EntityManagerFactory injection problems

Similar Messages

• SQL injection problem

  hi
  How can we solve SQL injection problem in JDBC ?
  this means if we have a form with text field and the user must enter a number say 4 , instead he entered "4 or true" this will concatenated with the SQL query and return all records because of "or true"....
  is there any solutions ?
  i tried PreparedStatment and it words but not alwayes
  good luck

  i clearfied this in my first post
  if u didnt got what i mean u can google it
  http://www.google.com
  thanksYou didn't gently provide keywords, like I always do, so I cannot learn from you.
  Well, with a "reproduceable example" I mean that you have to post a short but complete working code snippet which reproduces the problem. So that we can copy'n'paste it in our environment here and test/debug it ourself and then eventually confirm the SQL injection.

• Dependency Injection Problem in EJB 3.0

  Hello.
  I've been trying to get an example of java dependency injection working in JBoss 4.0.5.GA. I've installed it with EJB 3.0 support.
  The problem is that if I try to use the injected resource, I get a null pointer exception.
  The example I'm trying is a very short and simple one. Shouldn't be hard to figure out what is going wrong. Here it goes:
  [root]\src\hello\MessageServlet.java:
  package hello;
  import javax.servlet.*;
  import javax.servlet.http.*;
  import java.io.*;
  import java.util.List;
  import java.util.ListIterator;
  import javax.naming.InitialContext;
  import javax.annotation.*;
  public class MessageServlet extends HttpServlet {
       @Resource (mappedName="java:/DefaultDS")
       javax.sql.DataSource ejb30DB;
       public void init () throws ServletException {
       public void service(HttpServletRequest request, HttpServletResponse response)
                 throws IOException, ServletException {
            boolean injectedLookingGood = false;
            boolean notInjectedLookingGood = false;
            try {
                 java.sql.Connection conn = ejb30DB.getConnection();
                 conn.close();
                 injectedLookingGood = true;
            } catch(Exception e) {
                 e.printStackTrace();
            try {
                 InitialContext ic = new InitialContext();
                 javax.sql.DataSource ds = (javax.sql.DataSource)ic.lookup("java:/DefaultDS");
                 java.sql.Connection conn = ds.getConnection();
                 conn.close();
                 notInjectedLookingGood = true;
            } catch(Exception e) {
                 e.printStackTrace();
            response.setContentType("text/html");
            ServletOutputStream out = response.getOutputStream();
            out.println("<html>");
            out.println("<head><title>Hello World</title></head>");
            out.println("<body>");
            out.println("<h1>Hello World</h1>");
            out.println("<form action=\"HelloWorld\" method=\"get\">");
            out.print("Injected DataSource is looking ");
            if(injectedLookingGood) {
                 out.println("good <br>");
            else {
                 out.println("bad <br>");
            out.print("Not-Injected DataSource is looking ");
            if(notInjectedLookingGood) {
                 out.println("good <br/>");
            else {
                 out.println("bad <br/>");
            out.println("<input type=\"submit\" value=\"Test Some More\">");
            out.println("</form>");
            out.println("</body>");
            out.println("</html>");
  [root]\etc\META-INF\web.xml:
  <?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE web-app
  PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
  "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
  <web-app>
  <display-name>HelloWorldWAR</display-name>
  <servlet>
  <display-name>HelloWorld</display-name>
  <servlet-name>HelloWorldServlet</servlet-name>
  <servlet-class>hello.MessageServlet</servlet-class>
  </servlet>
  <servlet-mapping>
  <servlet-name>HelloWorldServlet</servlet-name>
  <url-pattern>/servlet/HelloWorld</url-pattern>
  </servlet-mapping>
  </web-app>
  [root]\etc\META-INF\application.xml:
  <?xml version="1.0" encoding="UTF-8"?>
  <application xmlns="http://java.sun.com/xml/ns/j2ee" version="1.4"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://java.sun.com /xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/application_1_4.xsd">
  <display-name>HelloWorld</display-name>
  <description>Application description</description>
  <module>
  <web>
  <web-uri>web-ejb3.war</web-uri>
  <context-root>HelloWorld</context-root>
  </web>
  </module>
  </application>
  [root]\build.xml:
  <project name="HelloWorld" default="all" basedir=".">
  <!-- Name of project and version -->
  <property name="proj.name" value="HelloWorld"/>
  <property name="proj.version" value="1.0"/>
  <!-- Global properties for thid build -->
  <property name="src.dir" value="${basedir}/src"/>
  <property name="build.dir" value="${basedir}/bin"/>
  <property name="lib.dir" value="${basedir}/lib"/>
  <property name="build.classes.dir" value="${build.dir}/classes"/>
  <property name="build.jar.dir" value="${build.dir}/jar"/>
  <property name="src.etc.dir" value="${basedir}/etc"/>
  <property name="meta-inf.dir" value="${src.etc.dir}/META-INF"/>
  <!-- The build classpath -->
  <path id="build.classpath">
  <fileset dir="${lib.dir}">
  <include name="**/*.jar"/>
  <include name="**/*.zip"/>
  </fileset>
  </path>
  <!-- Useful shortcuts -->
  <patternset id="meta.files">
  <include name="**/*.xml" />
  <include name="**/*.properties"/>
  </patternset>
  <target name="prepare">
  <mkdir dir="${build.dir}"/>
  <mkdir dir="${build.classes.dir}"/>
  <mkdir dir="${build.jar.dir}"/>
  </target>
  <target name="compile" depends="prepare">
  <javac destdir="${build.classes.dir}"
  classpathref="build.classpath"
  debug="on">
  <src path="${src.dir}"/>
  </javac>
  </target>
  <target name="package-web" depends="compile">
  <war warfile="${build.dir}/jar/web-ejb3.war"
  webxml="${meta-inf.dir}/web.xml">
  <classes dir="${build.dir}/classes">
  <include name="**/*Servlet.class"/>
  </classes>
  </war>
  </target>
  <!-- Creates an ear file containing the web client war. -->
  <target name="assemble-app">
  <ear destfile="${build.jar.dir}/HelloWorld.ear" appxml="${meta-inf.dir}/application.xml">
  <fileset dir="${build.dir}/jar"
  includes="*.war"/>
  </ear>
  </target>
  <target name="clean">
  <delete dir="${build.dir}" />
  </target>
  <target name="all">
  <antcall target="clean" />
  <antcall target="package-web" />
  <antcall target="assemble-app" />
  </target>
  </project>
  Any help would be apreciated.
  Thanks in advance,
  Hugo Oliveira
  [email protected]

