Escape & in plsql?

Hi,
I'd like to do this:
sql> exec sbl_hi.testsearch_ext('I. & E. Transfer BV','A');but the & is regarded as a definition. How do I escape this?
Cheers,
L.

Forget it, found it myself, should have known this.
SET ESCAPE \
L.

Similar Messages

Equivalent of JavaScript escape function in PLSQL

Hi,
Is there any equivalent of JavaScript's "escape()" function in PlSql for web development? cos I found that whenever I have links generated in stored procedure with text that has space, single quote and so on will become invalid url syntax when user clicks on the hyperlink.
So I hope to convert the text to valid syntax while generating the link.
Please advise.
Thank you so much.

Hi,
CREATE OR REPLACE FUNCTION UNESCAPE_F
(P_TEXT IN VARCHAR2 := null) RETURN VARCHAR2 IS
V_HEX2 VARCHAR2(1);
V_CHAR VARCHAR2(1);
V_TEXT VARCHAR2(4000);
V_RETURN VARCHAR2(4000) := NULL;
V_HEX1 VARCHAR2(1);
BEGIN
IF p_text IS NULL THEN
v_return := NULL;
ELSE
v_text := p_text;
WHILE INSTR(v_text, '%') > 0 LOOP
v_return := v_return | | SUBSTR(v_text, 1, INSTR(v_text, '%') - 1);
v_text := SUBSTR(v_text, INSTR(v_text, '%') + 1);
v_hex1 := SUBSTR(v_text, 1, 1);
v_hex2 := SUBSTR(v_text, 2, 1);
v_text := SUBSTR(v_text, 3);
SELECT
CHR(
(DECODE(v_hex1,'0',0,'1',1,'2',2,'3',3,'4',4,'5',5,'6',6,'7',7,'8',8,'9',9,'A',10,'B',11,'C',12,'D',13,'E',14,'F',15,0) * 16) +
DECODE(v_hex2,'0',0,'1',1,'2',2,'3',3,'4',4,'5',5,'6',6,'7',7,'8',8,'9',9,'A',10,'B',11,'C',12,'D',13,'E',14,'F',15,0) )
INTO v_char
FROM dual;
v_return := v_return | | v_char;
END LOOP;
v_return := v_return | | v_text;
END IF;
RETURN(v_return);
END UNESCAPE_F;
Regards Michael

SQL Injections and XSS - Escaping Special Characters

Hi, hope someone can help in regards to security and SQL Injections and XSS.
We are using APEX 4.0.2 on Oracle 11.2.0.2.
1. It seems the special characters we have entered into normal 'Text Items' 'Text Areas' etc are not being escaped (ie <,>,&, '). If I enter them into the field (ie Surname) they are saved as is into session state and the database - no escaping. Am I missing something such as an environment setting as I thought the "smart" oracle escaping rules would cater for this.
Surely I don't have to manually do each of then.
Just to confirm, am I looking in the correct places to assess if the characters are escaped or not - ie should they show as '&<>' in session state and/or the database ?
2. Also, for the Oracle procedures such as '‘wwv_flow.accept’ , ‘wwv_flow.show’ , 'wwv_flow_utilities.show_as_popup_calendar' - do these escape special characters. If not, then they must be vulnerable to SQL Injections attacks.
Thx
Nigel

Recx Ltd wrote:
Just to pitch in, escaping values internally (either in the database or session state) is extremely problematic. Data searches, string comparison, reporting and double escaping are all areas which suffer badly when you do this.
Stripping characters on input can also cause problems if not considered within the context of the application. Names such as "O'Niel", statistical output such as "n < 300", fields containing deliberate HTML markup can be annoying to debug. In certain situations stripping is totally ineffective and may still lead to cross-site scripting.
Apex applications that share the database with other applications will also be affected.
The database should contain 'raw' unfettered data and output should be escaped properly, as Joel said, at render time. Either with Apex attributes or using PLSQL functions such as htf.escape_sc() as and when required.Do not needlessly resurrect old threads. After a couple of months watches expire and the original posters are not alerted to the presence of your follow-up.
Shameless plug: If you are in the game of needing to produce secure Apex code, you should get in touch.This crosses the line into spam: it violates the OTN Terms of Use—see 6(j).
Promotional posts like this are liable to be removed by the moderators.

