Generic SQL Injection in HTTP Request

  So our project allows Facebook interaction. MARS sends out this Incident Event type every time someone attaches to Facebook. Is this something I can just False Positive out, or should I be concerned about it? What is Facebook sending back to our network so that we get this message on MARS?

I get numerous alerts from our IDSMs and have mitigated this by
1: not allowing the IDSMs to block our outgoing traffic at all. Not worth the risk of causing a major outage.
2: creating a drop rule in MARS that drops all SQL Injections destined for the Facebook subnets (69.63.176.1-69.63.183.254, 66.220.144.1-66.220.159.255).
Regards
Fredrik

Similar Messages

  • "SQL Query in HTTP Request" (5474:0)

    Hi,
    The IDS signature "SQL Query in HTTP Request" (5474:0) does not recognize all malicious SQL selects. Currently, the regexp looks like ([%]20|[=]|[+])[Ss][Ee][Ll][Ee][Cc][Tt]([%]20|[+])[^\r\n\x00-\x19\x7F-\xFF]+([%]20|[+])[Ff][Rr][Oo][Mm]([%]20|[+]) . We noticed that subselects do not trigger the signature. For example, "...(select%20something%20from%20somethingmore%20where%20variable%20=%20(select%20....." which could be malicious. Is there any possibility to include "(" in the regexp to detect subselects?
    Regards,
    /Ola

    hmmm...That should actually match just fine. Let's break it down:
    ([%]20|[=]|[+]) <--"%20","=",or "+"
    [Ss][Ee][Ll][Ee][Cc][Tt] <-- "SELECT"
    ([%]20|[+]) <--"%20" or "+"
    [^\r\n\x00-\x19\x7F-\xFF]+ <-- one or more chars that are NOT ascii control or extended chars
    ([%]20|[+]) <-- "%20" or "+"
    [Ff][Rr][Oo][Mm] <-- "FROM"
    ([%]20|[+]) <-- "%20" or "+"
    The only reason I can think that it wouldn't match is if there are some funky characters between the first SELECT and the first FROM (i.e. carriage return/line feed, etc). Also remember that a %20 or = or + must precede the SELECT and that a %20 or + must follow the FROM.
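    To see exactly what the 5474:0 expression does and does not cover, here is an added example (not from the thread and not Cisco's code) that runs the quoted regex, plus a variant that also accepts "(" or its URL-encoded form %28 immediately before SELECT as Ola asked, over constructed request lines. On the subselect from the post the original expression does not fire: the character right before "select" is "(", which is not in the required %20/=/+ prefix set. It also never fires when the separators are anything other than %20 or +, such as %09. The sample request lines, the variant pattern and the function names are mine.

```python
import re

# Signature 5474:0 as quoted in the thread, with its leading "(" restored.
SIG_5474 = re.compile(
    r"([%]20|[=]|[+])[Ss][Ee][Ll][Ee][Cc][Tt]([%]20|[+])"
    r"[^\r\n\x00-\x19\x7F-\xFF]+"
    r"([%]20|[+])[Ff][Rr][Oo][Mm]([%]20|[+])"
)

# Assumed variant answering the question in the post: also accept "(" or
# %28 directly before SELECT so "(select ... from" in a subquery is covered.
SIG_5474_PAREN = re.compile(
    r"([%]20|[=]|[+]|[(]|%28)[Ss][Ee][Ll][Ee][Cc][Tt]([%]20|[+])"
    r"[^\r\n\x00-\x19\x7F-\xFF]+"
    r"([%]20|[+])[Ff][Rr][Oo][Mm]([%]20|[+])"
)

# Constructed request lines (not captures from the thread).
SAMPLES = {
    "union_select":      "GET /item.asp?id=1%20union%20select%20name%20from%20users%20-- HTTP/1.1",
    "subselect_in_post": "GET /item.asp?id=1%20where%20x%20=%20(select%20a%20from%20b%20where%20c%20=%20(select%20d%20from%20e)) HTTP/1.1",
    "encoded_paren":     "GET /item.asp?id=1%20and%20x=%28select%20a%20from%20b%29 HTTP/1.1",
    "tab_separators":    "GET /item.asp?id=1%20union%20select%09name%09from%09users HTTP/1.1",
}


def fires(sig, request_line):
    """True when the signature regex matches anywhere in the request line."""
    return sig.search(request_line) is not None


def evaluate(samples=SAMPLES):
    """Return {sample name: (original 5474:0 fired, paren variant fired)}."""
    return {name: (fires(SIG_5474, line), fires(SIG_5474_PAREN, line))
            for name, line in samples.items()}


if __name__ == "__main__":
    for name, (orig, paren) in evaluate().items():
        print(f"{name:20s} 5474:0={orig!s:5s} with-paren={paren}")
```

    The gap is in the prefix alternation, not in the middle character class; the %09 case shows a second gap that only whitespace normalisation before matching would close.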

  • PL/SQL posting to HTTP request

    Hi
    As part of a web application I am developing, I need to generate an HTTP post from a PL/SQL package. The problem I am having is that the message going out is not properly formatted and is being rejected by the listening application (in this case, WebCT)
    The MIME message should be formatted like this. (this is what I get when I use Perl to generate the call...)
    POST /webct/systemIntegrationApi.dowebct HTTP/1.1
    Host: roach:4041
    Connection: Keep-Alive, TE
    TE: trailers, deflate, gzip, compress
    User-Agent: RPT-HTTPClient/0.3-3E
    Accept-Encoding: deflate, gzip, x-gzip, compress, x-compress
    Content-type: multipart/form-data; boundary=WebCT_Enterprise_API_boundary
    Content-length: 1506

    --WebCT_Enterprise_API_boundary
    Content-Disposition: form-data; name="adapter"

    ims
    --WebCT_Enterprise_API_boundary
    Content-Disposition: form-data; name="ACTION"

    import
    --WebCT_Enterprise_API_boundary
    Content-Disposition: form-data; name="OPTION"

    unrestrict
    --WebCT_Enterprise_API_boundary
    Content-Disposition: form-data; name="SCTMODE"

    OFF
    --WebCT_Enterprise_API_boundary
    Content-Disposition: form-data; name="TIMESTAMP"

    1091141996
    --WebCT_Enterprise_API_boundary
    Content-Disposition: form-data; name="AUTH"

    3D 1F DC E0 F7 15 5A 1F F4 99 CA 70 D4 68 1C 57
    --WebCT_Enterprise_API_boundary
    Content-Disposition: form-data; name="FILENAME"; filename="baseline_import.xml"

    <?xml version="1.0" encoding="iso-8859-1"?>
    <!DOCTYPE ENTERPRISE SYSTEM "IMS-EP01.dtd">
    <ENTERPRISE>
    <PROPERTIES>
    <DATASOURCE>McGill University SCT Banner</DATASOURCE>
    <TYPE>Initial Creation</TYPE>
    <DATETIME>2000-00-00T12:00:00</DATETIME>
    </PROPERTIES>
    <GROUP>
    <SOURCEDID>
    <SOURCE>Banner 2000 SCT Banner</SOURCE>
    <ID>6536.200409</ID>
    </SOURCEDID>
    <DESCRIPTION>
    <SHORT>HIST-666-001</SHORT>
    </DESCRIPTION>
    <RELATIONSHIP myrelationship="3">
    <SOURCEDID>
    <SOURCE>Banner 2000 SCT Banner</SOURCE>
    <ID>6537.200409</ID>
    </SOURCEDID>
    </RELATIONSHIP>
    </GROUP>
    </ENTERPRISE>
    --WebCT_Enterprise_API_boundary--

    HTTP/1.1 200 OK
    Date: Thu, 29 Jul 2004 21:56:27 GMT
    Server: Apache/2.0.49 (Unix) DAV/2 mod_ssl/2.0.49 OpenSSL/0.9.6m mod_jk/1.2.3-dev
    Keep-Alive: timeout=15, max=100
    Connection: Keep-Alive
    Transfer-Encoding: chunked
    Content-Type: text/html

    35
    Success: Import file (baseline_import.xml) complete.
    0
    My PL/SQL code that tries to build the outgoing call is
    DECLARE
       req               utl_http.req;
       resp              utl_http.resp;
       val               VARCHAR2(32767);
       body              VARCHAR2(32767);
       crlf              CONSTANT VARCHAR2(2)  := CHR(13) || CHR(10);
       bnd               CONSTANT VARCHAR2(40) := '--WebCT_Enterprise_API_Boundary';
       -- timestamp, mac and total_xml_string are assumed to be filled in by the caller
       timestamp         VARCHAR2(20);
       mac               VARCHAR2(100);
       total_xml_string  VARCHAR2(32000);
    BEGIN
       -- Build the whole multipart body first. Every line ends in CRLF and each
       -- part's header block is followed by one empty line.
       body := bnd || crlf ||
               'Content-Disposition: form-data; name="adapter"' || crlf || crlf ||
               'ims' || crlf ||
               bnd || crlf ||
               'Content-Disposition: form-data; name="ACTION"' || crlf || crlf ||
               'import' || crlf ||
               bnd || crlf ||
               'Content-Disposition: form-data; name="OPTION"' || crlf || crlf ||
               'unrestrict' || crlf ||
               bnd || crlf ||
               'Content-Disposition: form-data; name="SCTMODE"' || crlf || crlf ||
               'OFF' || crlf ||
               bnd || crlf ||
               'Content-Disposition: form-data; name="TIMESTAMP"' || crlf || crlf ||
               timestamp || crlf ||
               bnd || crlf ||
               'Content-Disposition: form-data; name="AUTH"' || crlf || crlf ||
               mac || crlf ||
               bnd || crlf ||
               'Content-Disposition: form-data; name="FILENAME"; filename="xlist.xml"' || crlf || crlf ||
               total_xml_string || crlf ||
               bnd || '--' || crlf;   -- closing delimiter

       req := utl_http.begin_request('http://atlas.cc.mcgill.ca:8900/webct/systemIntegrationApi.dowebct', 'POST', 'HTTP/1.1');
       -- Request headers go through set_header. Passing the Content-type line to
       -- write_text puts it into the body, after the real headers have been sent.
       utl_http.set_header(req, 'Content-Type', 'multipart/form-data; boundary=WebCT_Enterprise_API_Boundary');
       -- With HTTP/1.1 and no Content-Length, UTL_HTTP sends the body chunked,
       -- which the listener may not accept; give the byte length explicitly.
       utl_http.set_header(req, 'Content-Length', LENGTHB(body));
       utl_http.write_text(req, body);
       resp := utl_http.get_response(req);
       utl_http.read_text(resp, val);
       utl_http.end_response(resp);
    END;
    When I watch the network traffic generated by this PL/SQL I do not have any carriage returns, which makes WebCT believe that the message does not carry the proper data, and it returns Fatal Failure(99): Invalid URL arguments...
    Is there somewhere where I can see sample code for placing HTTP requests using the utl_http package? Or if I am doing something obviously wrong (I am new at this whole PL/SQL thing...) please let me know.
    Thank you
    Bogdan

    If UTL_HTTP.SET_TRANSFER_TIMEOUT has no effect, probably your hang is due to the fact that the machine is completely down and inaccessible.
    As the name suggests, SET_TRANSFER_TIMEOUT only controls the timeout when UTL_HTTP succeeds in making a connection to the remote Web server and it times out the request when no more response is received by certain time while the connection is not closed by the remote server either.
    In your case, you probably need a connect-timeout which isn't provided by UTL_HTTP (yet).

  • Generic SQL Injection

    Hi, regarding IDS signature 5930. This appears to be an old signature re-released with the recent Asprox vulnerabilities in mind. We have seen this fire with subsig 5 (Asprox) and subsig 4, which detects " AND 1=1" in HTTP arguments. However, when we look at the captures for subsig 4 alerts we are unable to find this argument in the capture anywhere (TAC case currently raised).
    Also, what is the best method of protecting against these vulnerabilities - is it just a case of the developers ensuring that the code is not vulnerable? There is an MS test tool available to help with this: http://support.microsoft.com/kb/954476.
    Does anybody have any similar thoughts on this and the best way to defend against this?
    Thanks

    Subsig 5 is probably legit (e.g. Asprox, something trying to inject SQL). I'm quite surprised you've actually seen subsig 4 fire. I don't get why an attacker would use "AND 1=1", because it would evaluate to false. "OR 1=1" is the more classical example and makes more sense, because if it works it will evaluate to true. The regex is pretty basic though:
    (%20|\x2b)[aA][nN][dD](%20|\x2b)1=[12]
    Therefore, it won't match unless it sees " and 1=1" or " and 1=2".
    do you have just the contextual data, or do you have the trigger packet and/or log packets?
    If you're inline, you could use a drop action. If promiscuous, you might be able to use TCP resets. The real fix is to use a "white list" approach to filter input in your web applications.

  • SQL injection hacks

    Hi,
    I am a bit disappointed by the ability of Cisco IPS to block SQL injections; even with the new generic SQL injection signatures added not long ago, websites hosted with us are still being hacked.
    I know it's vulnerabilities in the sites, but the command "update" is used a lot to hack sites. I have created a custom signature that catches "update" in lower case and caps, but I was surprised yesterday that the hacker used "u%pdate" and it bypassed the sensor!!
    Any thoughts on the subject?
    Thanks

    Interesting. I'm so not a SQL expert, but I don't see how "u%pdate" is valid SQL. Why would the database interpret "u%pdate" as valid SQL? Is the application cleaning up the input before passing to the db?
    IMHO, if your customers have vulnerable apps, then they need to fix them. A network based IDS simply isn't going to be the best at detecting every possible variation of injection (or anything else imo, but that's a whole different soap box). It just doesn't have the required context. Throw TLS into the mix, and most of the time coverage drops to zero.
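    Added example, not part of the thread and not Cisco's code: the 5930 subsig 4 expression quoted above, and a keyword signature like the poster's custom "update" one, run both on the wire form and on a decoded form of constructed query strings. The decoder is an assumption modelled on classic ASP, which drops a "%" that is not followed by two hex digits instead of rejecting it; that quirk is what turns "u%pdate" into "update" by the time the value reaches the database, and sqlmap's "percentage" tamper script relies on the same behaviour. The subsig accepts 1=1 and 1=2 because the true/false pair is the standard boolean-blind probe; "or 1=1" is not covered by it at all. Sample strings and function names are mine.

```python
import re

# 5930 subsig 4 as quoted in the thread ("\x2b" is "+"): " and 1=1" / " and 1=2".
SIG_5930_4 = re.compile(r"(%20|\x2b)[aA][nN][dD](%20|\x2b)1=[12]")

# A custom keyword signature of the kind described in the post.
SIG_UPDATE = re.compile(r"[Uu][Pp][Dd][Aa][Tt][Ee]")

HEX2 = re.compile(r"[0-9A-Fa-f]{2}")


def lenient_urldecode(s):
    """Assumed model of a lenient query-string decoder: a valid %XX pair is
    decoded, '+' becomes a space, and a '%' NOT followed by two hex digits is
    silently dropped rather than rejected. Classic ASP behaves this way, which
    is what makes 'u%pdate' arrive at the database as 'update'."""
    out, i = [], 0
    while i < len(s):
        c = s[i]
        if c == "%" and HEX2.fullmatch(s[i + 1:i + 3]):
            out.append(chr(int(s[i + 1:i + 3], 16)))
            i += 3
        elif c == "%":
            i += 1                      # lone '%': dropped
        else:
            out.append(" " if c == "+" else c)
            i += 1
    return "".join(out)


def inspect(raw_query):
    """Run the signatures on the wire form and on the decoded form."""
    decoded = lenient_urldecode(raw_query)
    return {
        "decoded": decoded,
        "and_1_eq_x_raw": SIG_5930_4.search(raw_query) is not None,
        "update_raw": SIG_UPDATE.search(raw_query) is not None,
        "update_decoded": SIG_UPDATE.search(decoded) is not None,
    }


# Constructed query strings (not captures from the thread).
SAMPLES = {
    "boolean_probe": "id=5%20and%201=1",
    "classic_or":    "id=5+or+1=1",
    "percent_split": "id=5;u%pdate%20users%20set%20pw=%27x%27",
    "hex_encoded_u": "id=5;%75pdate+users+set+pw=%27x%27",
}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        r = inspect(raw)
        print(f"{name:14s} raw-and1=x={r['and_1_eq_x_raw']!s:5s} "
              f"raw-update={r['update_raw']!s:5s} decoded-update={r['update_decoded']!s:5s} "
              f"decoded={r['decoded']!r}")
```

    A sensor that only sees the wire form misses both "u%pdate" and "%75pdate"; matching on a decoded copy that mimics what the application's own parser will produce catches both, which is the context the reply above says a network IDS lacks.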

  • SQL Injection detection with IDS/IPS on cisco ASA?

    Hi
    Is it possible to detect or prevent SQL injection attacks using Cisco IDS/ IPS on ASA or with regular expressions?
    Is there any signature available in IDS/IPS for this? And how effective it is in terms of generating correct alarms?
    Thanks in advance

    Deepak,
    We have several signatures that detect generic SQL injection attacks in the 5930-x family of signatures.

  • How to make a http request from a pl/sql procedure(URGENT)

    I need to make an HTTP request from a PL/SQL procedure; can anyone tell me which built-in package and which procedure/function will serve my need?
    Thanks in advance.
    Ram Prasad.

    You should use UTL_HTTP package, but before it install the JVM into DB

  • HTTPS request signed by client certificate from PL/SQL procedure

    Hi All, please help.
    The PL/SQL procedure connects to different web services, using both HTTP and HTTPS; for HTTPS, server certificates were used. Everything was OK.
    The next service requires the client to sign requests with a client certificate. I made the client certificate, had it signed by the CA, and stored it in Wallet Manager.
    Is there a possibility to send signed HTTPS requests from PL/SQL?
    If not, how can I do it using Java and encapsulate it for PL/SQL?
    Please answer ASAP!!!

    It is pretty straight-forward to make HTTPS requests with UTL_HTTP.
    To do so, you first need to create an Oracle wallet on the database server host with Oracle Wallet Manager. If your database resides on Windows, I believe a short-cut has been created in the Windows menu. On Linux, it can be invoked from $ORACLE_HOME/bin/owm.
    Once the wallet is created, you need to make an additional call to utl_http.set_wallet(<wallet-directory>, <wallet-password>) before any utl_http.request or utl_http.begin_request calls. The <wallet-directory> is the wallet directory where you will find the cwallet.sso and/or ewallet.p12 files, using the format "file:/<wallet-directory>". For example:
    utl_http.set_wallet('file:/home/oracle/wallets/my_wallet/', '123456');
    When an Oracle wallet is created, it is pre-populated with common certificate authorities' certificates (e.g. Verisign). In the event that the server certificate of the HTTPS host is not signed by one of those common certificate authorities, you need to import the additional certificate authority's certificate in your wallet using Oracle Wallet Manager.

  • "http request error" - SQL call sometimes works, sometimes doesn't

    Hello everyone,
    A bit of a random question, maybe someone has an idea...
    I have a flex app that queries data from a mySQL service via http service. Overall, things work great! The queries are quick to return a result and without issues. But, when I view the website from my work PC, I get this error "HTTP Request Error", and none of the SQL calls work. Any ideas? I know my work has very tight security regulations, but I would still think it would be able to work.
    I can't get a better security message because I can't set up and run flex to debug the issue, all I get is "HTTP Request Error", so who knows what it could be. I have tested my website from about 15 computers/different networks, and they all work, except my work PC. Any ideas?
    And yes, the flash version is current.
    Thanks!

    it sounds like the work security is blocking it
    can you write a simple html page that fetches the data and displays it?It might give you a better idea what is happening behind flex

  • HTTP request using PL/SQL

    I've the following header and http request.
    POST http://deab/DexNETWebServices_4_0_0_4/LoginService.svc HTTP/1.1
    MIME-Version: 1.0
    Content-Type: multipart/related; type="application/xop+xml";start="<http://tempuri.org/0>";boundary="uuid:e4c19840-745d-45b2-90ca-12d71be4cfd9+id=1";start-info="application/soap+xml"
    VsDebuggerCausalityData: uIDPo5F/qXRc4YJImqB6Ard30cQAAAAAAjIXinpIVUulXLJOsSG7yyv7Lf2yHgpHlIxvc6oeqaAACQAA
    Host: deab
    Content-Length: 1017
    Expect: 100-continue
    Accept-Encoding: gzip, deflate
    Connection: Keep-Alive
    --uuid:e4c19840-745d-45b2-90ca-12d71be4cfd9+id=1
    Content-ID: <http://tempuri.org/0>
    Content-Transfer-Encoding: 8bit
    Content-Type: application/xop+xml;charset=utf-8;type="application/soap+xml"
    <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing"><s:Header><a:Action s:mustUnderstand="1">http://tempuri.org/ILoginService/LoginByUserName</a:Action><a:MessageID>urn:uuid:cf410a05-23d4-4b92-a22c-329cbc19fbe7</a:MessageID><a:ReplyTo><a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address></a:ReplyTo><a:To s:mustUnderstand="1">http://deab/DexNETWebServices_4_0_0_4/LoginService.svc</a:To></s:Header><s:Body><LoginByUserName xmlns="http://tempuri.org/"><systemId>19e0ddb4-5fa5-41ee-b624-aea762865a6c</systemId><strName>FirmwareUpdateLogQueryWorker</strName><productId>0af39a3e-6549-485b-872f-b73413203998</productId><password>abc</password></LoginByUserName></s:Body></s:Envelope>
    --uuid:e4c19840-745d-45b2-90ca-12d71be4cfd9+id=1--
    I'm using the following code to set the header from PL/SQL.
    l_http_req := UTL_HTTP.begin_request ('http://deab/DexNETWebServices_4_0_0_4/LoginService.svc', 'POST', 'HTTP/1.1');
    UTL_HTTP.set_header (
             l_http_req,
             'Content-Type',
             'multipart/related; type="application/xop+xml";start="<http://tempuri.org/0>";boundary="uuid:e4c19840-745d-45b2-90ca-12d71be4cfd9+id=1";start-info="application/soap+xml"');
    UTL_HTTP.set_header (l_http_req, 'Content-Length', LENGTH (l_request));
    But UTL_HTTP.get_response returns the error 400 Bad Request. How do I set MIME-Version and VsDebuggerCausalityData from the header?
    Thank you for your help on this.

    Here is the complete code that returns the 400 Bad Request error. Thanks for your help.
    DECLARE
       crlf              CONSTANT VARCHAR2 (2) := CHR (13) || CHR (10);
       l_boundary        CONSTANT VARCHAR2 (60) := 'uuid:e4c19840-745d-45b2-90ca-12d71be4cfd9+id=1';
       l_request         CLOB;
       l_http_req        UTL_HTTP.req;
       l_http_resp       UTL_HTTP.resp;
       v_buffer          VARCHAR2 (32767);
       p_status_code     NUMBER (9);
       p_error_message   VARCHAR2 (32767);
       p_response        CLOB;
    BEGIN
       -- Each MIME line ends in CRLF and the part headers are followed by one
       -- empty line. A string literal that spans source lines carries bare line
       -- feeds and no blank line, which a strict endpoint answers with 400.
       l_request :=
             '--' || l_boundary || crlf
          || 'Content-ID: <http://tempuri.org/0>' || crlf
          || 'Content-Transfer-Encoding: 8bit' || crlf
          || 'Content-Type: application/xop+xml;charset=utf-8;type="application/soap+xml"' || crlf
          || crlf
          || '<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing"><s:Header><a:Action s:mustUnderstand="1">http://tempuri.org/ILoginService/LoginByUserName</a:Action><a:MessageID>urn:uuid:cf410a05-23d4-4b92-a22c-329cbc19fbe7</a:MessageID><a:ReplyTo><a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address></a:ReplyTo><a:To s:mustUnderstand="1">http://deab/DexNETWebServices_4_0_0_4/LoginService.svc</a:To></s:Header><s:Body><LoginByUserName xmlns="http://tempuri.org/"><systemId>'
          || '19e0ddb4-5fa5-41ee-b624-aea762865a6c'
          || '</systemId><strName>'
          || 'FirmwareUpdateLogQueryWorker'
          || '</strName><productId>'
          || '0af39a3e-6549-485b-872f-b73413203998'
          || '</productId><password>'
          || 'abc'
          || '</password></LoginByUserName></s:Body></s:Envelope>' || crlf
          || '--' || l_boundary || '--' || crlf;
       DBMS_OUTPUT.put_line ('request ' || l_request);
       l_http_req :=
          UTL_HTTP.begin_request (
             'http://deab/DexNETWebServices_4_0_0_4/LoginService.svc',
             'POST',
             'HTTP/1.1');
       UTL_HTTP.set_header (
          l_http_req,
          'Content-Type',
          'multipart/related; type="application/xop+xml";start="<http://tempuri.org/0>";boundary="' || l_boundary || '";start-info="application/soap+xml"');
       -- The body is pure ASCII here, so the character count equals the byte count.
       UTL_HTTP.set_header (l_http_req, 'Content-Length', DBMS_LOB.getlength (l_request));
       UTL_HTTP.set_header (l_http_req, 'MIME-Version', '1.0');
       -- VsDebuggerCausalityData is added by WCF while a Visual Studio debugger is
       -- attached; the service does not need it, but any extra header is set this way.
       UTL_HTTP.set_header (
          l_http_req,
          'VsDebuggerCausalityData',
          'uIDPo5F/qXRc4YJImqB6Ard30cQAAAAAAjIXinpIVUulXLJOsSG7yyv7Lf2yHgpHlIxvc6oeqaAACQAA');
       UTL_HTTP.write_text (l_http_req, l_request);
       DBMS_LOB.createtemporary (p_response, FALSE);
       l_http_resp := UTL_HTTP.get_response (l_http_req);
       -- Read the status while the response is still open.
       p_status_code := l_http_resp.status_code;
       p_error_message := l_http_resp.reason_phrase;
       BEGIN
          LOOP
             UTL_HTTP.read_text (l_http_resp, v_buffer, 32767);
             DBMS_OUTPUT.put_line (v_buffer);
             DBMS_LOB.writeappend (p_response, LENGTH (v_buffer), v_buffer);
          END LOOP;
       EXCEPTION
          WHEN UTL_HTTP.end_of_body
          THEN
             NULL;
       END;
       UTL_HTTP.end_response (l_http_resp);
       p_response := REPLACE (p_response, '&lt;', '<');
       p_response := REPLACE (p_response, '&gt;', '>');
       DBMS_OUTPUT.put_line (
          'Status: ' || p_status_code || '-' || p_error_message || ': ' || p_response);
    END;

  • Pl/sql call to a WS: HTTP request error

    Hello,
    I am trying to call a web service from a pl/sql package and am getting this error from the Apps (10g database)
    ORACLE error 29273 in FDPSTP
    Cause: FDPSTP failed due to ORA-29273: HTTP request failed
    ORA-06512: at "SYS.UTL_HTTP", line 1029
    ORA-28862: SSL connection failed
    ORA-06512: at "APPS.CM_TEST_WS_INVOKE", line 19
    ORA-06512: at line 1
    Could anyone help me resolve this so that I can call the web service?
    Any help would be greatly appreciated.
    -CC
    Edited by: user11121346 on May 1, 2012 10:17 AM

    Hi,
    As this is an SSL call, you need to configure the wallet. Basically, if it is one-way SSL (only the web service server gets authenticated), you need to follow these steps.
    1.) Extract the public certificate of the target web service using the browser
    2.) Import this certificate into the Oracle Wallet using Oracle Wallet Manager
    3.) The schema user trying to invoke the service should have proper ACL permissions
    4.) Test your connection from R12 SQL directly using the SQL statement below. If it succeeds, you can wrap the service call in a package.
    select utl_http.request('https://<service URL>',
                            NULL,                      -- proxy settings, if any
                            'file:<Wallet_Location>',  -- wallet directory on R12
                            '<Wallet_Password>')
    from dual;
    Let me know if you still face any issues.
    Regards,
    Neeraj Sehgal

  • SQL injection hacking

    Hello all,
    Someone is telling me that a site of mine is vulnerable to a hacking technique called "SQL injection". They cited a URL such as http://www.mydomain.com/gallery.cfm?VarCatID=29 as an example.
    I Googled SQL injection, and found a lot of information, which I'm in the midst of reading.
    What I really want to know is, how serious a risk is this? Should I be taking action, and if so, what?
    Aren't there millions of sites that use that type of URL string?? Are they all unsafe too?
    Patty Ayers | www.WebDevBiz.com
    Free Articles on the Business of Web Development
    Web Design Contract, Estimate Request Form, Estimate Worksheet

    Thank you, Tom!
    Patty Ayers | www.WebDevBiz.com
    Free Articles on the Business of Web Development
    Web Design Contract, Estimate Request Form, Estimate Worksheet
    "Tom Muck" <[email protected]> wrote in message news:ecuu0f$dbn$[email protected]..
    > If you are passing an integer on a querystring, make sure you validate that an integer is being passed, either by using a cfparam, cfqueryparam, or by using the val() function on the passed querystring variable:
    >
    > <cfquery name="blah" datasource="#mydsn#">
    > SELECT * FROM mytable WHERE catid =
    > <cfqueryparam cfsqltype="cf_sql_integer" value="#url.VarCatID#">
    > </cfquery>
    >
    > The DW 8.0.2 update changed the way that DW does this so injection is no longer a concern.
    >
    > --
    > Tom Muck
    > co-author Dreamweaver MX 2004: The Complete Reference
    > http://www.tom-muck.com/
    > Cartweaver Development Team
    > http://www.cartweaver.com
    > Extending Knowledge Daily
    > http://www.communitymx.com/

  • SQL Injection, replace single quote with two single quotes?

    Is replacing a single quote with two single quotes adequate for eliminating SQL injection attacks? This article ( http://www.devguru.com/features/kb/kb100206.asp ) offers that advice, and it enabled me to allow users to search name fields in the database that contain single quotes.
    I was advised to use "Parameterized SQL" in an earlier post, but I can't understand the concept behind that method, and whether it applies to queries, writes, or both.

    Then you can use both stored procedures and prepared statements. Both provide better protection than simply replacing apostrophes.
    Prepared statements are simple:
    Set myCommand = Server.CreateObject("ADODB.Command")
    ...snip...
    myCommand.CommandText = "INSERT INTO Users([Name], [Email]) VALUES (?, ?)"
    ...snip...
    myCommand.Parameters.Append myCommand.CreateParameter("@Name",200,1,50,Name)
    myCommand.Parameters.Append myCommand.CreateParameter("@Email",200,1,50,Email)
    myCommand.Execute ,,128 'the ,,128 sets execution flags that tell ADO not to look for rows to be returned. This saves the expense of creating a recordset object you don't need.
    Stored procedures are executed in a similar manner. DW can help you with a stored procedure through the "Command (Stored Procedure)" server behavior.
    You can see a full example of a prepared statement by looking at DW's recordset code after you've created a recordset using version 8.02.
    "Mike Z" <[email protected]> wrote in message news:eo5idq$3qr$[email protected]..
    >I should have repeated this, I am using VBScript in ASP, with an Access DB.
    >
  • Can CSS route based on cookie info in HTTP request

    Hi
    I am new to CSS and am interested as it might be able to provide a solution to a problem I have seen.
    We currently have 3 Windows Servers running an ASP-based web application with a clustered SQL Server backend. The front end uses windows load balancing to distribute the load. All 3 servers are configured the same and there is only one application.
    The problem lies with the way the application maintains session state. I am told it uses a non-persistent cookie on the client which corresponds to a session object on the server. This is opposed to maintaining state in a central location such as the database. Obviously this means the client needs to be stuck to a particular server for that session. This is currently achieved by setting the Windows NLB to single affinity, which sends traffic from a particular IP address to the same server. This does work, but the client's source IP is changed by a downstream firewall to a NAT overload address, meaning all clients appear with the same IP address (different port) and hence always end up on just one server.
    The obvious next step in my mind would be to change the way NAT is done, but this is not possible. The next obvious idea would be to change the application so that it maintains state in the database, so the affinity of the Windows NLB could be disabled, meaning requests would be dealt with using the source IP and port and hence distributed evenly. I am told this cannot be done either :) Joy!
    So I have begun to look at other possible solutions. Apologies for my very limited knowledge of the CSS, as I am trying to get my head around how it can be configured. I am thinking that it may be able to help me if I used it instead of Windows NLB. I am interested in the way you can use Layer 5 stickiness. Would it be able to examine the cookie in the HTTP request and route the traffic to the correct server?
    I am aware that this will not alleviate the failover issue. If one of the servers were to fall over then the client would have to log in again; however, I am under the impression that this is acceptable behaviour. The main driver here is to provide load balancing to improve application performance by using all resources as opposed to just one.
    Many many thanks to anyone who can give me advice on this.

    Hi Gilles
    Thanks for the info. Sounds like we are on the right path. Unfortunately I am unable to get much information from the developers. Long story. I did logon to the system whilst doing a network trace. The following is what I found in the HTTP header:
    Hypertext Transfer Protocol
    GET /XXXXX/Includes/style.asp HTTP/1.1\r\n
    Accept: */*\r\n
    Referer:
    http://xxx.xxxxx.xxx/xxxxx/login.asp\r\n
    Accept-Language: en-gb\r\n
    Accept-Encoding: gzip, deflate\r\n
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)\r\n
    Host: xxxx.xxxxx.xxxxx\r\n
    Connection: Keep-Alive\r\n
    Cookie: ASPSESSIONIDQCBCDSCR=AEHBCJEDDGMMCCBHBICLELGD\r\n
    \r\n
    Why do you configure 2 services? How would I go about this given the cookie in the HTTP request?
    Many thanks
    Gary

  • SQL Injection and variable substitutions

    Hello helpful forum, I'm trying to understand what really goes on "behind" the scenes
    with the variable substitutions in order to protect from sql injections.
    I'm using apex 3.0.0.00.20
    The trickiest component seems to be a Report of type "pl/sql returning sql", since
    multiple dynamic sql interpretations are done there.
    consider the following innocent looking disaster:
    DECLARE
    l_out VARCHAR2(2000);
    BEGIN
    l_out := 'select * from test_injection t where t.name like ''%' || :NAME || '%''';
    RETURN l_out;
    END;
    if NAME is a single quote the report will return:
    failed to parse SQL query: ORA-00911: invalid character
    which hints at the fact that NAME is not escaped, and you are in fact able to access db functions
    as in: '||lower('S')||'
    I also tried to put there a function that runs in a autonomous transaction to log its calls, and
    I see that it's called five times for each request.
    consider now the similar solution (notice the two single quotes):
    DECLARE
    l_out VARCHAR2(2000);
    BEGIN
    l_out := 'select * from test_injection t where t.name like ''%'' || :NAME || ''%''';
    RETURN l_out;
    END;
    with this second example nothing of the above is possible.
    So my theory (please confirm it or refute it) is that there is a first variable substitution done
    at the pl/sql level (and in the second case :NAME is just a string so nothing is substituted).
    Then the dynamic sql is executed and it returns the following string:
    select * from test_injection t where t.name like '%' || :NAME || '%'
    now another substitution is done (at an "APEX" level) and then query is finally executed to return
    the rows to the report.
    The tricky point seems to be that the first substitution doesn't escape the variable (hence the error
    with the single quote), while the second substitution does.
    Please let me know if this makes sense and what are the proper guidelines to avoid sql injection with
    the different kinds of reports and components (SQL, pl/sql returning sql, processes, ...)
    Thanks

    Giovanni,
    You should build report regions like this using the second method so that all bind variables (colon followed by name) appear in the resultant varchar2 variable, l_out in your example, which will then be parsed as the report query. This addresses not only the SQL injection problem but the shared-pool friendliness problem.
    Scott
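    The three threads above (Tom's cfqueryparam advice, the quote-doubling question, and Scott's APEX bind-variable pattern) make one point: the value must never become part of the SQL text. As an added example, not taken from any of those posts, here is that contrast in Python with the standard sqlite3 module over a constructed gallery table. gallery_concat/gallery_param stand for gallery.cfm?VarCatID=29 built by concatenation versus an integer check plus a bind parameter; search_concat/search_param stand for the two APEX report queries, the first splicing the value of :NAME into the text before parsing, the second keeping the placeholder inside the text. Table, row and function names are mine.

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for the site's gallery table."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE gallery (catid INTEGER, name TEXT);
        INSERT INTO gallery VALUES (29, 'Landscapes'), (30, 'Portraits'), (31, 'O''Brien');
    """)
    return con


def escape_quotes(value):
    """The 'replace one single quote with two' defence from the thread."""
    return value.replace("'", "''")


def gallery_concat(con, varcatid):
    """VarCatID pasted into the SQL text. The parameter sits in a numeric
    context, so there are no quotes to double and escape_quotes() changes
    nothing: '29 OR 1=1' returns every row."""
    sql = "SELECT name FROM gallery WHERE catid = " + escape_quotes(varcatid)
    return [row[0] for row in con.execute(sql)]


def gallery_param(con, varcatid):
    """Same query with the value validated as an integer (the val() /
    cf_sql_integer advice) and passed as a bind parameter; the SQL text is
    constant and the engine never parses the value."""
    catid = int(varcatid)                  # ValueError on '29 OR 1=1'
    return [row[0] for row in con.execute(
        "SELECT name FROM gallery WHERE catid = ?", (catid,))]


def search_concat(con, name):
    """First APEX pattern: the value is spliced into the query before it is
    parsed. A lone quote breaks parsing (the ORA-00911 symptom) and a crafted
    value rewrites the WHERE clause."""
    sql = "SELECT name FROM gallery WHERE name LIKE '%" + name + "%'"
    return [row[0] for row in con.execute(sql)]


def search_param(con, name):
    """Second APEX pattern: the placeholder stays inside the SQL text and the
    value travels separately, so it may contain quotes without being parsed."""
    return [row[0] for row in con.execute(
        "SELECT name FROM gallery WHERE name LIKE '%' || ? || '%'", (name,))]


if __name__ == "__main__":
    con = make_db()
    print(gallery_concat(con, "29 OR 1=1"))   # every row: the escape did nothing
    print(search_param(con, "'"))             # ["O'Brien"]: the quote is just data
    try:
        search_concat(con, "'")
    except sqlite3.OperationalError as exc:
        print("concatenated query failed to parse:", exc)
```

    Quote-doubling did make the name search work for O'Brien, which is why it looks adequate in the thread; the numeric case shows where it silently fails, and the bound version handles both cases with one rule.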