  Hello Ken.
  I gess dependency injection is unnavailable in servlets as of this moment. I conducted another test using a session bean that injects and tests the DataSource and a servlet calling the session bean via a refference obtained from InitialContext. It worked OK.
  Here's the code:
  [root]/src/hello/MessageHandler.java:
  package hello;
  public interface MessageHandler {
       public boolean testInjection();
  [root]/src/hello/MessageHandlerBean.java:
  package hello;
  import javax.ejb.Stateless;
  import javax.persistence.*;
  import java.util.List;
  import javax.annotation.*;
  @Stateless
  public class MessageHandlerBean implements MessageHandler {
       @Resource (mappedName="java:/DefaultDS")
       private javax.sql.DataSource ds;     
       public boolean testInjection() {
            try {
                 java.sql.Connection conn = ds.getConnection();
                 conn.close();
                 return true;
            } catch(Exception e) {
                 e.printStackTrace();
            return false;
  [root]/src/hello/MessageServlet.java:
  package hello;
  import javax.servlet.*;
  import javax.servlet.http.*;
  import java.io.*;
  import java.util.List;
  import java.util.ListIterator;
  import javax.naming.InitialContext;
  import javax.annotation.*;
  public class MessageServlet extends HttpServlet {
       public void init () throws ServletException {
       public void service(HttpServletRequest request, HttpServletResponse response)
                 throws IOException, ServletException {
            boolean injectedLookingGood = false;
            try {
                 InitialContext ic = new InitialContext();
                 MessageHandler mh = (MessageHandler)ic.lookup("HelloWorld/MessageHandlerBean/local");
                 injectedLookingGood = mh.testInjection();
            } catch(Exception e) {
                 e.printStackTrace();
            response.setContentType("text/html");
            ServletOutputStream out = response.getOutputStream();
            out.println("<html>");
            out.println("<head><title>Hello World</title></head>");
            out.println("<body>");
            out.println("<h1>Hello World</h1>");
            out.println("<form action=\"HelloWorld\" method=\"get\">");
            out.print("Injected DataSource is looking ");
            if(injectedLookingGood) {
                 out.println("good <br>");
            else {
                 out.println("bad <br>");
            out.println("<input type=\"submit\" value=\"Test Some More\">");
            out.println("</form>");
            out.println("</body>");
            out.println("</html>");
  [root]/etc/META-INF/application.xml:
  <?xml version="1.0" encoding="UTF-8"?>
  <application xmlns="http://java.sun.com/xml/ns/j2ee" version="1.4"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://java.sun.com /xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/application_1_4.xsd">
  <display-name>HelloWorld</display-name>
  <description>Application description</description>
  <module>
  <ejb>HelloWorld.ejb3</ejb>
  </module>
  <module>
  <web>
  <web-uri>web-ejb3.war</web-uri>
  <context-root>HelloWorld</context-root>
  </web>
  </module>
  </application>
  [root]/etc/META-INF/web.xml:
