Mitigating SQL injection when forced to use substitution variables

Similar Messages

• Using Substitution Variable in Web forms

  Hi,
  I'm trying to use substitution variable in a planning web form &CurYr in the Column, after creating the form when I save it and try to open the form it says the substitution variable required for this calculation is undefined .Variable : &CurYr.It should be defined as I'm able to see it and select it for the column/row. Any kind of help is appreciated.
  Thanks
  Vinil

  You usually get this error message if you are trying to assign a value from a sub var to a member that does not exist.
  e.g. trying to put FY08 which is a year member against a period dimension
  or trying to use a sub var of FY09 which does not yet exist in the essbase, so say you added a new year in planning FY09 and used the sub var in the form but have not refreshed the database then it would fail because the year would not have been pushed down to essbase yet.
  or the value of the subvar does not match a member name exactly
  or using a sub var name that does not exist in essbase, e.g. using &nextYear but the sub var has not been created in essbase.
  You can definitely use subsitution variables in columns in the version you are using and prior version.
  Cheers
  John
  http://john-goodwin.blogspot.com/

• How can i use substitution variable

  Hai All
  This is my sql statement
  SELECT (TO_DATE(TO_CHAR(Intime,'DD-MON-YYYY')||' '||
  TO_CHAR(0815,'0000'),'DD-MON-YYYY HH24:MI')-intime) * 24*60
  from dail_att where to_char(intime,'hh24mi') between 0700 and 0815 ;
  Here my table name called Dailyattendance
  Intime field is declared as Date Type
  So now i have hardcoded 0815 and now my intime is subtracted from this time so i can calculate the employee
  coming late so how can i use substitution variable here to give the value at run time
  Ie i need to give 0815 instead or any other time at runtime
  Thanks In advance
  Srikkanth.M

  Where exactly are you planing to use it? Is sqlplus or at any other front end?
  One way is to use below given SQL
  SELECT   (  TO_DATE (   TO_CHAR (intime, 'DD-MON-YYYY')
                       || ' '
                       || TO_CHAR (:TIME_VAR, '0000'),
                       'DD-MON-YYYY HH24:MI'
            - intime
         * 24
         * 60
    FROM dail_att
  WHERE TO_CHAR (intime, 'hh24mi') BETWEEN 0700 AND 0815;*009*
  Edited by: 009 on Apr 6, 2010 2:15 AM

• Can we use Substitution variables in MAXL?

  Hi,
  Can we use substitution variables in MAXL script?
  I have to run this MAXL command for clearing a slice of ASO cube on V11.1.1.3.
  alter database Apname.DBname clear data in region 'CrossJoin({[2009]},{[Dec]})';
  I am planning to use Current_year & Current_month variables instead of hardcoding 2009 & Dec as I have to use this everymonth to clear the current months data.
  If it is allowed, what is the syntax?
  Is there any alternative apart from substitution variables?
  Appreciate your thoughts.
  Thanks,
  -Ethan.

  You would just use ampersand and the variable name instead of the hard coding e.g. &yearVar &periodVar.
  Not tried it on aso clears but in theory it should work as ...'CrossJoin({&yearVar},{&periodVar})';
  just change yearVar and periodVar for your substitution variable names.
  Cheers
  John
  http://john-goodwin.blogspot.com/

• Conditional suppression using substitution variable in Hyperion financial r

  Hi all,
  Is there a way that I can suppress a column using substitution variable in hyperion financial reporting?
  For eg, i want to suppress the column if the value of the substitution variable curr_mnth = jun.
  Is there a way to do this? In conditional suprression dialog box, I dont find this option.
  Please suggest.
  Your response is appreciated.
  Thanks,
  Sirisha.

  Hi Sirisha
  In my earlier reply I think I may have mislead you as I thought that you could set the member name equal to that in a row/column and I've managed to get into a HFR studio session this morning and realised that the conditional suppression only allows you to suppress where member name = 'XXX' (specific text) so that doesn;t meet your requirement.
  Different people will have different ways of achieving what you want and everyones requirements are different. If it helps my preferred way of conditionally suppressing periodic data (for Planning/Essbase) is to add a dynamic calc account member called 'TP-Index' into the database, set up a formula so that each period returns a numeric value from 1 to 12 to match the fiscal/calendar year as required.
  Then in reporting bring the account and period dimensions into rows/columns so that you are able to retrieve data for the TP-Index account and the period as defined in your substitution variable. You can then choose how the suppression works based on a numeric value, commonly you may want to suppress if greater than, e.g. you have a multi-period report where your actual data is to June so you want to suppress everything from July onwards.
  I'm sure that a similar thing could be achieved in HFM as well if that is your underlying system instead of Essbase.
  Does that help?
  Stuart

