Howto escape special characters if using regexp_replace & regexp_substr

Similar Messages

• SQL Injections and XSS - Escaping Special Characters

  Hi, hope someone can help in regards to security and SQL Injections and XSS.
  We are using APEX 4.0.2 on Oracle 11.2.0.2.
  1. It seems the special characters we have entered into normal 'Text Items' 'Text Areas' etc are not being escaped (ie <,>,&, '). If I enter them into the field (ie Surname) they are saved as is into session state and the database - no escaping. Am I missing something such as an environment setting as I thought the "smart" oracle escaping rules would cater for this.
  Surely I don't have to manually do each of then.
  Just to confirm, am I looking in the correct places to assess if the characters are escaped or not - ie should they show as '&amp;&lt;&gt;' in session state and/or the database ?
  2. Also, for the Oracle procedures such as '‘wwv_flow.accept’ , ‘wwv_flow.show’ , 'wwv_flow_utilities.show_as_popup_calendar' - do these escape special characters. If not, then they must be vulnerable to SQL Injections attacks.
  Thx
  Nigel

  Recx Ltd wrote:
  Just to pitch in, escaping values internally (either in the database or session state) is extremely problematic. Data searches, string comparison, reporting and double escaping are all areas which suffer badly when you do this.
  Stripping characters on input can also cause problems if not considered within the context of the application. Names such as "O'Niel", statistical output such as "n < 300", fields containing deliberate HTML markup can be annoying to debug. In certain situations stripping is totally ineffective and may still lead to cross-site scripting.
  Apex applications that share the database with other applications will also be affected.
  The database should contain 'raw' unfettered data and output should be escaped properly, as Joel said, at render time. Either with Apex attributes or using PLSQL functions such as htf.escape_sc() as and when required.Do not needlessly resurrect old threads. After a couple of months watches expire and the original posters are not alerted to the presence of your follow-up.
  Shameless plug: If you are in the game of needing to produce secure Apex code, you should get in touch.This crosses the line into spam: it violates the OTN Terms of Use&mdash;see 6(j).
  Promotional posts like this are liable to be removed by the moderators.

• How to escape special characters in Simple Transformation

  Hi Experts,
  I have got a problem to get a well formed xml document from the below simple transformation. The content of maktx contains
  special characters like & <, which are not allowed in a well formed XML-Document. But the result of the Simple Transformation
  contains this charcters even after the transformation as you can the in the result below. Has anyone a hint how to escape the
  characters included in the maktx.
  The transformation for maktx, should be something like
  Before: Material & < TEST
  After: Material &amp &lt TEST
  Report wihich calls the simple transformation
  types:
  BEGIN OF t_mat,
     matnr type matnr,
     maktx type maktx,
  end of t_mat.
  Data:
    mat type t_mat,
    xml_stream type xstring.
  START-OF-SELECTION.
  mat-matnr = '4711'.
  mat-maktx = 'Material & < Test'.
  CALL TRANSFORMATION ztest_st2
          SOURCE mat = mat
          RESULT XML xml_stream.
  CALL FUNCTION 'DISPLAY_XML_STRING'
    EXPORTING xml_string = xml_stream.
  Simple Transformation
  <?sap.transform simple?>
  <tt:transform xmlns:tt="http://www.sap.com/transformation-templates">
    <tt:root name="MAT"/>
    <tt:template>
      <Leistungsschild>
          <CHARACT> MATNR </CHARACT>
          <CHARACT_DESCR> Materialnummer </CHARACT_DESCR>
          <VALUE tt:value-ref="MAT.MATNR"/>
          <CHARACT> MAKTX </CHARACT>
          <CHARACT_DESCR> Materialkurztext </CHARACT_DESCR>
          <VALUE tt:value-ref="MAT.MAKTX" />
      </Leistungsschild>
    </tt:template>
  </tt:transform>
  RESULT
  <?xml version="1.0" encoding="utf-8" ?>
  <Leistungsschild>
    <CHARACT>MATNR</CHARACT>
    <CHARACT_DESCR>Materialnummer</CHARACT_DESCR>
    <VALUE>4711</VALUE>
    <CHARACT>MAKTX</CHARACT>
    <CHARACT_DESCR>Materialkurztext</CHARACT_DESCR>
    <VALUE>Material & < Test</VALUE>   </Leistungsschild>