  <?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE web-app
  PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
  "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
  <web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
  <display-name>HelloWorldWAR</display-name>
  <servlet>
  <display-name>HelloWorld</display-name>
  <servlet-name>HelloWorldServlet</servlet-name>
  <servlet-class>hello.MessageServlet</servlet-class>
  </servlet>
  <servlet-mapping>
  <servlet-name>HelloWorldServlet</servlet-name>
  <url-pattern>/servlet/HelloWorld</url-pattern>
  </servlet-mapping>
  </web-app>
  [root]/build.xml:
  <project name="HelloWorld" default="all" basedir=".">
  <!-- Name of project and version -->
  <property name="proj.name" value="HelloWorld"/>
  <property name="proj.version" value="1.0"/>
  <!-- Global properties for thid build -->
  <property name="src.dir" value="${basedir}/src"/>
  <property name="build.dir" value="${basedir}/bin"/>
  <property name="lib.dir" value="${basedir}/lib"/>
  <property name="build.classes.dir" value="${build.dir}/classes"/>
  <property name="build.jar.dir" value="${build.dir}/jar"/>
  <property name="src.etc.dir" value="${basedir}/etc"/>
  <property name="meta-inf.dir" value="${src.etc.dir}/META-INF"/>
  <!-- The build classpath -->
  <path id="build.classpath">
  <fileset dir="${lib.dir}">
  <include name="**/*.jar"/>
  <include name="**/*.zip"/>
  </fileset>
  </path>
  <!-- Useful shortcuts -->
  <patternset id="meta.files">
  <include name="**/*.xml" />
  <include name="**/*.properties"/>
  </patternset>
  <target name="prepare">
  <mkdir dir="${build.dir}"/>
  <mkdir dir="${build.classes.dir}"/>
  <mkdir dir="${build.jar.dir}"/>
  </target>
  <target name="compile" depends="prepare">
  <javac destdir="${build.classes.dir}"
  classpathref="build.classpath"
  debug="on">
  <src path="${src.dir}"/>
  </javac>
  </target>
  <target name="package-ejb" depends="compile">
  <jar jarfile="${build.jar.dir}/HelloWorld.ejb3">
  <fileset dir="${build.classes.dir}">
  <include name="**/*.class"/>
  </fileset>
  <!--
       <metainf dir="${meta-inf.dir}">
  <include name="persistence.xml"/>
  </metainf>
  -->
  </jar>
  </target>
  <target name="package-web" depends="compile">
  <war warfile="${build.dir}/jar/web-ejb3.war"
  webxml="${meta-inf.dir}/web.xml">
  <!--
  <fileset dir="web">
  <include name="**/*"/>
  </fileset>
  -->
  <!--
  <webinf dir="dd/web">
  <include name="jboss-web.xml"/>
  </webinf>
  -->
  <classes dir="${build.dir}/classes">
  <include name="**/*Servlet.class"/>
  </classes>
  </war>
  </target>
  <!-- Creates an ear file containing the ejb jars and the web client war. -->
  <target name="assemble-app">
  <ear destfile="${build.jar.dir}/HelloWorld.ear" appxml="${meta-inf.dir}/application.xml">
  <fileset dir="${build.dir}/jar"
  includes="*.ejb3,*.war"/>
  </ear>
  <!-- <delete file="${build.dir}/jar/web-ejb3.war"/>
  <delete dir="${build.dir}/classes"/> -->
  </target>
  <target name="clean">
  <delete dir="${build.dir}" />
  </target>
  <target name="all">
  <antcall target="clean" />
  <antcall target="package-ejb" />
  <antcall target="package-web" />
  <antcall target="assemble-app" />
  </target>
  </project>
  Thanks,
  Hugo Oliveira
  [email protected]

