Escape special characters for OData response

Hi all,
I'm facing a problem on HTTP response when some special characters are in my entity fields.
For example I've got a Edm.String field which has characters like ###, ", < (two number signs ## are ok, but three invoke an error)
When I set output format to xml via URI parameter $format=xml, I get following error:
<message xml:lang="en">In the context of Data Services an unknown internal server error occured</message>
Exception /IWCOR/CX_DS_INTERNAL_ERROR in class /IWCOR/CL_DS_EP_WRITER_OUTPUT method /IWCOR/IF_DS_EP_WRITER_OUTPUT~WRITE and Line 39
If I use JSON as output format, HTTP response code is 200!!, but payload just ends on the character which cannot be interpreted:
(ABAP)-JSON generator can handle double quotes much better than XML format:
How can I escape these output strings, without adding chars which will appear in response payload?
Thanks,
Steffen

Hi Uwe & Ron,
thanks for your ideas, but maybe we're not talking about binary data?! This field is an example from TADIR table.
OData entity definition for this field:
Versid
Edm.String
0
0
20
ABAP field definition:
Data Type        CHAR - Character String
No. Characters       20
Decimal Places        0
Output Length        20
Convers. Routine    <empty>
Uwe did you mean another debugger view?
SE16 output for this line:
What if I want to store and receive data with these special chars like ####, ", <, >,... in a ABAP char field (respective OData Edm.String)?
Thanks,
Steffen

Similar Messages

SQL Injections and XSS - Escaping Special Characters

Hi, hope someone can help in regards to security and SQL Injections and XSS.
We are using APEX 4.0.2 on Oracle 11.2.0.2.
1. It seems the special characters we have entered into normal 'Text Items' 'Text Areas' etc are not being escaped (ie <,>,&, '). If I enter them into the field (ie Surname) they are saved as is into session state and the database - no escaping. Am I missing something such as an environment setting as I thought the "smart" oracle escaping rules would cater for this.
Surely I don't have to manually do each of then.
Just to confirm, am I looking in the correct places to assess if the characters are escaped or not - ie should they show as '&<>' in session state and/or the database ?
2. Also, for the Oracle procedures such as '‘wwv_flow.accept’ , ‘wwv_flow.show’ , 'wwv_flow_utilities.show_as_popup_calendar' - do these escape special characters. If not, then they must be vulnerable to SQL Injections attacks.
Thx
Nigel

Recx Ltd wrote:
Just to pitch in, escaping values internally (either in the database or session state) is extremely problematic. Data searches, string comparison, reporting and double escaping are all areas which suffer badly when you do this.
Stripping characters on input can also cause problems if not considered within the context of the application. Names such as "O'Niel", statistical output such as "n < 300", fields containing deliberate HTML markup can be annoying to debug. In certain situations stripping is totally ineffective and may still lead to cross-site scripting.
Apex applications that share the database with other applications will also be affected.
The database should contain 'raw' unfettered data and output should be escaped properly, as Joel said, at render time. Either with Apex attributes or using PLSQL functions such as htf.escape_sc() as and when required.Do not needlessly resurrect old threads. After a couple of months watches expire and the original posters are not alerted to the presence of your follow-up.
Shameless plug: If you are in the game of needing to produce secure Apex code, you should get in touch.This crosses the line into spam: it violates the OTN Terms of Use—see 6(j).
Promotional posts like this are liable to be removed by the moderators.

How do you turn off the special characters for letters?

How do you turn off the special characters for letters? Where you hold down the key and it comes up with variations of the letter. For example ï í î ò œ å ß ł û
It is very annoying when I try to play any online games. Thanks for the help

Thank you so much It worked Thank you

Special characters for projects

Hi experts,
Kindly explain to me how to define multiple Special characters in project system.
Regards,
Shynu John

Hi,
Do you mean Special characters for the Project coding mask?
If that is the case, you can define the special characters in OPSK. A maximum of 8 special characters can be defined in it.
And then create the project coding mask in OPSJ using those special characters as per your requirement. Alpha-numeric and numeric characters combination can be used along with the special characters while creation of coding mask.
Regards,
Kabir