PLSQL changing XML file content

Hello Experts,
I have a task to do.
I have to replace special characters from an XML file placed on the server through PLSQL.
So that i created a plsql procedure.
PROCEDURE REMOVE_SPECIAL_CHARS (p_file_name IN VARCHAR2)
AS
l_tmp_clob CLOB DEFAULT EMPTY_CLOB();
l_bfile BFILE NULL;
l_dest_offset INTEGER := 1;
l_src_offset INTEGER := 1;
l_outfile UTL_FILE.file_type;
lang_ctx NUMBER := DBMS_LOB.default_lang_ctx;
warning NUMBER NULL;
l_dest_file VARCHAR2(300) NULL;
BEGIN
mob_util_pck.log_write ('I','Inside REMOVE_SPECIAL_CHARS procedure(+)');
l_dest_file:=SUBSTR (p_file_name, (INSTR (p_file_name, '/', -1, 1))+1);
mob_util_pck.log_write ('I','Following File will be modified: '||l_dest_file);
 l_bfile := BFILENAME ('MOBSEPAOUT', l_dest_file);
 DBMS_LOB.OPEN (l_bfile, DBMS_LOB.file_readonly);
 DBMS_LOB.createtemporary (l_tmp_clob, TRUE);
 DBMS_LOB.loadclobfromfile (dest_lob => l_tmp_clob
 , src_bfile => l_bfile
 , amount => DBMS_LOB.getlength (l_bfile)
 , dest_offset => l_dest_offset
 , src_offset => l_src_offset
 , bfile_csid => DBMS_LOB.default_csid
 , lang_context => lang_ctx
 , warning => warning
 DBMS_LOB.CLOSE (l_bfile);
mob_util_pck.log_write ('I','Deleting Old File');
 BEGIN
 mob_util_pck.delete_files ('MOBSEPAOUT'
 , l_dest_file
 END;
mob_util_pck.log_write ('I','Before Replacing Characters');
 l_tmp_clob := REPLACE (l_tmp_clob, '€', 'E');
 l_tmp_clob := REPLACE (l_tmp_clob, '@', '(at)');
 l_tmp_clob := REPLACE (l_tmp_clob, '&', '+');
 l_tmp_clob := REPLACE (l_tmp_clob, 'à', 'a');
 l_tmp_clob := REPLACE (l_tmp_clob, 'é', 'e');
 l_tmp_clob := REPLACE (l_tmp_clob, 'è', 'e');
 l_tmp_clob := REPLACE (l_tmp_clob, 'ç', 'c');
 l_tmp_clob := REPLACE (l_tmp_clob, 'ù', 'u');
 l_tmp_clob := REPLACE (l_tmp_clob, 'ï', 'i');
 l_tmp_clob := REPLACE (l_tmp_clob, 'ù', 'u');
 l_tmp_clob := REPLACE (l_tmp_clob, '[', '(');
 l_tmp_clob := REPLACE (l_tmp_clob, ']', ')');
 l_tmp_clob := REPLACE (l_tmp_clob, '\', '/');
 l_tmp_clob := REPLACE (l_tmp_clob, '^', '.');
 l_tmp_clob := REPLACE (l_tmp_clob, 'ù', 'u');
 --l_tmp_clob := REPLACE (l_tmp_clob, '_', '-');
 l_tmp_clob := REPLACE (l_tmp_clob, '`', '''');
 l_tmp_clob := REPLACE (l_tmp_clob, '{', '(');
 l_tmp_clob := REPLACE (l_tmp_clob, '|', '/');
 l_tmp_clob := REPLACE (l_tmp_clob, '}', ')');
 l_tmp_clob := REPLACE (l_tmp_clob, '~', '-');
 l_tmp_clob := REPLACE (l_tmp_clob, 'À', 'A');
 l_tmp_clob := REPLACE (l_tmp_clob, 'Á', 'A');
 l_tmp_clob := REPLACE (l_tmp_clob, 'Â', 'A');
 l_tmp_clob := REPLACE (l_tmp_clob, 'Ã', 'A');
 l_tmp_clob := REPLACE (l_tmp_clob, 'Ä', 'A');
 l_tmp_clob := REPLACE (l_tmp_clob, 'Å', 'A');
 l_tmp_clob := REPLACE (l_tmp_clob, 'Ç', 'C');
 l_tmp_clob := REPLACE (l_tmp_clob, 'È', 'E');
 l_tmp_clob := REPLACE (l_tmp_clob, 'É', 'E');
 l_tmp_clob := REPLACE (l_tmp_clob, 'Ê', 'E');
 l_tmp_clob := REPLACE (l_tmp_clob, 'Ë', 'E');
 l_tmp_clob := REPLACE (l_tmp_clob, 'Ì', 'I');
 l_tmp_clob := REPLACE (l_tmp_clob, 'Í', 'I');
 l_tmp_clob := REPLACE (l_tmp_clob, 'Î', 'I');
 l_tmp_clob := REPLACE (l_tmp_clob, 'Ï', 'I');
 l_tmp_clob := REPLACE (l_tmp_clob, 'Ñ', 'N');
 l_tmp_clob := REPLACE (l_tmp_clob, 'Ò', 'O');
 l_tmp_clob := REPLACE (l_tmp_clob, 'Ó', 'O');
 l_tmp_clob := REPLACE (l_tmp_clob, 'Ô', 'O');
 l_tmp_clob := REPLACE (l_tmp_clob, 'Õ', 'O');
 l_tmp_clob := REPLACE (l_tmp_clob, 'Ö', 'O');
 l_tmp_clob := REPLACE (l_tmp_clob, 'Ù', 'U');
 l_tmp_clob := REPLACE (l_tmp_clob, 'Ú', 'U');
 l_tmp_clob := REPLACE (l_tmp_clob, 'Û', 'U');
 l_tmp_clob := REPLACE (l_tmp_clob, 'Ü', 'U');
 l_tmp_clob := REPLACE (l_tmp_clob, 'Ý', 'Y');
 mob_util_pck.log_write ('I','After Replacing Special Characters');
 mob_util_pck.log_write ('I','Before Creating New File '||l_dest_file);
 DBMS_XSLPROCESSOR.clob2file(l_tmp_clob, 'MOBSEPAOUT', l_dest_file);
 mob_util_pck.log_write ('I','After Creating New File '||l_dest_file);
 mob_util_pck.log_write ('I','Inside REMOVE_SPECIAL_CHARS procedure(-)');
END REMOVE_SPECIAL_CHARS;
This procedure is working fine for some special characters. But some special characters are getting replaced by different characters before performing the replace so it is causing wrong replacement of characters.
eg- i need to replace & by +
but it is changing it to +amp which is incorrect.
Is it something related to characters encoding?
Please help.
Regards-
Vikrant