• Injection Problem in a JSP

  Hello,
  I created an enterprise application (with Netbeans 5.5 20060310) with Entity beans and stateless session bean (EJB3) -> everything seems fine, the tables are created when I deploy (on latest Glassfih).
  Then I created in the webmodule a small JSP to test my session bean.
  I wanted to use dependency injection so I added
  <%!
     @EJB UserLocal userManager;  
  %>to the page where UserLocal is the local business interface of my session bean.
  I manage to display the JSP page correctly but the userManager is null.
  Do you have any idea of what is wrong ?
  I do not understand the injection mechanism... do you have any reference?
  Also what would be the jndi name of my bean (it seems to me that it depends in the AS...) if I have no other choice but use a JNDI lookup ?
  Many thanks,
  Sebastien

  When trying to inject the EJB in a servlet I obtain the following exception:
  com.sun.enterprise.InjectionException: Exception attempting to inject Unresolved Ejb-Ref
  com.diviosoft.sp.web.userServlet/userManager@jndi: com.diviosoft.sp.logic.UserLocal@[email protected]@Session@nullinto class com.diviosoft.sp.web.userServletI tried to give a name to the EJB and use it when injecting, without success
  ... any hint appreciated
  Sebsatien

• SQL Injection and variable substitutions

  Hello helpful forum, I'm trying to understand what really goes on "behind" the scenes
  with the variable substitutions in order to protect from sql injections.
  I'm using apex 3.0.0.00.20
  The trickiest component seems to be a Report of type "pl/sql returning sql", since
  multiple dynamic sql interpretations are done there.
  consider the following innocent looking disaster:
  DECLARE
  l_out VARCHAR2(2000);
  BEGIN
  l_out := 'select * from test_injection t where t.name like ''%' || :NAME || '%''';
  RETURN l_out;
  END;
  if NAME is a single quote the report will return:
  failed to parse SQL query: ORA-00911: invalid character
  which hints to the fact that NAME is not escaped, and you are in fact able to access db functions
  as in: '||lower('S')||'
  I also tried to put there a function that runs in a autonomous transaction to log its calls, and
  I see that it's called five times for each request.
  consider now the similar solution (notice the two single quotes):
  DECLARE
  l_out VARCHAR2(2000);
  BEGIN
  l_out := 'select * from test_injection t where t.name like ''%'' || :NAME || ''%''';
  RETURN l_out;
  END;
  with this second example nothing of the above is possible.
  So my theory (please confirm it or refute it) is that there is a first variable substitution done
  at the pl/sql level (and in the second case :NAME is just a string so nothing is substituted).
  Then the dynamic sql is executed and it returns the following string:
  select * from test_injection t where t.name like '%' || :NAME || '%'
  now another substitution is done (at an "APEX" level) and then query is finally executed to return
  the rows to the report.
  The tricky point seems to be that the first substitution doesn't escape the variable (hence the error
  with the single quote), while the second substitution does.
  Please let me know if this makes sense and what are the proper guidelines to avoid sql injection with
  the different kinds of reports and components (SQL, pl/sql returning sql, processes, ...)
  Thanks

  Giovanni,
  You should build report regions like this using the second method so that all bind variables (colon followed by name) appear in the resultant varchar2 variable, l_out in your example, which will then be parsed as the report query. This addresses not only the SQL injection problem but the shared-pool friendliness problem.
  Scott

• Cfqueryparam problem

  While cleaning up some sql injection problems, I found I had
  to rewrite how the inserts were working.
  I do not know in advance what fields need to be populated for
  inserts so I mad a generic function
  to make my inserts.
  <cffunction name="insertIntoTable" access="private"
  returntype="void">
  <cfargument name="table" type="string" required="yes">
  <cfargument name="datasource" type="string"
  required="yes">
  <cfargument name="keyValSet" type="struct"
  required="yes">
  <cfset var keyList = structKeyList(keyValSet)>
  <cfset var curKey = "">
  <cfset var curVal = "">
  <cfset var comma = "">
  <cfset var insertIntoTable = "">
  <cfquery datasource="#datasource#"
  name="insertIntoTable">
  insert into #table# (#keyList#)
  values (<cfloop list="#keyList#"
  index="curKey">#comma#<cfset comma = ","><cfset curVal
  = trim(keyValSet[curKey])><cfif len(curVal) eq
  0><cfqueryparam null="yes"><cfelse><cfqueryparam
  value="#curVal#"></cfif></cfloop>)
  </cfquery>
  <cfreturn>
  </cffunction>
  I know before this call is made that the table names and the
  keylist is clean.
  I found that I could not simply use a <cfqueryparam
  list="yes" ...> as some of
  the entries may be null.
  My current problem is when someone enters Joe's Crab Shack
  into a form field
  the corresponding data record results in Joe''s Crab Shack.
  I found a hotfix for CF MX 6.1 with something that sounded
  similar, however
  we are running CF 7.02 on redhat. The db server is an old MS
  SQL Server (8.00).

  It appears that the two single quotes problem occurs only
  when cfloop is used, which looks very similar to one of the
  problems the hotfix for CF MX 6.1 had.
  Has anyone else come across this problem?