Escape special characters in url for redirection

In my web page, I want all the characters of the URL to be lower case. For that I created the following method:
private bool UrlFormatoCorrecto(string url)
bool formatoCorrecto = true;
bool upperCa = url.Any(c => char.IsUpper(c));
if (url.Any(c => char.IsUpper(c)))
formatoCorrecto = false;
if (url.Contains(" ") || url.Contains("+"))
formatoCorrecto = false;
return formatoCorrecto;
This works like a charm until a special character appears. The url that I get then will be the following:
http://localhost/web/coches/proven%C3%A7a-aribau,-08036-barcelona,-barcelona
So I have upper case characters. When I redirect it using the following code:
if (!UrlFormatoCorrecto(urlActual))
Response.RedirectPermanent(urlActual.Replace(" ", "-").Replace("+", "-").ToLower());
I get the code again with the same URL with upper case. How can I escape the special characters so they won't bother me anytime I want to make the redirection?

hello,
you could escape special caracters with :
Regex.Escape Method
Regards
Cédric

Strategies for escaping special characters.

Hi all,
Our app(built using Workshop) needs to have a generic way of scrubbing special
characters that a user might enter in the UI,and which might cause our sql that
queries the DB to become malformed. To explain further,some of our DB controls
are not using PreparedStatements to set Strings..instead, we are constructing
the sql as a java string like:
String myQuery="Select * from * where TOUPPER(name) like"+param.ToUpperCase().
and then we do:
Statement stmt=conn.createStatement();
stmt.executeQuery(myQuery).
In such cases, Oracle JDBC driver does not escape any special chars in the String
param,and fails.Other than converting all our queries to use PreparedStatements,
is there a generic pattern/Util class(mebbe RequestUtils) or some way of using
the Servlet Filter API to scrub out any special chars that are input by the user?
Thanks in advance.
Vik.

ServletFilter is the way to go on this one. Don't think there is anything built
into Servlet spec that handles these characters, however, there are a number of
sample filters that do such a task. I think there is a sample in either the O'Reilly
book on Servlets or Core Servlets.
"Vik" <[email protected]> wrote:
>
Hi all,
Our app(built using Workshop) needs to have a generic way of scrubbing
special
characters that a user might enter in the UI,and which might cause our
sql that
queries the DB to become malformed. To explain further,some of our DB
controls
are not using PreparedStatements to set Strings..instead, we are constructing
the sql as a java string like:
String myQuery="Select * from * where TOUPPER(name) like"+param.ToUpperCase().
and then we do:
Statement stmt=conn.createStatement();
stmt.executeQuery(myQuery).
In such cases, Oracle JDBC driver does not escape any special chars in
the String
param,and fails.Other than converting all our queries to use PreparedStatements,
is there a generic pattern/Util class(mebbe RequestUtils) or some way
of using
the Servlet Filter API to scrub out any special chars that are input
by the user?
Thanks in advance.
Vik.

How to escape special characters in Simple Transformation

Hi Experts,
I have got a problem to get a well formed xml document from the below simple transformation. The content of maktx contains
special characters like & <, which are not allowed in a well formed XML-Document. But the result of the Simple Transformation
contains this charcters even after the transformation as you can the in the result below. Has anyone a hint how to escape the
characters included in the maktx.
The transformation for maktx, should be something like
Before: Material & < TEST
After: Material &amp &lt TEST
Report wihich calls the simple transformation
types:
BEGIN OF t_mat,
   matnr type matnr,
   maktx type maktx,
end of t_mat.
Data:
mat type t_mat,
xml_stream type xstring.
START-OF-SELECTION.
mat-matnr = '4711'.
mat-maktx = 'Material & < Test'.
CALL TRANSFORMATION ztest_st2
        SOURCE mat = mat
        RESULT XML xml_stream.
CALL FUNCTION 'DISPLAY_XML_STRING'
EXPORTING xml_string = xml_stream.
Simple Transformation
<?sap.transform simple?>
<tt:transform xmlns:tt="http://www.sap.com/transformation-templates">
<tt:root name="MAT"/>
<tt:template>
    <Leistungsschild>
        <CHARACT> MATNR </CHARACT>
        <CHARACT_DESCR> Materialnummer </CHARACT_DESCR>
        <VALUE tt:value-ref="MAT.MATNR"/>
        <CHARACT> MAKTX </CHARACT>
        <CHARACT_DESCR> Materialkurztext </CHARACT_DESCR>
        <VALUE tt:value-ref="MAT.MAKTX" />
    </Leistungsschild>
</tt:template>
</tt:transform>
RESULT
<?xml version="1.0" encoding="utf-8" ?>
<Leistungsschild>
<CHARACT>MATNR</CHARACT>
<CHARACT_DESCR>Materialnummer</CHARACT_DESCR>
<VALUE>4711</VALUE>
<CHARACT>MAKTX</CHARACT>
<CHARACT_DESCR>Materialkurztext</CHARACT_DESCR>
<VALUE>Material & < Test</VALUE>   </Leistungsschild>

