new StringBuilder("SELECT foo FROM bar WHERE");
if (someCondition) {
sql.append(" foobar = ? ");
arguments.add(someValue);
if (someOtherCondition) {
sql.append(" AND barfoo = ?");
arguments.add(someOtherValue);
// later on use setObject() to fill in the parametersObviously you'll have to handle putting the correct ANDs and ORs there, but you probably has solved that already, as it isn't any different if you don't use a PreparedStatement. -
Concatenate problem for Dynamic SQL statements
Hi Experts ,
I am building Dynamic SQL statements depending on the values which the user enters into the select option parameters. This dynamic query is passed to cl_sql_connection object for querying from another database.
So i wrote dynamic values for one select option spointof for the database field ppointofdelivery.
loop at spointof.
CONCATENATE ' pointofdelivery between ''' spointof-low''''
' AND ''' spointof-high''''
INTO where_clause .
endloop.
The whereclause has value pointofdelivery between '123' and '124'.(if the user has entered 123 and 124 as values)
This works fine . But my problem is I have to pass the fieldnames and operator dynamically into where_clause depending on User input.
when i am writing code like the below
field_name = ' pointofdelivery '.
operator = '='.
CONCATENATE field_name operator '''spointof-low''' INTO where_clause .
the where_clause contains value
pointofdelivery = ' spointof-low '
and not pointofdelivery = ' 123 ' as expected .
Do you know why this is happening, as it is not taking the value?
Thanks
Arshad
Hi,
there are a lot of function modules available to build a where clause based on the select-options.
check the FM FREE_SELECTIONS_RANGE_2_WHERE
Thanks
Naren