• Input multiplexer settling problem

  NI Multifunction Cards have often a multiplexer before the A/D converter, which allows scanning multiple channels. NI observes that the settling time of this multiplexer may cause problems, especially when an input signal has a considerably higher amplitude than the nearby signal. Here the setlling time does not allow fast scanning because this results in "noise" on the smaller signal due to "memory" of the large one.
  Is there a known solution to this problem ?
  I tried to keep source impedances around 1 KOhm as suggested by NI, but this did not yield to a complete solution, rather to a slight noise reduction.
  Is there a known way to use multifunction NI cards for input scanning with no inherent noise channel-by-channel ?
  Thanks a lot
  for attention,
  Marco
  Marco Sartore
  ElbaTech srl
  Via Roma, 1 57030 Marciana (LI)
  Italy

  Marco,
  There are a few solutions that can help with the charge injection problem. The optimal solution is to decrease the impedance of your sources. The smallest source impedance is ideal. So, if you have sources at or above 1 Kohm, it would be good to use a unity-gain buffer to decrease the source impedance.
  Other solutions involve increasing the inter-channel delay of scanning and/or grounding channels in between channels to allow the multiplexer to discharge. I have linked a couple documents below that go over charge injection in detail and the viable solutions.
  How Do I Create a Buffer to Decrease the Source Impedance of My Analog Input Signal?
  http://digital.ni.com/public.nsf/websearch/CF83426BC3AC514A86256C10005A4771?OpenDocument
  Using a Unity G
  ain Buffer (Voltage Follower) with a DAQ Device
  http://zone.ni.com/devzone/conceptd.nsf/webmain/CD57A73721E0612586256BAE0055CDD9?opendocument
  Regards,
  Todd D.

• Injecting EntityManager

  Hi,
  I tried to get the entity manager injected into my servlet context listener class but with no success.
  I am using JPA with Toplink and deploying on Sun Application Server.
  The servlet is a simple servlet which has a field of type EntityManager and with @PersistenceContext annotation.
  I also tried to get the EntityManagerFactory injected. Even it is null.
  Is it at all possible to inject EntityManager into a normal servlet?
  Please help.
  Thanks in advance.
  Regards,
  Anand.

  Hi,
  Try verifying that all configuration details are set for OC4J.
  You may refer the to following end-to-end quickstart enterprise application tutorial that contains the same @PersistenceContext injection on a stateless session ejb bean.
  http://wiki.eclipse.org/EclipseLink/Examples/JPA/OC4J_Web_Tutorial
  specifically
  http://wiki.eclipse.org/EclipseLink/Examples/JPA/OC4J_Web_Tutorial#Perform_a_JPQL_query
  and code
  http://dev.eclipse.org/svnroot/rt/org.eclipse.persistence/trunk/examples/org.eclipse.persistence.example.jpa.server.oc4j.enterpriseEJB/ejbModule/org/eclipse/persistence/example/jpa/server/business/ApplicationService.java
  If configurations match between both apps, then we can triage further.
  thank you
  /michael
  www.eclipselink.org

• CDI Fails when deployed twice from OEPE 12c to WebLogic 12c

  Hi,
  First when I use CDI on WebLogic 12c it works the first time without any problems , First I had to do this ( From Steve Button ) else I get some inject problems
  Just as an out there kind of thought, OEPE does use the split-directory model for deployment by default -- perhaps try adjusting it to use the exploded archive model instead, just as a test to see if it removes the error?
  Right click the server config and select Properties > WebLogic > Publishing > Publish as exploded archive
  then it works once , when I deploy it twice then the Named beans are not found. ( I use a empty beans.xml in the web-inf )
  I need to restart the wls 12c then it works. Same project with OEPE 12c and glassfish works fine.
  thanks

  Arun,
  Do you see the application status active in the Admin console?
  Are you testing the web application by typing the complete URL in the browser that includes the name of the webpage including the context root , ipaddress/hostname and port number of Server..?
  404 indicates application doesn't exist.
  Please share the URL you are testing.
  Please check the server log if you found any deployment issues when deploying your application?
  Thanks,
  Vijaya

