Is ADDT built to support anti-SQL injection?

I was wondering if I still have to use mysql_real_escape_string to help against SQL injection, or if ADDT is built with these anti-SQL-injection mechanisms.

Hi,
regardless of whether it's a native Dreamweaver form or one that's built with ADDT, it's actually Dreamweaver which takes care of that, as each and every form page has the following code inserted at the top:
if (!function_exists("GetSQLValueString")) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
{
  // undo magic_quotes first so the value is escaped exactly once
  $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
  $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);
  // quote or cast according to the column type the server behavior declared
  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}
}
Cheers,
Günter Schenk
Adobe Community Expert, Dreamweaver
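
Added example, not code from the thread or from Dreamweaver/ADDT: a Python port of the GetSQLValueString() type switch above, run against an in-memory SQLite table, to show what the wrapper does and does not buy you. SQLite has no backslash escaping, so SQL-standard quote doubling stands in for mysql_real_escape_string(), php_intval() imitates PHP's intval(), the magic_quotes step has no equivalent, the "double" type is left out, and the users table and its rows are constructed for the example. The same lookup is run three ways: raw concatenation (injectable), through the wrapper (the payload becomes a literal, the int cast keeps only the leading digits), and with a bound parameter, which needs no escaping at all. The wrapper only protects values that actually pass through it and land in a quoted or cast position; anything spliced in unquoted (an IN list, an ORDER BY column) is outside its reach.

```python
import re
import sqlite3

# Constructed sample data standing in for the site's MySQL table.
USERS = [(1, "alice", "alice@example.com"), (2, "bob", "bob@example.com")]


def connect():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return con


def php_intval(value):
    """PHP intval(): the leading integer prefix of the string, or 0 if there is none."""
    match = re.match(r"\s*[-+]?\d+", str(value))
    return int(match.group()) if match else 0


def get_sql_value_string(value, the_type, defined_value="", not_defined_value=""):
    """Port of Dreamweaver's GetSQLValueString() switch (text/date/int/long/defined).

    Quote doubling stands in for mysql_real_escape_string() because SQLite
    has no backslash escaping; the magic_quotes step has no equivalent here.
    """
    value = str(value).replace("'", "''")
    if the_type in ("text", "date"):
        return "'" + value + "'" if value != "" else "NULL"
    if the_type in ("long", "int"):
        return str(php_intval(value)) if value != "" else "NULL"
    if the_type == "defined":
        return defined_value if value != "" else not_defined_value
    raise ValueError("unsupported type: " + the_type)


def find_by_name_raw(con, name):
    """No wrapper at all: the classic injectable concatenation."""
    sql = "SELECT id FROM users WHERE name = '" + name + "' ORDER BY id"
    return [row[0] for row in con.execute(sql)]


def find_by_name_escaped(con, name):
    """What the server behavior generates for a text column."""
    sql = "SELECT id FROM users WHERE name = " + get_sql_value_string(name, "text") + " ORDER BY id"
    return [row[0] for row in con.execute(sql)]


def find_by_id_escaped(con, user_id):
    """For an int column the wrapper casts instead of quoting."""
    sql = "SELECT id FROM users WHERE id = " + get_sql_value_string(user_id, "int") + " ORDER BY id"
    return [row[0] for row in con.execute(sql)]


def find_by_name_bound(con, name):
    """Bound parameter: the value never reaches the SQL parser as code, so nothing needs escaping."""
    return [row[0] for row in con.execute("SELECT id FROM users WHERE name = ? ORDER BY id", (name,))]


if __name__ == "__main__":
    con = connect()
    payload = "' OR '1'='1"
    print(find_by_name_raw(con, payload))       # [1, 2]: the tautology matched every row
    print(find_by_name_escaped(con, payload))   # []: stored as a literal name, matches nothing
    print(find_by_id_escaped(con, "1 OR 1=1"))  # [1]: intval() keeps only the leading 1
    print(find_by_name_bound(con, payload))     # []
```

The escaped and bound variants give the same answer for these payloads; the difference is that the escaped one is correct only because every value went through the wrapper and landed inside quotes or a cast, which is a property you have to re-check every time a query is edited by hand.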

Similar Messages

  • SQL Injection concerns

    I have been studying SQL injection attacks and the mysql_real_escape function.
    I read the Adobe technote about SQL injection and it noted that Dreamweaver 8.0 incorporates anti-SQL injection code to prevent attacks and it specifically refers to Add, Delete, and Update; Filtered Recordsets, and Login User server behaviors. Can anyone please confirm this to put my mind at ease?
    The Search form and results page uses a filtered recordset, so can I presume that it is guarded from attack?
    Can you tell me of any areas that I need to add anti-SQL injection code myself?
    Thank you so much for your help!

    EviePhillips wrote:
    > The code on this second page (the one where the form posts to) ECHOs the form variables. Do I need to enter the mysql_real_escape_string around each of the ECHOed posted form variables?
    No, mysql_real_escape_string() is used only when inserting user input values into a database. You cannot use it without a database connection.
    However, you should pass the values to htmlentities() before displaying them in your page. You can do this by accessing the Format menu in the Dynamic Text dialog box. After using the Bindings panel to insert the value, switch to the Server Behaviors panel, and double-click the Dynamic Text entry to open the dialog box.
    > I am then going to use the ADD Record server behavior to add the data to my database from this page, which based on your counsel is fully protected from SQL injection.
    >
    > You are very kind for sharing your knowledge!
    > EP
    >
    David Powers, Adobe Community Expert
    Author, "The Essential Guide to Dreamweaver CS4", "PHP Solutions" & "PHP Object-Oriented Solutions"
    http://foundationphp.com/

  • Dreamweaver CS3 and sql injection....

    Any news if Dreamweaver CS3 will have the same "problems" brought on by the 8.0.2 update to Dreamweaver 8?
    Thanks!

    Excellent...glad to hear it and I look forward to getting CS3. I held off on 8 because of the so-called problems.
    "Murray *ACE*" <[email protected]> wrote in message news:[email protected]...
    > Yes, that's what I do. Honestly, I've not seen any problems there.
    >
    > --
    > Murray --- ICQ 71997575
    > Adobe Community Expert
    > (If you *MUST* email me, don't LAUGH when you do so!)
    > ==================
    > http://www.dreamweavermx-templates.com - Template Triage!
    > http://www.projectseven.com/go - DW FAQs, Tutorials & Resources
    > http://www.dwfaq.com - DW FAQs, Tutorials & Resources
    > http://www.macromedia.com/support/search/ - Macromedia (MM) Technotes
    > ==================
    >
    > "Pizza Good" <[email protected]> wrote in message news:[email protected]...
    >> I think it comes up more when you have a form and pass the values to a recordset which uses those values to query and filter a recordset.
    >>
    >> "Murray *ACE*" <[email protected]> wrote in message news:[email protected]...
    >>> I am processing form input, which I believe is where SQL injection comes in.
    >>>
    >>> "Pizza Good" <[email protected]> wrote in message news:[email protected]...
    >>>> That's good, or perhaps you are not building the types of sites that may encounter the so-called problems?
    >>>>
    >>>> "Murray *ACE*" <[email protected]> wrote in message news:[email protected]...
    >>>>> I have to say that I've used 8.0.2 with such things quite a bit and not encountered *any* of the posted problems.
    >>>>>
    >>>>> "Paul Whitham AdobeCommunityExpert" <[email protected]> wrote in message news:[email protected]...
    >>>>>> Using stored procedures is a good safeguard against SQL injection because you have to define your parameter types, in much the same way that the parameters in 8.0.2 worked.
    >>>>>>
    >>>>>> Yes, it did break a number of extensions because the underlying code was completely rewritten, but it is my understanding that most of these were subsequently patched to work with it.
    >>>>>>
    >>>>>> --
    >>>>>> Paul Whitham
    >>>>>> Certified Dreamweaver MX2004 Professional
    >>>>>> Adobe Community Expert - Dreamweaver
    >>>>>> Valleybiz Internet Design
    >>>>>> www.valleybiz.net
    >>>>>>
    >>>>>> "Pizza Good" <[email protected]> wrote in message news:[email protected]...
    >>>>>>> I think what he is referring to is the SQL injection "prevention" code that was introduced in the 8.0.2 update. I read a bunch of issues related to the way recordsets were coded and that a page that was coded, let's say in ASP using 8.0.1, that had used QueryString values that were passed into the recordset for filtering/searching no longer worked. I also read that 8.0.2 "broke" a lot of extensions because of the fix.
    >>>>>>>
    >>>>>>> I am still using MX2004, but I'm curious if the supposed problems that came up with 8.0.2 could be totally avoided if a programmer used Stored Procedures?
    >>>>>>>
    >>>>>>> Hopefully that makes sense.
    >>>>>>>
    >>>>>>> "Paul Whitham AdobeCommunityExpert" <[email protected]> wrote in message news:[email protected]...
    >>>>>>>> Most of the change that was made to the recordset in 8.0.2 was to eliminate SQL injections. What specifically are you referring to as an issue now?
    >>>>>>>>
    >>>>>>>> "Brendon" <[email protected]> wrote in message news:[email protected]...
    >>>>>>>>> Those that are beta testing it would know - if they were doing serverside/SQL related. It wouldn't be speculation at all - in fact it would be pretty straightforward to test.
    >>>>>>>>> I'd be very surprised if they haven't fixed the issue - in fact I thought it was fixed in the 8.0.2 update, but I could be wrong.
    >>>>>>>>>
    >>>>>>>>> Brendon
    >>>>>>>>>
    >>>>>>>>> "Deaf Web Designer" <[email protected]> wrote in message news:[email protected]...
    >>>>>>>>>> DW CS3 is not here as yet.
    >>>>>>>>>> Only time will tell once you have DW CS3 installed on your platform and find out if that is the case.
    >>>>>>>>>> At this point, it is all speculation without knowing the fact of the problem.
    >>>>>>>>>> Try to be a bit more patient until official release of product sometime this spring.

  • ADF and SQL-Injection?

    Hi
    As I understand it there is no protection at all!!! Do view parameters work as parameters in a JDBC prepared statement? I looked at examples and it looks like they are just replaced with a string as the parameter value to make a new string!!!
    Andrius

    Andrius,
    to my knowledge only prepared statements provide you some level of safety and even here I would recommend caution. The recommended approach for SQL Injection is to filter it either in a Servlet filter (which may be hard to do, but there is a library called mod_security by Ivan Ristic that is open source and can be configured for additional security). In addition you can add custom code to the BC code that sets the parameters for the parameterized query to check for SQL injection. This can be done with Regular Expressions:
    As an example:
    import java.util.regex.Matcher;
    import java.util.regex.Pattern;

    // reject input containing any of these SQL keywords as a whole word, case-insensitively
    Pattern p = Pattern.compile("(?i)\\b(create|insert|delete|drop|update)\\b");
    Matcher m = p.matcher(username);
    if (m.find()) {
        // reject the request
    }
    Note that the example doesn't check for all possible patterns
    Depending on your front end, additional checks can be provided. If e.g. in the future you build applications with JSF, you could create a RegEx Validator to filter SQL injections.
    Oracle ADF V2 comes with a declarative validator on the data binding level that supports Regular Expressions defined on the attribute level. This I think should provide you the level of security you will expect.
    Frank
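
Added example, not part of the reply above and not ADF or JDBC code: the keyword denylist from the reply, ported to Python and run beside a login lookup on an in-memory SQLite table, to show why a filter of this kind is a weak substitute for binding. The users table, its two rows and the plaintext passwords are constructed for the example only. A payload built purely from quotes and a comparison contains none of the listed keywords, so the filter passes it, and when the filtered value is still concatenated into the query it matches every account; the same value given to a bound parameter matches nothing. The filter also rejects a legitimate surname that happens to be a keyword.

```python
import re
import sqlite3

# The denylist from the reply above, with the alternation grouped so that \b
# applies to every keyword and not only to the first and last one.
SQL_KEYWORDS = re.compile(r"(?i)\b(create|insert|delete|drop|update)\b")

# Constructed sample rows. Plaintext passwords only to keep the example short;
# a real table stores password hashes.
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def looks_malicious(value):
    """True if the value contains one of the denylisted SQL keywords as a whole word."""
    return SQL_KEYWORDS.search(value) is not None


def connect():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return con


def login_filtered_concat(con, username, password):
    """Denylist check followed by string concatenation.

    Returns None when the filter rejects the input, otherwise the matching names.
    """
    if looks_malicious(username) or looks_malicious(password):
        return None
    sql = ("SELECT name FROM users WHERE name = '" + username
           + "' AND password = '" + password + "'")
    return sorted(row[0] for row in con.execute(sql))


def login_bound(con, username, password):
    """Bound parameters: the values are data to the parser whatever they contain."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in con.execute(sql, (username, password)))


if __name__ == "__main__":
    con = connect()
    payload = "' OR 'a'='a"  # no denylisted keyword anywhere in it
    print(looks_malicious(payload))                        # False: the filter lets it through
    print(login_filtered_concat(con, payload, payload))    # ['alice', 'bob']: every account matches
    print(login_filtered_concat(con, "Update Smith", "x")) # None: a legitimate surname is rejected
    print(login_bound(con, payload, payload))              # []
```

With the payload in both fields the concatenated WHERE clause reads name = '' OR 'a'='a' AND password = '' OR 'a'='a', which is true for every row; no keyword was needed, so no keyword list would have caught it.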

  • Report Builder 1.0 for SQL Server Reporting Services 2008 R2

    We are trying to implement Ad-Hoc Reporting using SSRS 2008 R2.
    First of all, it is very unhelpful that all SSRS books are for either 2008 or 2012, even though SSRS has major changes in 2008 R2 compared to 2008.
    Our instructional materials indicate that we should build Report Models to abstract out our databases into terms familiar to our business users.
    The problem we are having is the difference in functionality between Report Builder 1.0 and Report Builder 3.0. Report Builder 3.0 is touted as having the modern, ribbon based interface that is supposed to make end-users feel more comfortable. However, all the documentation says that end users are supposed to use Report Builder 1.0 for Ad-Hoc Reporting. And, it seems, that the reports generated by Report Builder 1.0 are not round-trip compatible with all the other reporting tools for SSRS 2008 R2.
    The documentation we have illustrates that Report Builder 1.0 is nice for Ad-Hoc reporting, because it is based on connecting directly to Report Models, and the end users can directly drag-and-drop entities and fields into their reports.
    When we try working with Report Builder 3.0, it seems we must first connect to the Report Model as a Data Source and then build a Dataset query on the Report Model. Only then are some entity attributes available to be dropped into the report.
    If the user decides another source column is needed, they have to go back, edit the query, save the query, and then drag the column from the Dataset to the report. This does not seem end user friendly at all!
    We are also concerned that if we train our users on the seemingly soon-to-be-obsolete Report Builder 1.0, and get them used to having direct Report Model access, that at some point we will have to move them to the Dataset-interrupted approach of Report Builder 2+. Highlighting this perception of impending obsolescence of Report Builder 1.0 is that in our shop that is starting with SSRS 2008 R2, we cannot figure out how to get a copy of Report Builder 1.0 in the first place.
    We just don't see our end users being savvy enough to handle the steps involved with creating Datasets on top of Report Model Data Sources. So we would have to build the Datasets for them. But in that case, what point is there in creating any Report Models in the first place if DBAs are the ones to make Datasets?
    As such, it is hard to envision a forward-looking SSRS implementation that has the end user ease-of-use Ad-Hoc reporting that the SSRS 2008 documentation presents.
    What is it that Microsoft actually wants/expects SSRS implementers to do?
    Dan Jameson
    Manager SQL Server DBA
    CureSearch for Children's Cancer
    http://www.CureSearch.org

    Hi Dan,
    Report Builder 1.0
    - Simple template-based reports
    - Requires report model
    - Supports only SQL Server, Oracle, and Analysis Services as data sources
    - Supports RDL 2005
    - Bundled in SSRS
    Report Builder 2.0 or later
    - Full-featured reports as the BIDS Report Designer
    - Doesn't require (but supports) report models
    - Supports any data source
    - Supports RDL 2008
    - Available as a separate web download
    In your scenario, you want to use Report Builder 1.0 in SQL Server Reporting Services 2008 R2; I am afraid this cannot be achieved. Report Builder 1.0 is available in the box in either SQL 2005 or SQL 2008. It is not available as a separate client app and is only available as a ClickOnce application.
    Thank you for your understanding.
    Regards,
    Charlie Liao
    TechNet Community Support

  • SQL Injection and variable substitutions

    Hello helpful forum, I'm trying to understand what really goes on "behind" the scenes with the variable substitutions in order to protect from SQL injections.
    I'm using apex 3.0.0.00.20
    The trickiest component seems to be a Report of type "pl/sql returning sql", since multiple dynamic SQL interpretations are done there.
    Consider the following innocent looking disaster:
      DECLARE
      l_out VARCHAR2(2000);
      BEGIN
      l_out := 'select * from test_injection t where t.name like ''%' || :NAME || '%''';
      RETURN l_out;
      END;
    If NAME is a single quote the report will return:
      failed to parse SQL query: ORA-00911: invalid character
    which hints to the fact that NAME is not escaped, and you are in fact able to access db functions as in: '||lower('S')||'
    I also tried to put there a function that runs in an autonomous transaction to log its calls, and I see that it's called five times for each request.
    Consider now the similar solution (notice the two single quotes):
      DECLARE
      l_out VARCHAR2(2000);
      BEGIN
      l_out := 'select * from test_injection t where t.name like ''%'' || :NAME || ''%''';
      RETURN l_out;
      END;
    With this second example nothing of the above is possible.
    So my theory (please confirm it or refute it) is that there is a first variable substitution done at the pl/sql level (and in the second case :NAME is just a string so nothing is substituted). Then the dynamic SQL is executed and it returns the following string:
      select * from test_injection t where t.name like '%' || :NAME || '%'
    Now another substitution is done (at an "APEX" level) and then the query is finally executed to return the rows to the report.
    The tricky point seems to be that the first substitution doesn't escape the variable (hence the error with the single quote), while the second substitution does.
    Please let me know if this makes sense and what are the proper guidelines to avoid SQL injection with the different kinds of reports and components (SQL, pl/sql returning sql, processes, ...)
    Thanks

    Giovanni,
    You should build report regions like this using the second method so that all bind variables (colon followed by name) appear in the resultant varchar2 variable, l_out in your example, which will then be parsed as the report query. This addresses not only the SQL injection problem but the shared-pool friendliness problem.
    Scott

  • SQL injection protection help

    In trying to help another user, I was reminded of a problem I face often. Trying to create a DW recordset using an IN clause (I think this got broken in the 8.0.2 update and seems to still be broken in CS3).
    I create a string held in a variable like this:
    $ids = (1,5,9,23,6)
    My advanced recordset is this:
    SELECT * FROM tbl WHERE id IN varIds
    Then I set the variable parameters to type=text, default=(-1), and runtime to $ids.
    The generated SQL doesn't work because DW puts single quotes around my variable and the SQL query becomes invalid. DW creates this:
    SELECT * FROM tbl WHERE id IN '(1,5,9,23,6)'
    It should be:
    SELECT * FROM tbl WHERE id IN (1,5,9,23,6)
    So, I edited the SWITCH block at the top of the document to include a "custom" type, which is the same as the TEXT type but without the single quotes.
    case "custom":
    $theValue = ($theValue != "") ? $theValue : "NULL";
    break;
    Then in my SQL statement, I manually changed "text" to "custom".
    This works fine, but does that open me up to SQL injection or other bad stuff?
    Alec Fehl, MCSE, A+, ACE, ACI
    Adobe Community Expert
    AUTHOR:
    Microsoft Office 2007 PowerPoint: Comprehensive Course (Labyrinth Publications)
    Welcome to Web Design and HTML (Labyrinth Publications)
    CO-AUTHOR:
    Microsoft Office 2007: Essentials (Labyrinth Publications)
    Computer Concepts and Vista (Labyrinth Publications)
    Mike Meyers' A+ Guide to Managing and Troubleshooting PCs (McGraw-Hill)
    Internet Systems and Applications (EMC Paradigm)

    It looks like you're using PHP ... to protect from SQL injections I always do this:
    $query = "SELECT * FROM tbl WHERE col='%s' AND col2 IN (%d,%d)";
    $query = sprintf($query,"val",34,23);
    $result = mysql_query($query);
    This method ensures that if a user puts "DELETE FROM tbl" in an input field, it will not cause any deletions; instead the words 'DELETE FROM tbl' will be inserted. Check out sprintf in the PHP manual - good stuff!
    One thing to remember about SQL injection: the injected SQL has to be entered somehow by the end-user (usually with a form); I may be wrong, but this SQL statement looks like it is contained entirely within your scripts (i.e. it isn't getting a user-generated value to build any part of the SQL statement). Again, I'm guessing here - but it looks that way.
    Alex

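Added example for the IN-clause question above, not code from either post: Python with sqlite3 stands in for the PHP/MySQL page, and the tbl rows are constructed. It shows what the "custom" type does when the list does not come from your own script but from the request: the value reaches the parser unquoted and unescaped, so a closing parenthesis followed by more SQL becomes part of the query. The safe form parses the list with an allow-list (every element must be an integer literal), then builds one ? placeholder per element and binds the values. On the sprintf suggestion in the reply: %d does coerce its argument to an integer, which is fine for the IN list, but %s performs no escaping, so it gives no protection for the text placeholder.

```python
import re
import sqlite3

# Constructed sample rows for the tbl in the thread.
TBL = [(1, "a"), (5, "b"), (9, "c"), (23, "d"), (42, "e")]

# An id is an optional minus sign and digits, nothing else (the thread's default is (-1)).
ID_RE = re.compile(r"-?\d+\Z")


def connect():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tbl (id INTEGER, label TEXT)")
    con.executemany("INSERT INTO tbl VALUES (?, ?)", TBL)
    return con


def select_in_custom(con, id_list_text):
    """The thread's 'custom' type: the value is spliced into the SQL unquoted and unescaped."""
    sql = "SELECT id FROM tbl WHERE id IN " + id_list_text + " ORDER BY id"
    return sorted(row[0] for row in con.execute(sql))


def parse_id_list(id_list_text):
    """Allow-list parser for '(1,5,9)': rejects anything that is not a list of integer literals."""
    text = id_list_text.strip()
    if not (text.startswith("(") and text.endswith(")")):
        raise ValueError("expected a parenthesised list: %r" % id_list_text)
    parts = [p.strip() for p in text[1:-1].split(",")]
    bad = [p for p in parts if not ID_RE.match(p)]
    if bad:
        raise ValueError("non-integer id(s): %r" % bad)
    return [int(p) for p in parts]


def select_in_bound(con, ids):
    """One ? per id: the list length is decided by code, the values are bound as data."""
    if not ids:
        return []
    placeholders = ",".join("?" * len(ids))
    sql = "SELECT id FROM tbl WHERE id IN (%s) ORDER BY id" % placeholders
    return [row[0] for row in con.execute(sql, ids)]


if __name__ == "__main__":
    con = connect()
    print(select_in_custom(con, "(1,5,9)"))          # [1, 5, 9]: works, which is why it looks fine
    print(select_in_custom(con, "(1) OR 1=1 --"))    # [1, 5, 9, 23, 42]: the list closed early
    print(select_in_bound(con, parse_id_list("(1,5,9)")))  # [1, 5, 9]
    try:
        parse_id_list("(1) OR 1=1 --")
    except ValueError as exc:
        print("rejected:", exc)
```

The "custom" type is only safe while the list is built entirely by your own code, which is the assumption the reply above makes; the moment a query-string or form value feeds it, the parser version is the one to use.
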
  • SQL Injection Ver 2

    Hello
    I've just installed HTMLDB ver 2 into a new install of 10.2.0.1.0 (taken off OTN) and wanted to have a look at generating the reports mentioned in the documentation using SQL Injection. When I click on SQL Injection I get the following message:
    "SQL Injection analysis is not supported with your current database release version. It is only available for Oracle release 10.2 or higher"
    Do I need to switch something else on for HTMLDB to recognise the version of the database?
    Any help greatly appreciated
    Regards
    Pync

    Pync,
    I'm afraid the message is a bit misleading. The packages required from Oracle (in addition to a 10.2 database) have not been distributed yet. See also our release notes on this topic:
    http://download-west.oracle.com/docs/cd/B19306_01/relnotes.102/b16374/toc.htm#CCHJAGDJ
    Sergio

  • SQL Injection analysis report does not work.

    I have tried to run the SQL Injection report (Home|Utilities|Object Reports Security|SQL Injection) but it comes up with the following message.
    "SQL Injection analysis is not supported with your current database version. It is only available for Oracle release 10.2 or higher."
    I have tried this as both an ordinary user and as system, on both Windows XP and Linux

    This is a bug in the XE Beta. The SQL Injection Analysis will not be accessible for XE production.
    Joel

  • Sql Injection- Security

    I have an urgent requirement that has to be implemented with regard to SQL injection.
    My application went through a security scanning process and a few security threats with regard to SQL injection were found. We need your valuable support and guidelines to proceed further.
    Project Details: Windows application, VS2008
    Database: SQL Server 2008.
    Listed below are the issue types and their details:
    Threat 1: During connection initialization
    SqlConnection connection = new SqlConnection(connectionString);
    At this line there is a chance of a security threat. We are getting the connection string parameter from web.config as below:
    private static readonly string connectionString = ConfigurationManager.AppSettings["ConnectionString"];
    Flaw Information
    Type: Untrusted Initialization
    Issue: External Control of System or Configuration Setting
    Attack Vector: system_data_dll.System.Data.SqlClient.SqlConnection.!newinit_0_1
    Function: int ExecuteNonQuery(string, System.Data.CommandType, string, System.Data.SqlClient.SqlParameter[])
    Threat 2:
    Type: SQL Injection
    Issue: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Attack Vector: system_data_dll.System.Data.IDbCommand.ExecuteNonQuery
    Function: int FetchSPExecutedReturnValue(string, System.Collections.IDictionary)
    Threat Line:
    1. command.ExecuteNonQuery();
    There are a few more similar threats, same as above. The threat lines pointed out:
    2. dataReader = command.ExecuteReader();
    3. adapter.Fill(ds);
    4. dataReader = cmd.ExecuteReader(CommandBehavior.CloseConnection);
    I have a doubt: are the above lines of code safe from SQL injection? If not, how can an attacker attack?
    One more thing: we are not at all passing any hard-coded queries to the DB. All the inputs are passed as parameters.
    I am not sure what kind of threat there is with this (ExecuteNonQuery(), Fill(dataset) and connection initialization) and how to defend against malicious code/vulnerabilities.
    Please help me out..... I will be waiting for your valuable support.
    Thanks,
    Purushotham. A

    Thanks for your quick reply....
    We are not passing a hard-coded connection string value. We are getting it from Web.config.
    SqlConnection connection = new SqlConnection(connectionString);
    private static readonly string connectionString = ConfigurationManager.AppSettings["ConnectionString"];
    When we pass on the connection string value as such, is there any chance of a threat from attackers?
    Thanks,
    purushotham.A

  • Dinamic Query SQL injection

    I would like to do a dynamic query. I don't know the number of columns, the table, and things like that. I'm worried about SQL injection; how can I avoid it?
    For example,
    select column1,column2,....
    from tabla
    where column1=columna2 and...
    I know the format i must build it with Java.

    PreparedStatement can avoid most of the standard SQL injection attacks. However, you should not allow a client to request arbitrary SQL statements to be executed unless you have some serious security in your network and are behind a very good firewall.
    - Saish

  • SAP ABAP Secure Coding. Protection against SQL Injection

    Dear community,
    I've recently detected a problem with dynamic SQL queries. It seems to be security relevant. I'd much appreciate it if you would participate in my online survey on this topic at: http://de.surveymonkey.com/s/VC9CBVM It takes less than 1 min. It is very important to understand whether it is necessary to protect the coding against SQL injection, or whether you can say from your experience that it isn't.
    Thanks a lot!
    Moderator Message: if you need poll support from SCN, then there is an area http://scn.sap.com/poll-post!input.jspa?container=2015&containerType=14 to create one. Please use it and avoid external links.
    Message was edited by: Kesavadas Thekkillath


  • Does Report Builder 6i support Spatial Functions

    Does Report Builder 6i support spatial functions? I would like to use the following query in a report:
    SELECT id, rseq
    FROM gps a, user_sdo_geom_metadata m
    WHERE m.table_name = 'GPS'
    and mdsys.sdo_lrs.is_geom_segment_defined (a.geom, m.diminfo) = 'FALSE' and a.id like '01%'
    It does not recognize the spatial LRS function. This query does not return geometries but rather will only return tabular information.
    Thanks
    Dave

    Hello,
    Your colleague is right. Even if the SQL query is executed by the DB server, Reports needs to parse the SQL query.
    The SQL parser included in Reports 6i is based on 8.0.6
    You can see this version in the Reports Builder help :
    Menu : Help -> About Reports Builder ...
    ORACLE Server Release 8.0.6.0.0
    Regards

  • Vulnerabilities reported in sharepoint 2010 from IBM App Scan - Blind SQL Injection

    Hi - We have been reported the following vulnerabilities in SharePoint 2010 by the IBM App Scan tool. We have verified that all latest security patches are installed on the server. The SharePoint implementation is only out-of-the-box. We have installed the product and created a site collection with Windows authentication - without any customization. Can someone please let us know what security patch is required - or any other fix applicable?
    Authentication Bypass Using SQL Injection
    Blind SQL Injection
    HTTP PUT Method Site Defacement

    Hi,
    Please understand we have no sufficient resource and information to analyze the result from a third party tool. I searched on the Internet and found a related article; please refer to the 9th tip. I'd suggest you contact their support engineer for more professional assistance.
    http://www-01.ibm.com/support/docview.wss?uid=swg21301935
    In addition, here is an article on best practices in SharePoint 2013; there are also some tools recommended by Microsoft. For your reference:
    http://social.technet.microsoft.com/wiki/contents/articles/12438.sharepoint-2013-best-practices.aspx
    Regards,
    Rebecca Tu
    TechNet Community Support

  • Change Build Status From PL/SQL

    Apex 3.2
    Please see my previous thread
    Change Build Status From PL/SQL
    We tried this code
    CREATE OR REPLACE procedure APEX_030200.pr_sup_unfreeze_apex
    as
    begin
      -- every application in the instance, with the workspace it belongs to
      for l_app in (select id
                          ,security_group_id
                    from APEX_030200.wwv_flows)
      loop
        -- the API requires the workspace context to be set before each call
        wwv_flow_api.set_security_group_id(l_app.security_group_id);
        wwv_flow_api.set_flow_status (p_flow_id     => l_app.id
                                     ,p_flow_status => 'AVAILABLE');
      end loop;
      commit;
    exception when others then
      dbms_output.put_line (sqlcode);
      dbms_output.put_line (substr(sqlerrm,1,250));
      dbms_output.put_line (substr(sqlerrm,250,250));
      rollback;
      raise;
    end;
    but received error
    BEGIN APEX_030200.pr_sup_freeze_apex; END;
    Error at line 1
    ORA-20001: Package variable g_security_group_id must be set.
    ORA-06512: at "APEX_030200.PR_SUP_FREEZE_APEX", line 51
    ORA-06512: at line 1
    Any ideas ?
    If I just run
    select id,security_group_id
    from APEX_030200.wwv_flows
    ID SECURITY_GROUP_ID
    4000 10
    4050 10
    4155 10
    4300 10
    4350 10
    4400 10
    4411 10
    4500 10
    4550 10
    4700 10
    125 1.07701203277056E15
    1000 1.08971536719791E15
    1010 1.08971536719791E15
    114 1.41432144152464E15
    123 1.43440509319107E15
    160 2.25192481868561E15
    190 2.41432896355852E15
    100 3.93632559648557E15
    103 3.93632559648557E15
    130 5.9543257997941E15
    140 5.95501879180405E15
    Edited by: Gus C on Nov 8, 2012 5:43 AM
    Edited by: Gus C on Nov 8, 2012 5:50 AM

    Hi Gus,
    as Rod already mentioned, wwv_flow_api.set_flow_status would be the way to go. It's not an officially documented or supported API but it will do what you want. Just be prepared that it might be removed in the future. The API is defined as follows:
    procedure set_flow_status (
        p_flow_id                   in number,
        p_flow_status               in varchar2,
        p_flow_status_message       in varchar2 default null,
        p_restrict_to_user_list     in varchar2 default null )
    Example code to make all applications unavailable (has to be executed as APEX_040200).
    begin
        for l_app in ( select id,
                              security_group_id
                         from wwv_flows )
        loop
            wwv_flow_api.set_security_group_id(l_app.security_group_id);
            wwv_flow_api.set_flow_status (
                p_flow_id     => l_app.id,
                p_flow_status => 'UNAVAILABLE' );
        end loop;
        commit;
    end;
    Regards
    Patrick
    My Blog: http://www.inside-oracle-apex.com
    APEX Plug-Ins: http://apex.oracle.com/plugins
    Twitter: http://www.twitter.com/patrickwolf