Hi Sandra,
First of all thaks for your quick answer to my problem.
I see what you mean and get the same result, if I am using data-type string instead of xstring. But the recommendation in the XML-Books of SAP is to use XSTRING to save memory and circumflex problems between Codepages, when writing the XML-Stream to a filesystem.
As you can see in the code abvoe I am using a SAP-FM to display the XML-Stream and this FM works only with XSTRING´s,
that is one reason why I don´t understand that it displays it in the wrong way.
Even the Debugger shows me for the XSTRING the wrong result. Does all that mean that the escaping will not be applyed if you are working with XSTING´s??

How to escape special characters in a region title

I have created a drill down report where the second report is filtered by a value chosen in the first report. I am using &Pn_field. syntax to pass the name of the select value to the region title of the second report. Some of the returned values have a ':' in them and therefore the text does not print after the ':'. How do I escape the ':' in the region title?
regards
Paul P

Paul,
I think your question is "How do I use f?p URL syntax to pass data values to a page where the data includes a colon?" (Please correct me if that's not the issue.) The answer is, you can't. Same with commas. HTML DB reserves those two characters for the f?p request syntax. You'll have to save the string into the item before the page branch. There is no restriction on what characters can be used in a region title, it's just HTML-formatted text, except that you must escape anything that looks like HTML unless you want the browser to treat it as HTML. There are restrictions, however, on what characters you can pass in URLs in general and you must take care to escape them properly, e.g., ?, &, whitespace.
And do speak up if I've missed the point.
Scott

How to restrict special characters for a specific column

Dear gurus,
i have a table emp with a field field_1
in this particular field_1 is an address column where data can be like '12 st first floor' but suppose mistakenly user has entered the data as '12 st first floor & ' it should be restricted (not using trigger but can this be possible by using constraints )so for this how can we restrict the special characters not to get entered into the column.
regards,
friend

Another way of doing it.
drop table test_table;
create table test_table (col varchar2(50));
alter table test_table add constraint chk_address check (NOT regexp_like(col, '[[:punct:]]+'));
insert into test_table
(select 'some text' col from dual);
1 rows inserted.
insert into test_table
(select 'some text!' col from dual);
Error starting at line 20 in command:
insert into test_table
(select 'some text!' col from dual)
Error report:
SQL Error: ORA-02290: check constraint (FDL_DEV.CHK_ADDRESS) violated
02290. 00000 - "check constraint (%s.%s) violated"
*Cause:    The values being inserted do not satisfy the named check
*Action:   do not insert values that violate the constraint.
insert into test_table
(select 'some text House#32' col from dual);
Error starting at line 23 in command:
insert into test_table
(select 'some text House#32' col from dual)
Error report:
SQL Error: ORA-02290: check constraint (FDL_DEV.CHK_ADDRESS) violated
02290. 00000 - "check constraint (%s.%s) violated"
*Cause:    The values being inserted do not satisfy the named check
*Action:   do not insert values that violate the constraint.
insert into test_table
(select 'some text
(with new line)' col from dual);
Error starting at line 26 in command:
insert into test_table
(select 'some text
(with new line)' col from dual)
Error report:
SQL Error: ORA-02290: check constraint (FDL_DEV.CHK_ADDRESS) violated
02290. 00000 - "check constraint (%s.%s) violated"
*Cause:    The values being inserted do not satisfy the named check

Entering special characters for Social Beat on G'Zone Ravine?

I've figured out how to enter special characters in a text, or in mobile IM. But I am unable to find a method for doing so in Social Beat. My username and password both use special characters, but I cannot find the option to enter these.

Thank you for your inquiry and I apologize for any confusion. I am providing you steps for how to change your symbols to special characters when your at the long in screen when using the Social Beat application. I was able to locate this information from the online user manuel and here is a link for further reference. I hope these steps as listed below helps.
To using Symbol Text Input to insert symbols or punctuation, follow these steps from the text entry screen:
1. Press the Left Soft Key, select Symbols, then press the Center Select Key [OK].
2. Press the Right Soft Key [Next] to view the next 12 symbols or Left Soft Key [Prev] to view the previous 12 symbols.
3. Select the symbol you want to insert using the Directional Key, then press the Center Select Key [OK] to select it.