• ANN: Updated extensions for DW 8.0.2

  Adobe released the Dreamweaver 8.0.2 updater about a month
  ago, and since
  that time I have been working furiously on getting my
  incompatible
  extensions updated to work around the bugs introduced by the
  updater. In
  short, the Dreamweaver recordset functionality for previewing
  recordsets and
  showing in the Bindings panel is broken with any kind of
  dynamic SQL code
  (such as dynamic sorting or dynamic SQL). Thanks to the good
  folks at
  Interakt (www.interaktonline.com), who provided me with some
  alternate
  Recordset functionality, I was able to make the extensions
  compatible. The
  DW 8.0.2 updater fixes some SQL injection problems and should
  be applied to
  your copy of Dreamweaver 8. The DW 8.0.2 updater can be found
  at the Adobe
  web site:
  http://www.adobe.com/support/dreamweaver/downloads_updaters.html
  The affected extensions that have been updated are the
  following:
  Dynamic Search Suite for ColdFusion
  Dynamic Search Suite for PHP
  Dynamic Search Suite for ASP/VB
  Sort Repeat Region (ASP/VB, ColdFusion, and PHP versions)
  If you have purchased any of these extensions in the past and
  have your
  download information, you can download the free updates by
  logging in at
  http://www.tom-muck.com/extensions/customers/login.cfm
  and downloading the
  latest versions. Please note that if you do not have the
  Dreamweaver 8.0.2
  updater, no extension updates are necessary. The new updated
  extensions will
  work in Dreamweaver 6, 7, and 8.
  The extensions NOT updated in this round of fixes are the
  following:
  Dynamic Search Suite for ASP/JS
  Sort Repeat Region (JSP and ASP/JS versions.)
  Other extensions available at
  http://www.tom-muck.com/extensions/
  are not
  affected by the updater. If you run into any problems using
  any of my
  extensions, drop me a line using my contact form.
  Tom Muck
  co-author Dreamweaver MX 2004: The Complete Reference
  http://www.tom-muck.com/
  Cartweaver Development Team
  http://www.cartweaver.com
  Extending Knowledge Daily
  http://www.communitymx.com/

  Adobe released the Dreamweaver 8.0.2 updater about a month
  ago, and since
  that time I have been working furiously on getting my
  incompatible
  extensions updated to work around the bugs introduced by the
  updater. In
  short, the Dreamweaver recordset functionality for previewing
  recordsets and
  showing in the Bindings panel is broken with any kind of
  dynamic SQL code
  (such as dynamic sorting or dynamic SQL). Thanks to the good
  folks at
  Interakt (www.interaktonline.com), who provided me with some
  alternate
  Recordset functionality, I was able to make the extensions
  compatible. The
  DW 8.0.2 updater fixes some SQL injection problems and should
  be applied to
  your copy of Dreamweaver 8. The DW 8.0.2 updater can be found
  at the Adobe
  web site:
  http://www.adobe.com/support/dreamweaver/downloads_updaters.html
  The affected extensions that have been updated are the
  following:
  Dynamic Search Suite for ColdFusion
  Dynamic Search Suite for PHP
  Dynamic Search Suite for ASP/VB
  Sort Repeat Region (ASP/VB, ColdFusion, and PHP versions)
  If you have purchased any of these extensions in the past and
  have your
  download information, you can download the free updates by
  logging in at
  http://www.tom-muck.com/extensions/customers/login.cfm
  and downloading the
  latest versions. Please note that if you do not have the
  Dreamweaver 8.0.2
  updater, no extension updates are necessary. The new updated
  extensions will
  work in Dreamweaver 6, 7, and 8.
  The extensions NOT updated in this round of fixes are the
  following:
  Dynamic Search Suite for ASP/JS
  Sort Repeat Region (JSP and ASP/JS versions.)
  Other extensions available at
  http://www.tom-muck.com/extensions/
  are not
  affected by the updater. If you run into any problems using
  any of my
  extensions, drop me a line using my contact form.
  Tom Muck
  co-author Dreamweaver MX 2004: The Complete Reference
  http://www.tom-muck.com/
  Cartweaver Development Team
  http://www.cartweaver.com
  Extending Knowledge Daily
  http://www.communitymx.com/

• Need popup window from cfform to go to PayPal using their button

  I have a cfform page (ColdFusion 8) that is embedded in an iframe in my standard html webpage. (Embedded so that I still have the same outer "envelope" as the rest of the pages; nav bars, etc.) I have the form post back to itself in order to check for injection problems, validation beyond basic form validation, etc, then insert form entries into a database. I am trying to then pass the visitor on to PayPal for them to make the payment. This could be either by way of a popup window or a redirect. The problem is that if I just put the PayPal button in my .cfm page it doesn't work. Also, it seems I need to get it out of the iframe context. Of course it would be nice to go the other way (which I have also tried) and have the potential donor first go to PayPal, enter their info, and then have them redirected back to my page. I realize I could then get some of the info I need from them (name, email, etc) in the PayPal IPN return, but there are 2 problems with this. 1) I have to rely on them clicking the "go back to ....." link in PayPal and 2) I still need other info that PayPal doesn;t pick up, like what department category they want their donation to go to, etc. which I can get up front from them if I go the first route mentioned.
  I have looked into cfhttp and cflocation tags. I don't seem to be finding any clearcut answers!
  Thanks for any help in advance!