eg- i need to replace & by +
but it is changing it to +amp which is incorrect.
Is it something related to characters encoding?
Due to its special meaning in the XML language, occurrences of the ampersand character '&' have be escaped to & as well as '<', '>' and '"' respectively to <, > and ".
So in short, do not replace the ampersand character.

Utl_url.escape

Hi, I need to use the utl_url.escape function to convert some illegal characters in a url and I want to know why I get the error "FALSE: invalid identifier" when I use the function like this:
SELECT utl_url.escape('http://www.acme.com/a url with space.html', FALSE, 'UTF8')
FROM dual;
Where the first parameter is the url I want to escape, the second one indicates that I don't want to escape the reserved chars, and the third one is the target charset. I search in the documentation and this is a right way to use the function.
If I use the function without the second and third arguments, it work properly but it don't make a good conversion, I think it is because I am not indicating the target charset.
Any help will be appreciated.

UTL_URL.escape is defined as follows:
FUNCTION escape(url                   IN VARCHAR2,
                  escape_reserved_chars IN BOOLEAN DEFAULT FALSE,
                  url_charset           IN VARCHAR2 DEFAULT
                                                    utl_http.get_body_charset)
                  RETURN VARCHAR2;so the second parameter is BOOLEAN which is a datatype NOT KNOWN to SQL.
You can only use this function in a PLSQL block like this e.g.:
declare
url_esc varchar2(1000);
begin
url_esc := utl_url.escape('http://www.acme.com/a url with space.html', FALSE, 'UTF8');
dbms_output.put_line(url_esc);
end;
http://www.acme.com/a%20url%20with%20space.htmlMessage was edited by:
michaels

Include-owa and character escaping

Hi.
We are using include-owa to return user entered databse text within well formatted tags.
Sometimes text contains & and other XML characters.
We then "get XML returned from PLSQL agent was not well-formed error"
How can we easily escape all text values returned?
Thanks
Lionel

Normally you can enclose the text in the CDATA element.