  Hi Sandra,
  First of all thaks for your quick answer to my problem.
  I see what you mean and get the same result, if I am using data-type string instead of xstring. But the recommendation in the XML-Books of SAP is to use XSTRING to save memory and circumflex problems between Codepages, when writing the XML-Stream to a filesystem.
  As you can see in the code abvoe I am using a SAP-FM to display the XML-Stream and this FM works only with XSTRING´s,
  that is one reason why I don´t understand that it displays it in the wrong way.
  Even the Debugger shows me for the XSTRING the wrong result. Does all that mean that the escaping will not be applyed if you are working with XSTING´s??

• Escape special characters in url for redirection

  In my web page, I want all the characters of the URL to be lower case. For that I created the following method:
  private bool UrlFormatoCorrecto(string url)
  bool formatoCorrecto = true;
  bool upperCa = url.Any(c => char.IsUpper(c));
  if (url.Any(c => char.IsUpper(c)))
  formatoCorrecto = false;
  if (url.Contains(" ") || url.Contains("+"))
  formatoCorrecto = false;
  return formatoCorrecto;
  This works like a charm until a special character appears. The url that I get then will be the following:
  http://localhost/web/coches/proven%C3%A7a-aribau,-08036-barcelona,-barcelona
  So I have upper case characters. When I redirect it using the following code:
  if (!UrlFormatoCorrecto(urlActual))
  Response.RedirectPermanent(urlActual.Replace(" ", "-").Replace("+", "-").ToLower());
  I get the code again with the same URL with upper case. How can I escape the special characters so they won't bother me anytime I want to make the redirection?

  hello,
  you could escape special caracters with :
  Regex.Escape Method
  Regards
  Cédric

• Strategies for escaping special characters.

  Hi all,
  Our app(built using Workshop) needs to have a generic way of scrubbing special
  characters that a user might enter in the UI,and which might cause our sql that
  queries the DB to become malformed. To explain further,some of our DB controls
  are not using PreparedStatements to set Strings..instead, we are constructing
  the sql as a java string like:
  String myQuery="Select * from * where TOUPPER(name) like"+param.ToUpperCase().
  and then we do:
  Statement stmt=conn.createStatement();
  stmt.executeQuery(myQuery).
  In such cases, Oracle JDBC driver does not escape any special chars in the String
  param,and fails.Other than converting all our queries to use PreparedStatements,
  is there a generic pattern/Util class(mebbe RequestUtils) or some way of using
  the Servlet Filter API to scrub out any special chars that are input by the user?
  Thanks in advance.
  Vik.

  ServletFilter is the way to go on this one. Don't think there is anything built
  into Servlet spec that handles these characters, however, there are a number of
  sample filters that do such a task. I think there is a sample in either the O'Reilly
  book on Servlets or Core Servlets.
  "Vik" <[email protected]> wrote:
  >
  Hi all,
  Our app(built using Workshop) needs to have a generic way of scrubbing
  special
  characters that a user might enter in the UI,and which might cause our
  sql that
  queries the DB to become malformed. To explain further,some of our DB
  controls
  are not using PreparedStatements to set Strings..instead, we are constructing
  the sql as a java string like:
  String myQuery="Select * from * where TOUPPER(name) like"+param.ToUpperCase().
  and then we do:
  Statement stmt=conn.createStatement();
  stmt.executeQuery(myQuery).
  In such cases, Oracle JDBC driver does not escape any special chars in
  the String
  param,and fails.Other than converting all our queries to use PreparedStatements,
  is there a generic pattern/Util class(mebbe RequestUtils) or some way
  of using
  the Servlet Filter API to scrub out any special chars that are input
  by the user?
  Thanks in advance.
  Vik.