  This link may help.
  http://www.danvega.org/blog/index.cfm/2008/3/4/ColdFusion-8-Grid-Context-Menu-Part-II

• Version 8.02 recordset changes !!!!!

  As i understand it - In version 8.02 the recordsets are
  created differently
  now! WHY??????
  Something to do with SQL injection problems.
  The problem is i can't get my sql to work now.
  I can't find any info on how to get my code to work now.
  I have this code below which uses INNER JOINS from an Access
  database.
  What i normally do is create the SQL in Access and then copy
  this into the
  recordset - worked fine.
  Now my code below doesn't work and doesn't show the recordset
  in DW.
  Can anyone help or advise me on how to get this working
  please ???
  Thanks
  Andy
  <%
  Dim RSelectrical__MMColParam
  RSelectrical__MMColParam = "0"
  If (Request.QueryString("Category") <> "") Then
  RSelectrical__MMColParam = Request.QueryString("Category")
  End If
  %>
  <%
  Dim RSelectrical
  Dim RSelectrical_cmd
  Dim RSelectrical_numRows
  Set RSelectrical_cmd = Server.CreateObject ("ADODB.Command")
  RSelectrical_cmd.ActiveConnection = MM_shoppingcart_STRING
  RSelectrical_cmd.CommandText = "SELECT Categories.Category,
  Products.ProductID, Products.CategoryID,
  Products.ManufacturerID,
  Products.ProductCode, Products.Product, Products.Description,
  Products.Image, Products.Price, Products.Break1,
  Products.Price2,
  Products.Break2, Products.Price3, Products.Break3,
  Products.InStock,
  Products.TimeKey,Products.Special FROM Categories INNER JOIN
  Products ON
  Categories.CategoryID = Products.CategoryID
  WHERE Products.CategoryID = ? ORDER BY Price ASC"
  RSelectrical_cmd.Prepared = true
  RSelectrical_cmd.Parameters.Append
  RSelectrical_cmd.CreateParameter("param1", 5, 1, -1,
  RSelectrical__MMColParam) ' adDouble
  Set RSelectrical = RSelectrical_cmd.Execute
  RSelectrical_numRows = 0
  %>

  PS
  I could uninstall DW and then re-install version 8, but this
  would onll
  cause me problems in the future and at some point i would
  have to upgrade
  anyway.
  Thanks
  Andy
  "Andy" <[email protected]> wrote in message
  news:[email protected]...
  > As i understand it - In version 8.02 the recordsets are
  created
  > differently now! WHY??????
  > Something to do with SQL injection problems.
  >
  > The problem is i can't get my sql to work now.
  > I can't find any info on how to get my code to work now.
  >
  > I have this code below which uses INNER JOINS from an
  Access database.
  > What i normally do is create the SQL in Access and then
  copy this into the
  > recordset - worked fine.
  >
  > Now my code below doesn't work and doesn't show the
  recordset in DW.
  >
  > Can anyone help or advise me on how to get this working
  please ???
  >
  > Thanks
  > Andy
  >
  > <%
  > Dim RSelectrical__MMColParam
  > RSelectrical__MMColParam = "0"
  > If (Request.QueryString("Category") <> "") Then
  > RSelectrical__MMColParam =
  Request.QueryString("Category")
  > End If
  > %>
  > <%
  > Dim RSelectrical
  > Dim RSelectrical_cmd
  > Dim RSelectrical_numRows
  >
  > Set RSelectrical_cmd = Server.CreateObject
  ("ADODB.Command")
  > RSelectrical_cmd.ActiveConnection =
  MM_shoppingcart_STRING
  > RSelectrical_cmd.CommandText = "SELECT
  Categories.Category,
  > Products.ProductID, Products.CategoryID,
  Products.ManufacturerID,
  > Products.ProductCode, Products.Product,
  Products.Description,
  > Products.Image, Products.Price, Products.Break1,
  Products.Price2,
  > Products.Break2, Products.Price3, Products.Break3,
  Products.InStock,
  > Products.TimeKey,Products.Special FROM Categories INNER
  JOIN Products ON
  > Categories.CategoryID = Products.CategoryID
  > WHERE Products.CategoryID = ? ORDER BY Price ASC"
  > RSelectrical_cmd.Prepared = true
  > RSelectrical_cmd.Parameters.Append
  > RSelectrical_cmd.CreateParameter("param1", 5, 1, -1,
  > RSelectrical__MMColParam) ' adDouble
  >
  > Set RSelectrical = RSelectrical_cmd.Execute
  > RSelectrical_numRows = 0
  > %>
  >

• PHP, Oracle and Security

  I am a systems Administrator who's company has cotnracted out to a web developer to design a website for our cutomers to purchase our products and have a page that sugggests new products that might be interested in. We run an Oracle DB and build our own in house applicatiosn for access to this Oracle DB using .NET. We currently have our own application service that is built in .NET that allows our current website built in .NET to only access certain calls for data from Oracle for security purposes. Our website resides in our DMZ and our DB rsides in our LAN. What is the best pracitce without putting an Oracle client on the webserver for PHP to talk to Oracle? They want us to do a massive extract of user data onto the webserver to a mysql DB using SOAP. Which seems to me to be even less secure than what we have now. Thanks for your help.