Google API from plsql

Hi,
I have to post a file using this google API
https://developers.google.com/analytics/devguides/config/mgmt/v3/mgmtReference/management/uploads/uploadData#try-it
How I will call this in PLSQL?
thanks,
7Z

You're retrieving a text containing character entity references.
UTL_I18N.UNESCAPE_REFERENCE will take care of getting back the original characters :
SQL> set scan off
SQL>
SQL>
SQL> SELECT utl_i18n.unescape_reference(
2 REGEXP_SUBSTR(tr,'<span[^>]*>(.*)',1,1,'i',1)
3 ) translated_value
4 FROM (
5 SELECT httpuritype('http://translate.google.com/?hl=en&layout=1&eotf=1&sl=en&tl='||'vi'||'&text='||
6 UTL_URL.escape('My text to be converted')|| '#').getclob() tr
7 FROM DUAL
8 );
TRANSLATED_VALUE
Văn bản của tôi được chuyển đổi

Escaping characters in SOAP Envelope XML string

Hello,
I have a manual web service reference (i.e. a XML String parametrized with more fields from my apex page). Sometimes the web service call fails because the user can enter special XML characters in the text field (this in consequence makes the XML String invalid XML). Do you know any elegant way to deal with this problem? Having a process that does htf.escape_sc for each text field in the same page I have my text field is a bit complcated in my case.
Are there any other options?
Many thanks in advance

Hi "user11085282",
you might try to wrap the user input in CDATA sections ... this is the "XML way" to have special characters in a document without escaping them. CDATA sections look
as follows
<tag><![CDATA[& & < <> >]]></tag>
http://www.w3schools.com/xml/xml_cdata.asp
Hope this helps ...
Carsten Czarski
Deutschsprachige APEX-Community: Tipps, Tricks, Best Practice
http://tinyurl.com/apexcommunity
SQL und PL/SQL: Tipps, Tricks & Best Practice
http://sql-plsql-de.blogspot.com
Twitter: @cczarski @oraclebudb

How to escape a single quote in a find mode view

Hello,
I'm working with JDeveloper 10g.
I've defined a view that is used in "find mode" in a JSP.
When a value with a single quote is inserted in a field of the search form, an exception is thrown:
JBO-27122: SQL error during statement preparation.
ORA-00907: missing right parenthesis.
The problem is that the "single quote" is not being escaped:
WHERE STREET LIKE 'ABAT ESCARRE, DE L'A'
How could I force the view to escape the "single quote"?
Thanks

Arrest the single quote by calling a javascript method.
This might help you
Re: af:clientListener javascript function call question
http://download.oracle.com/docs/cd/E12839_01/apirefs.1111/e12419/tagdoc/af_clientListener.html
Edited by: Srinidhi on Mar 23, 2011 3:46 PM

Error while trying to access a SSWA PLSQL function

Hi,
I am trying to access a report as a web page by defining the function as follows :
Type : SSWA PLSQL FUNCTION
HTML Call : OracleOASIS.RunReport
Parameters : report=EMPDET
This function is attached to the menu and when I try to access the page I get this error.
"Error: The requested URL was not found, or cannot be served at this time.
Incorrect usage."
The URL that shows in the page is as follows(<server:port> I removed the server name and port) :
http://<server:port>/dev60cgi/rwcgi60?GDEV_APPS+DESFORMAT=HTML+SERVER=GDEV_APPS+report=EMPDET+p_session_id=A9C71A70B9B1D9BD2DCC0FC3AF9BC324+p_user_id=1133+p_responsibility_id=50230+p_application_id=800+p_security_group_id=0+p_language_code=US+NLS_LANG=AMERICAN_AMERICA+NLS_DATE_FORMAT=DD-MON-RRRR+NLS_NUMERIC_CHARACTERS=.%2C+NLS_DATE_LANGUAGE=AMERICAN+NLS_SORT=BINARY+paramform=NO
Surprisingly other functions which are defined in this manner work fine. Do I need to register my report anywhere or are there any other settings I need to do for the report to show up.
Can someone let me know.
Thanks