• Escape special characters for OData response

  Hi all,
  I'm facing a problem on HTTP response when some special characters are in my entity fields.
  For example I've got a Edm.String field which has characters like ###, ", < (two number signs ## are ok, but three invoke an error)
  When I set output format to xml via URI parameter $format=xml, I get following error:
  <message xml:lang="en">In the context of Data Services an unknown internal server error occured</message>
  Exception /IWCOR/CX_DS_INTERNAL_ERROR in class /IWCOR/CL_DS_EP_WRITER_OUTPUT method /IWCOR/IF_DS_EP_WRITER_OUTPUT~WRITE and Line 39
  If I use JSON as output format, HTTP response code is 200!!, but payload just ends on the character which cannot be interpreted:
  (ABAP)-JSON generator can handle double quotes much better than XML format:
  How can I escape these output strings, without adding chars which will appear in response payload?
  Thanks,
  Steffen

  Hi Uwe & Ron,
  thanks for your ideas, but maybe we're not talking about binary data?! This field is an example from TADIR table.
  OData entity definition for this field:
  Versid
  Edm.String
  0
  0
  20
  ABAP field definition:
  Data Type        CHAR  -  Character String
  No. Characters       20
  Decimal Places        0
  Output Length        20
  Convers. Routine    <empty>
  Uwe did you mean another debugger view?
  SE16 output for this line:
  What if I want to store and receive data with these special chars like ####, ", <, >,... in a ABAP char field (respective OData Edm.String)?
  Thanks,
  Steffen

• Problem with Special characters(Russian) using DynamicConfiguration

  Hi,
  I have a mail-RFC scenario where I am using adapter-specific message attributes and DynamicConfiguration to retrieve mail subject.It works fine.
  We have a problem when the subject contains Russian special characters.In this case,whole mail subject gets converted into an irrelevant string.
  Can anyone please suggest how to handle special characters in DynamicConfiguration using ASMA .
  Thanks a lot for your help in advance.
  Regards,
  Shweta

  Your UDF could be something like this:
  String output = null;
  String strs[] = input.split("\\?");
  String charset = strs[1];
  String encoding = null;
  switch (strs[2].charAt(0)) {
       case 'Q' :
            encoding = "quoted-printable";
            break;
       case 'B' :
            encoding = "base64";
            break;
       default :
            break;
  String subject = strs[3];
  try {
       InputStream is = new ByteArrayInputStream(subject.getBytes());
       InputStream dis = MimeUtility.decode(is, encoding);
       ByteArrayOutputStream out = new ByteArrayOutputStream();
       byte[] b = new byte[4096];
       for (int n;(n = dis.read(b)) != -1;) {
            out.write(b, 0, n);
       output = out.toString(charset);
  } catch (Exception e) {
       //implement catch...
  return output;
  where input is the input string.
  For test purposes, use
  String input = "=?KOI8-R?B?Rnc6IDEwMjEwMTMwLzA1MTEwNi/wMDE3NDkzLw==?=";
  or
  String input = "=?utf-8?Q?Auftragsbest=C3=A4tigung?=";
  Regs,
  Henrique.

• Have a problem in Numbers with entering data directly into a cell when a table reaches a certain size and special characters are used?

  I am creating a list of words with special characters in some of them. I get to a point where I cannot enter data directly into the cell. I have to use the data entry bar at the top in the toolbar. Any solutions available?
  This is the table I am creating...
  From row 25 on, I am only able to enter data into the cell through the toolbar at the top and not directly into the cell itself. I believe that this problem originates from the special characters I have inserted in the previous records because if I do not use special characters, then the spreadsheet acts flawlessly. Have there been issues in Numbers with data entry, the size of a table, and using special characters?

  I would try removing the rows with "special" characters one at a time to see which one is causing the problem

• Urgent!!!!! escape special characters like -,& -

  Hi
  select prt_id from pr_prt where contains(prt_id,'04801\-')>0;
  The above query returns foll
  04801
  04801-04051
  I was expecting the result to be 04801-04051.
  does any one hv any idea abt this?
  This applies to all special characters if they are part of search string.
  regards
  priya
  null

  Interesting question...
  The API says...
  Quotation
  \      Nothing, but quotes the following character
  \Q      Nothing, but quotes all characters until \E
  \E      Nothing, but ends quoting started by \QTry it... and please could you post your code when you're done... I might find it useful... and maybe I can even polish it a bit.... quid pro quo.
  Cheers. Keith.