  To use one of the DB extensions, PHP needs access to local DB
  libraries such as Oracle Instant Client or the MySQL client (or PHP's
  inbuilt MySQL access code in the mysqlnd extension). This is
  equivalent to needing ODP.NET.
  What kinds of "calls" are you restricting in .NET? Because PHP is
  open source, you could modify the OCI8 extension to restrict certain
  statements or operations. But using DB-side access control seems a
  better way to go, perhaps in conjunction with stored procedures.
  The web company is probably more familiar with MySQL, but duplicating
  data from Oracle will expose more "surface area" for hackers and
  require two DB skill sets to secure and maintain.
  Make sure the web company uses bind variables - even with MySQL - to
  help prevent SQL Injection problems.
  An alternative could be for PHP to access the DB via web services
  http://download.oracle.com/docs/cd/E11882_01/appdev.112/e10492/xdb_web_services.htm#CHDDBCHB

• CS4 Forms, user to enter an e-mail address to sent the form to

  Is it possible for a user to complete an on line form in the members only section of my web site and then enter an e-mail address to send the form to.
  It appears most forms have a default e-mail address that the form is sent to when the user clicks the submit button, i would like the user to enter any e-mail address they like to send the information to as well as the default e-mail address.
  I am using windows 7, Dreamweaver CS4 and ASP server pages to have members logon to the members only section.
  Thanks for any assistance
  Regards
  John

  Is it possible for a user to complete an on line form in the members only section of my web site and then enter an e-mail address to send the form to.
  Sure.
  It appears most forms have a default e-mail address that the form is sent to when the user clicks the submit button
  Why do you think so?  This is not the case.
  Just process the form, and use the contents of the field in which the visitor has placed the desired target email address (properly sanitized, of course to avoid email injection problems) as the "To:" address in your call to the mailserver.

• URGENT : Webserver constantly hacked!

  Hi there!
  We are a public school and our webservices run on a OSX Server (10.4.10, latest updates done) and serve pages using PHP and mySQL. Due to an SQL Inject problem I can't seem to be able to trace, our website gets constantly hacked by some turkish kiddies who think this is funny, where this always represents a 6 hours job for us to clean the mess up ...
  Anyway, it seems (I could oversee by chance an action) that they are using the c99.php script which they inject inside my directory. As we use a CMS, I can't simply writeprotect the directory, thus eliminating these injects. Trying to update the weakpoint seems to be impossible as IMHO this means updating PHP and apache, which is not recommended to do manuallly (we already had trouble with manual procedures and I'm not willing to try again).
  Now : Does anyone have the same/similar trouble with these hacks? If so, could it be possible to share these experiences with me? What did you guy do? Would an update to Leopard-Server outrun this? If you are afraid to post, please contact me via EMail, although I think that this topic needs to be discussed openly!
  ANY help will be GREATLY appreciated!
  Cheers!
  marc.

  The c99.php exploit uses PHP's 'remote file includes' ability to embed a remote page within your page.
  The obvious solution would be to disable that feature. It is an inherent security risk, as you've found, but you'll need to check all other pages on your server to see whether they use the include function.
  Your simplest solution may just be to deny remote file includes:
  http://uk3.php.net/manual/en/ref.filesystem.php#ini.allow-url-fopen
  The other thing to check is how they're uploading files - does your site allow users to upload content?
  If so then you may need to implement some kind of filter that sanity-checks pages as they're uploaded. Without knowing your environment it's impossible to tell the best way to do that.
  If you don't expect users to be able to upload files, then you need to find out how they're doing that. Are they logging in using some account? If so, revoke that account's privileges. If they shouldn't be using that account (and if they're in Turkey it seems unlikely), then they may have compromised that account, e.g. by guessing the password), so you should check the access logs for any suspicious activity.
  You might also want to consider whether or not you expect to get any legitimate traffic from Turkey and just block their IP address from accessing your server at all. It's a poor solution since they can often proxy around any IP address blocks, but it might be worth a start, at least to let them know you're onto them.