Howto escape special characters if using regexp_replace & regexp_substr

hello experts,
following test case
insert into querytest1 (d) values
('#1(170):[{"type":"FACEBOOK","count":0,"lastEdition":1382627403299},{"type":"GOOGLE","count":0,"lastEdition":1381825285002},{"type":"EMAIL","count":2,"lastEdition":1381826322925}] #2(0): #3(5):-3141 #4(5):-3141 #5(5):21804 #6(7):3890750 #7(3):s11');
select regexp_replace(d, REGEXP_SUBSTR (REGEXP_SUBSTR(d, '[^ ]+', 1, 1), '[^:]+', 1, 2 ),'') from querytest1;
ERROR at line 1:
ORA-12726: unmatched bracket in regular expression
proof that []{} special characters are the problem:
delete from querytest1;
commit;
-- insert data without special characters
insert into querytest1 (d) values ('#1(170):"type":"FACEBOOK","count":0,"lastEdition":1382627403299,"type":"GOOGLE","count":0,"lastEdition":1381825285002,"type":"EMAIL","count":2,"lastEdition":1381826322925] #2(0): #3(5):-3141 #4(5):-3141 #5(5):21804 #6(7):3890750 #7(3):s11');
select regexp_replace(d, REGEXP_SUBSTR (REGEXP_SUBSTR(d, '[^ ]+', 1, 1), '[^:]+', 1, 2 ),'') from querytest1;
REGEXP_REPLACE(D,REGEXP_SUBSTR(REGEXP_SUBSTR(D,'[^]+',1,1),'[^:]+',1,2),'')
#1(170)::"FACEBOOK","count":0,"lastEdition":1382627403299,:"GOOGLE","count":0,"lastEdition":1381825285002,:"EMAIL","count":2,"lastEdition":1381826322925,:"EMAIL","count":2,"lastEdition":1381826322925] #2(0): #3(5):-3141 #4(5):-3141 #5(5):21804 #6(7):3890750 #7(3):s11
so now it works because there are no special characters []{}
is there a way to escape them?
thank you in advance.

oraman wrote:
ok you're right I explain from the beginning.
create table t (q varchar2(4000), d varchar2(4000), result varchar2(4000));
insert into t (q,d) values ('#1(170):[{"type":"FACEBOOK","count":0,"lastEdition":1382627403299},{"type":"GOOGLE","count":0,"lastEdition":1381825285002},{"type":"EMAIL","count":2,"lastEdition":1381826322925}] #2(0): #3(5):-3141 #4(5):-3141 #5(5):21804 #6(7):3890750 #7(3):s11',
'UPDATE mytable set value=:1 , valuec=:2 , longvalue=:3 , doublevalue=:4 WHERE productattrnameid=:5 AND productid=:6   AND context=:7');
I would like to get the following:
select result from t;
UPDATE mytable set value='[{"type":"FACEBOOK","count":0,"lastEdition":1382627403299},{"type":"GOOGLE","count":0,"lastEdition":1381825285002},{"type":"EMAIL","count":2,"lastEdition":1381826322925}]' , valuec=NULL , longvalue=-3141 , doublevalue=-3141 WHERE productattrnameid=21804 AND productid=3890750   AND context='s11';
the logic is to get the auditing data as ready to execute queries.
It looks you want to include every parameter where parameter is a pattern prefixed by #p1(lenght):param_value #p2(lenght):param_value etc.
Something like this?
set line 1000
col txt format a200
with querytest1 as
select '#1(170):[{"type":"FACEBOOK","count":0,"lastEdition":1382627403299},{"type":"GOOGLE","count":0,"lastEdition":1381825285002},{"type":"EMAIL","count":2,"lastEdition":1381826322925}] #2(0): #3(5):-3141 #4(5):-3141 #5(5):21804 #6(7):3890750 #7(3):s11' d
from dual
select 'UPDATE mytable set value='''|| nvl(trim(regexp_substr (d,'#\d+$\d+$:([^# ]+)', 1, 1, null, 1 )), 'NULL')||''''
       || chr(10) ||'     , valuec='||nvl(trim(regexp_substr (d,'#\d+$\d+$:([^#]+)', 1, 2, null, 1 )), 'NULL')
       || chr(10) ||'     , longvalue='|| nvl(trim(regexp_substr (d,'#\d+$\d+$:([^#]+)', 1, 3, null, 1 )),'NULL')
       || chr(10) ||'     , doublevalue='||nvl(trim(regexp_substr (d,'#\d+$\d+$:([^#]+)', 1, 4, null, 1 )),'NULL')
       || chr(10) ||' WHERE productattrnameid='||regexp_substr (d,'#\d+$\d+$:([^#]+)', 1, 5, null, 1 )
       || chr(10) ||'   AND productid='||regexp_substr (d,'#\d+$\d+$:([^#]+)', 1, 6, null, 1 )
       || chr(10) ||'   AND context='''||regexp_substr (d,'#\d+$\d+$:([^#]+)', 1, 7, null, 1 )||''';' txt
from querytest1;
Result:
TXT
UPDATE mytable set value='[{"type":"FACEBOOK","count":0,"lastEdition":1382627403299},{"type":"GOOGLE","count":0,"lastEdition":1381825285002},{"type":"EMAIL","count":2,"lastEdition":1381826322925}]'
     , valuec=NULL
     , longvalue=-3141
     , doublevalue=-3141
WHERE productattrnameid=21804
   AND productid=3890750
   AND context='s11';
1 row selected.
I have a problem formatting the output in the forum but I hope you get it.
Regards.
Alberto