• Escaping special characters

  Environment:
  Client: win2k sp4, 10.2 client
  Server: 9.2 on solaris 9
  Is there any way to set an escape character?
  Many times we have '&' characters in strings in procedures, and when I try to compile them sqldeveloper prompts for a value thinking that it is a variable.
  I've tried the default '\', and 'set escape on' doesn't work either.
  Would be even better if there was an option in sqldeveloper to tell it to ignore the '&' character alltogether.
  Thanks.

  not really the answer I was looking for :(
  the devs would end up driving me nuts wondering what all the CHR stuff is in their code.
  i guess for now, i'll just keep using PLedit to compile all the procs that have any special chars.
  ...someday we'll have one tool that does everything ;)

• Escaping special characters in SECURITY_PRINCIPAL

  I am trying to connect to AD-LDAP with
  env.put(Context.SECURITY_PRINCIPAL, "CN=cn /18,CN=Users,DC=company,DC=com");
  As you can see I have a / character in my DN. I cannot get a context using this security_principal, I am always getting javax.naming.AuthenticationException. When my DN does not contain / or any special character everything works fine. I thought I had to maybe escape / so I tried
  env.put(Context.SECURITY_PRINCIPAL, "CN=cn \\/18,CN=Users,DC=company,DC=com");
  env.put(Context.SECURITY_PRINCIPAL, "CN=cn \\\\/18,CN=Users,DC=company,DC=com");
  env.put(Context.SECURITY_PRINCIPAL, "CN=cn \\\\\\/18,CN=Users,DC=company,DC=com");
  without any success.
  Thanks in advance,
  Nikola

  That did not seem to help. By the way, I was really looking for a more generic answer since for example I have the same problem when my SECURITY_PRINCIPAL DN includes /, \, or ' characters.

• How to escape special characters in a region title

  I have created a drill down report where the second report is filtered by a value chosen in the first report. I am using &Pn_field. syntax to pass the name of the select value to the region title of the second report. Some of the returned values have a ':' in them and therefore the text does not print after the ':'. How do I escape the ':' in the region title?
  regards
  Paul P

  Paul,
  I think your question is "How do I use f?p URL syntax to pass data values to a page where the data includes a colon?" (Please correct me if that's not the issue.) The answer is, you can't. Same with commas. HTML DB reserves those two characters for the f?p request syntax. You'll have to save the string into the item before the page branch. There is no restriction on what characters can be used in a region title, it's just HTML-formatted text, except that you must escape anything that looks like HTML unless you want the browser to treat it as HTML. There are restrictions, however, on what characters you can pass in URLs in general and you must take care to escape them properly, e.g., ?, &, whitespace.
  And do speak up if I've missed the point.
  Scott

• Dynamic Images in PDF and Escaping Special Characters

  I used the following to create my own PDFs with dymnamic images:
  http://marcsewtz.blogspot.com/2012_02_01_archive.html (Dynamic Images in PDF - What 32k Limit? )
  I have installed this application on Oracle's free workspace to test.
  The issue I am having is that when there is a special character in the description, such as <>'"& then the the PDF will not open. I have tried using the dmbs_xmlgen.convert to convert the description but haven't had any luck.
  I'm a complete novice with xml. Any help with this is greatly appreciated.
  Thanks,
  Glen

  I have been able to find a solution, but it's not completely perfect. I have changed the "description" field as follows:
  XMLCdata(replace(description,''&'',''and'')) description,
  The characters greater than (>), less than (<), single qoute('), and double quote (") can now all be in the description and will not cause errors. For some reason, I couldn't get the & not to give an error no matter what I tried, so I just replaced the & with the word "and". This solution will work for my needs, but it would be nice to be able to get the & to display.
  Does anyone know of a way to get the & to display correctly?
  Thanks again,
  Glen
  The complete code I am using is below:
  declare
  l_print_layout clob;
  l_xml_data clob;
  begin
  -- load print layout from database
  for c1 in (
  select layout from eba_pdfimg_layouts where id = :P1_LAYOUT
  ) loop
  l_print_layout := wwv_flow_utilities.blob_to_clob(c1.layout );
  end loop;
  -- generate XML data
  for c2 in (
  select dbms_xmlgen.getxml('
  select
  id,
  file_name,
  mime_type,
  XMLCdata(replace(description,''&'',''and'')) description,
  -- description,
  blob2clobase64(image,''Y'') image
  from eba_pdfimg_images
  ') xml_data from dual
  ) loop
  l_xml_data := c2.xml_data;
  end loop;
  -- download print document
  wwv_flow.g_page_text_generated := true;
  apex_util.download_print_document (
  p_file_name => 'image_demo',
  p_content_disposition => 'ATTACHMENT',
  p_report_data => l_xml_data ,
  p_report_layout => l_print_layout,
  p_report_layout_type => 'rtf',
  p_document_format => :P1_FORMAT
  end;