Hi ;
pelase check below which could be similar error like yours
Troubleshooting of Runtime Errors of Customer Intelligence Reports [ID 284829.1]
Regard
Helios

Error while consuming PLSQL Webservice through BPEL

HI ,
I have created a simple PLSQL Web service called "HelloWorld" and it got successfully deployed .
When I tried to test this webservice through BPEL Process Manager , its showing me error everytime that ( Could not create object of class 'dimple.HelloWorldWebServiceUser'; nested exception is: java.lang.ClassNotFoundException: dimple.HelloWorldWebServiceUser</summary> ) .
Please anyone help me out with this problem .
Thanks
Prashant Dwivedi

HI ,
I have created a simple PLSQL Web service called "HelloWorld" and it got successfully deployed .
When I tried to test this webservice through BPEL Process Manager , its showing me error everytime that ( Could not create object of class 'dimple.HelloWorldWebServiceUser'; nested exception is: java.lang.ClassNotFoundException: dimple.HelloWorldWebServiceUser</summary> ) .
Please anyone help me out with this problem .
Thanks
Prashant Dwivedi

The simplest way for plsql procedure to return multiple rows

Hi,
What is the simplest way for plsql procedure to return multiple rows (records). There are many combination of ways to do it but I am looking for a solution that is appropriate for plsql beginners. Many solutions use cursors, cursor variables, collections and more that kind of things that are complex on the face of it. Is it somehow possible to achieve the same with less effort?
Sample query would be: SELECT * FROM EMPLOYEES;
I want to use returned rows in APEX to compose APEX SQL(in that context plsql) report.
It is enough to use just SELECT * FROM EMPLOYEES query in APEX but I want to use plsql procedure for that.
Thank you!

Hi,
It depends :-).
With +...that is appropriate for plsql beginners...+ in mind... it still depends!
The list of techniques (ref cursors, cursor variables, collections, arrays, using explict SQL) you have referenced in your post can be made to work. but...
+Is it somehow possible to achieve the same with less effort?+ Less effort : That needs to be defined (measured). Especially in the context of pl/sql beginners (who is a beginner?) .
What is the level of "programming experience" ?
What is the level of understanding of "Relational Result set" as processible in Oracle?
If you are looking for
Process_the_set_of rows_in APEX () kind of capabilitywhich "abstracts/hides" relation database from developers when working on relation database, it may not be the best approach (at least strategically). Because I believe it already is abstracted enough.
I find REF CUROSOR most effective for such use, when the "begginer" has basic understanding of processing SQL result set .
So in a nut shell, the techniques (that you already are familiar with) are the tools available. I am not aware of any alternative tools (in pure Oracle) that will simplify / hide basics from develpers.
vr,
Sudhakar B.

Generate Query in PLSQL to return Well Formed XML with Multiple records

Hi there
This is very urgent. I am trying to create a PLSQL query that should retrieve all records from oracle database table "tbl_Emp" in a well formed xml format. The format is given below
*<Employees xmlns="http://App.Schemas.Employees" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">*
*<Employee>*
*<First_Name></First_Name>*
*<Last_Name></Last_Name>*
*</Employee>*
*<Employee>*
*<First_Name></First_Name>*
*<Last_Name></Last_Name>*
*</Employee>*
*</Employees>*
To retrieve data in above format, I have been trying to create a query for long time as below
SELECT XMLElement("Employees",
XMLAttributes('http://App.Schemas.Employees' AS "xmlns",
*'http://www.w3.org/2001/XMLSchema-instance' AS "xmlns:xsi"),*
XMLElement("Employee", XMLForest(First_Name, Last_Name)))
AS "RESULT"
FROM tbl_Emp;
But it does not give me the required output. It creates <Employees> tag with each individual record which I don't need. I need <Employees> tag to be the root tag and <Employee> tag to repeat and wrap each individual record. Please help me in this as this is very urgent. Thanks.

Hi,
Please remember that nothing is "urgent" here, and repeating that it is will likely produce the opposite effect.
If you need a quick answer, provide all necessary details in the first place :
- db version
- test case with sample data and DDL
That being said, this one's easy, you have to aggregate using XMLAgg :
SELECT XMLElement("Employees"
 , XMLAttributes(
 'http://App.Schemas.Employees' AS "xmlns"
 , 'http://www.w3.org/2001/XMLSchema-instance' AS "xmlns:xsi"
 , XMLAgg(
 XMLElement("Employee"
 , XMLForest(
 e.first_name as "First_Name"
 , e.last_name as "Last_Name"
 ) AS "RESULT"
FROM hr.employees e
;

Can I suppress HTML escaping in a read-only item?