Special Characters for Receiver JDBC Adapter

Hi,
Our Scenario is Proxy -PI-JDBC (SQLServer ). We have special characters in the payload and we are abel to see the special characters in PI.According to JDBC Faq we used haquot attribute and concatenated with Prefix N'<Value>'. But still when the data is posted in the database we cannot see the special characters.
Please let me know your inputs.
Thanks,
Sainath

Reference following thread, add a attribute of "hasQuot", map constant "No" to it, to see solve your problem or not:
Re: how to use todate function in JDBC adapter
Regards.
Liang

Urgent!!!!! escape special characters like -,& -

Hi
select prt_id from pr_prt where contains(prt_id,'04801\-')>0;
The above query returns foll
04801
04801-04051
I was expecting the result to be 04801-04051.
does any one hv any idea abt this?
This applies to all special characters if they are part of search string.
regards
priya
null

Interesting question...
The API says...
Quotation
\      Nothing, but quotes the following character
\Q      Nothing, but quotes all characters until \E
\E      Nothing, but ends quoting started by \QTry it... and please could you post your code when you're done... I might find it useful... and maybe I can even polish it a bit.... quid pro quo.
Cheers. Keith.

Escaping special characters

Environment:
Client: win2k sp4, 10.2 client
Server: 9.2 on solaris 9
Is there any way to set an escape character?
Many times we have '&' characters in strings in procedures, and when I try to compile them sqldeveloper prompts for a value thinking that it is a variable.
I've tried the default '\', and 'set escape on' doesn't work either.
Would be even better if there was an option in sqldeveloper to tell it to ignore the '&' character alltogether.
Thanks.

not really the answer I was looking for :(
the devs would end up driving me nuts wondering what all the CHR stuff is in their code.
i guess for now, i'll just keep using PLedit to compile all the procs that have any special chars.
...someday we'll have one tool that does everything ;)

Escaping special characters in SECURITY_PRINCIPAL

I am trying to connect to AD-LDAP with
env.put(Context.SECURITY_PRINCIPAL, "CN=cn /18,CN=Users,DC=company,DC=com");
As you can see I have a / character in my DN. I cannot get a context using this security_principal, I am always getting javax.naming.AuthenticationException. When my DN does not contain / or any special character everything works fine. I thought I had to maybe escape / so I tried
env.put(Context.SECURITY_PRINCIPAL, "CN=cn \\/18,CN=Users,DC=company,DC=com");
env.put(Context.SECURITY_PRINCIPAL, "CN=cn \\\\/18,CN=Users,DC=company,DC=com");
env.put(Context.SECURITY_PRINCIPAL, "CN=cn \\\\\\/18,CN=Users,DC=company,DC=com");
without any success.
Thanks in advance,
Nikola

That did not seem to help. By the way, I was really looking for a more generic answer since for example I have the same problem when my SECURITY_PRINCIPAL DN includes /, \, or ' characters.

Escape special characters for OData response

Similar Messages

Maybe you are looking for