• Escaping special characters in hidden fields

  I am using a hidden field to pass values to the servlet. I am populating the hidden field from a bean. The hidden field can have any string value. My problem is that the value attribute on my hidden field is double quoted and if there is a double quote in the value of the String from my bean it messes my HTML up. Is there an easy workaround for this?
  e.g.
  <jsp:useBean id="myObject" scope="request" class="MyObject"/>
  <input type="hidden" name="myValue" value="<%=myObject.getValue()%>">
  If myObject.getValue() returns a string: 60" Mower this will mess my HTML up.
  Any suggestions?

  First off, Is the Pattern and Matcher specific to JDK 1.4.1? We are currently using 1.2.2? If this is a viable solution, is there a similar one in JDK 1.2.2?
  Also, I still don't think it's possible in HTML to escape characters that are values of attributes. Try running the following HTML code:
  <html>
  <head>
     <script language="JavaScript">
     function getHiddenValue(){
        alert(document.myForm.hiddenDescription.value);
     </script>
  </head>
  <body>
     <form name="myForm">
     <p>
        <input type="hidden" name="hiddenDescription" value="60\" Mower">
     </p>
     <p>
        <input type="button" onclick="getHiddenValue()" value="Hidden Field">
     </p>
     </form>
  </body>
  </html>

• Escaping special characters in RAW/BLOB

  Hi!
  I have a BLOB column that needs to be exported into a CSV Textfile. Sounds a bit scary but works fine when you escape the critical bytes.
  I need to do the following replacement:
  5C -> 5C 5C ( = \ )
  22 -> 5C 22 ( = " )
  00 -> 5C 30 ( = ?? )
  0A -> 5C 0A ( = LF )
  0D -> 5C 0D ( = CR )
  If I use the replace function on my raw string, I can replace the bytes representing characters or numbers without a problem. " and \ also works fine but the nonprintable ones don't work - I guess implicit type conversion to varchar is the cause.
  Anyway, I want to replace this stuff, but I couldn't find any native binary replace function. How can this be done? Do I have to write my own function? I fear byte by byte manipulation in PL/SQL on large data will not be very performing...
  Thanks, Mac

  so here's my function, feel free so use
  function get_raw_escaped (
  pv_data_source raw
  return raw
  is
  lv_data_escaped raw(32767) := null;
  lv_length          number;
  lv_offset          number;
  lv_chunk_bin     raw(100);
  lv_chunk_hex     varchar2(100);
  begin
       lv_length := utl_raw.length(pv_data_source);
       if lv_length = 0 then return null; end if;
       for lv_offset in 1..lv_length loop
            lv_chunk_bin := utl_raw.substr (pv_data_source, lv_offset, 1);
            lv_chunk_hex := rawtohex(lv_chunk_bin);
            CASE lv_chunk_hex
                 WHEN '00' THEN lv_chunk_hex := '5C30';
                 WHEN '0A' THEN lv_chunk_hex := '5C0A';
                 WHEN '0D' THEN lv_chunk_hex := '5C0D';
                 WHEN '22' THEN lv_chunk_hex := '5C22';
                 WHEN '5C' THEN lv_chunk_hex := '5C5C';
            ELSE null;
            END CASE;
            lv_chunk_bin := hextoraw(lv_chunk_hex);
            lv_data_escaped := utl_raw.concat(lv_data_escaped, lv_chunk_bin);
       end loop;
       return lv_data_escaped;
  end;