I have an item that is displayed as read-only. The item contains HTML markup. HTML DB seems to automatically escape special characters in the item value.
Is there a way to suppress this?
For example, I have a text input item with the value:
Hello
(that is, it contains the bold elements which I want to output as is).
HTML DB seems to be escaping the item value so I see the bold elements in the browser and what I see in the page source is: &lt;b&gt;Hello&lt;/b&gt;
There doesn't seem to be "escape special characters" / "don't escape special characters" options for read-only mode like there is for "Display As Text" items. Can anyone suggest a workaround?
Thanks,
Eric

Eric - Text input items are escaped on output whether they are read-only or not. But to answer your question generally, APEX does not emit input items of any type to the browser without escaping them unless there is a guarantee that they have been escaped on input, e.g., when passed in through the URL, or that they acquired their value from within the application. These guarantees apply only to non-POSTable item types such as Display As Text (does not save state) items and a couple others. So in short, we observe the rule (which should be observed by app developers) that it is never safe (from an XSS-protection standpoint) to emit a POSTable item without escaping it first.
In your case, can you define a safe item type (Display as Text, does not save state) and set its source to the markup-containing item that you are now displaying as read-only? If so, you can conditionally display only the safe one and hide the other.
Scott

Business Event not triggering the PLSQL procedure.. What to do?

We need to call a plsql procedure when the GL Approval workflow has ended with approval. I thought i could do this by customizing the relevant business event.
We are on EBS 12.1.3 with RDBMS : 11.2.0.3.0.
I saw that the business event oracle.apps.gl.Journals.journal.approve was disabled currently. I enabled it and created a subscription for it. Subscription was a PLSQL procedure. Currently, for test purpose only thing it is doing is to insert a row into a table.
Business Event Subscription settings:
System: ORDEBS.SYSTEM.COM
Triggering Event
Source Type:Local
Event Filter: oracle.apps.gl.Journals.journal.approve
Execution Condition
Phase: 100
Status: Enabled
Rule Data: Message
Action Type:Custom
On Error: Stop and Rollback
Action
PL/SQL Rule Function: XX_GL_APPROVE_BE_PKG.Get_Attributes
Priority: Normal
Documentation (Not sure what value to be given for these. I went with the below values.)
Owner: Company Name
Owner Tag: Custom Schema
Using the below query i can see that the business event is getting called when the approval happens (One row added each time approval happened). But I cant see any rows in the table where it should insert a row. What could be going wrong? How can i verify that the procedure has been called?
select * from WF_DEFERRED where corrid ='APPS:oracle.apps.gl.Journals.journal.approve'
Procedure:
CREATE OR REPLACE PACKAGE BODY APPS.XX_GL_APPROVE_BE_PKG
AS
PROCEDURE Get_Attributes
IS
BEGIN
INSERT INTO xx.xx_test_table VALUES ('From BE');
COMMIT;
END Get_Attributes;
END XX_GL_APPROVE_BE_PKG;

Thanks Alejandro. Now this is working.
Changes i made:
1. Added the WFERROR workflow as a subscription to this event. So i could see that the function i am calling from the event did not have proper signature.
2. Changed the function signature to have standard parameters like:
CREATE OR REPLACE PACKAGE BODY XX_GL_APPROVE_BE_PKG
AS
function subscription(p_subscription_guid in raw,
p_event in out nocopy wf_event_t) return varchar2 is
l_result varchar2(20);
begin
insert into xxvtv.xxvtv_test_table values ('From BE');
commit;
exception
when others then
wf_core.context('XX_GL_APPROVE_BE_PKG','function subscription', p_event.getEventName(), p_event.getEventKey());
wf_event.setErrorInfo(p_event, 'ERROR');
return 'ERROR';
end subscription;
END XX_GL_APPROVE_BE_PKG;
3. Changed the owner name and owner tag both to the custom schema name (XX)

Escape & in plsql?

Similar Messages

Maybe you are looking for