• How to use substitution variables in Microsoft Word using Hyperion Smart view

  Can we use Substitution Variables in copy data points and refresh in Microsoft Word? I tried it and it does not work dynamically (copy data points only copies what was in excel cell at that point). It only copies the static value of that variable from that cell. I want to use it dynamically in Word so that if I change the value of that variable in Essbase, it is updated in Word upon refresh. Any idea??
  We need this feature for reporting in microsoft word and keep using the data points every year (instead of copying the cells from excel over again)
  Any help/suggestion is appreciated.
  Thanks

  you can't use substitution variables with copy data points. I had tried a while ago (post 111.1.2.1.102) and it wouldn't work.  I checked with Oracle development and they said it I not available

• When should I use static variable and when should not? Java essential

  When should I use static variable and when should not? Java essential

  Static => same value for all instances of the class.
  Non-static => each instance can have its own value.
  Which you need in which circumstances is completely up to you.

• SQL Injection when using Search by Example on a View Object

  It seems that the SQL queries generated by "Search by Example" pattern (When you drop a view object as a Search Form) are not using bind parameters, and will be vulnerable to SQL injection attacks. This pattern is very handy and could be very useful to create search pages. Is there a way to avoid SQL Injection and still use this feature in ADF?
  Chandresh

  Hi,
  from a training slide developed by Duncan Mills:
  When the user is in Find mode and enters some information, he or she is constructing a ViewCriteria row. Each attribute in the View object exists in this row and any values that the user enters into the fields are mapped into these attributes.
  In most circumstances, you will only ever have one criteria row, although the developer can allow multiple rows if the Create operation is called during Find mode.
  To parse the entered query values, you need to look at each row, and then at each attribute. Calling getAttribute() returns the value the user entered (if any) for that field. You can then pass that string to a filter routine (shown in the next slide), which inspects this value for errors.
  The filter routine can then change the example value if required and reset the criteria.
  import java.util.regex.Matcher;
  import java.util.regex.Pattern;
  protected String detectInjection(String criteria) {
    boolean reject = false;
    String testPattern =       "^(>=|<=|=<|=>|<|>|<>|!=|=|BETWEEN|IN|LIKE|IS)";
    String testCriteria = criteria.trim().toUpperCase();
      if (testCriteria != null && testCriteria.length() > 0) {
        Pattern pattern = Pattern.compile(testPattern);
        Matcher matcher = pattern.matcher(testCriteria);
        if (matcher.find())
          reject = true;
      return reject?null:criteria;
    }Frank

• Using substitution variable in sql -- Issue

  Hello All
  I am trying to do a sql operation from command prompt of my system and that sql requires substitution variable which i am passing it but when i pass the variable ( there are two) the first one assign as " \c" and second gets both what i am passing.
  I am not sure what exactly happening here, i have done this on AIX but here its not working any ideas?
  System : uname -a
  Linux ## 2.6.18-128.1.1.el5 #1 SMP Mon Jan 26 13:58:24 EST 2009 x86_64 x86_64 x86_64 GNU/Linux

  AIX and Linux are not the same. An output of "\c" may indicate a compatibility issue of your shell script with your current command line interpreter (shell). A \c can be used to suppress a newline with the echo command. Bash understands both formats echo -n and echo \c, but other shells like Ksh don't. Try to run your script under a Bash, which is the default under Linux. If the problem persists you will need to post your script for any further analysis.

• How do I stop Firefox from thinking it crashed and doing a recovery when forced to use Windows Task manager to close a bad URL that I never want to go back to?

  Long question, I know :~) There are web sites that I may visit that will not allow me to exit the site, so I use Alt-Ctrl-Del in Windows to start the Task Manager and force the site to close by ending the program. The new version of Firefox (31.0) thinks that Firefox crashed and send me right back to the source of my problem.
  Your documentation for this process is as follows:
  After a crash
  Due to unexpected issues such as problems with a website, software errors, or an accidental loss of power, Firefox may unexpectedly close. In these situations, Firefox can restore the pages that you were visiting when it is restarted. Firefox will automatically restore your previous session, the first time you launch it after a crash.
  If Firefox crashes a second time, the Restore Session (i.e. "Well, this is embarrassing") page will appear when you next launch Firefox.
  ...and this is what I found trying to stop this process. Next, when I am forced to use Task Manager to close Firefox a second time to stop a badware site, then the 'Well this is embarrassing' dialog appears and I am finally safely away from the URL.
  I do not want Firefox automatically sending me back to a problem site.
  Thank you for any procedure you can suggest to stop Firefox from restoring problem web pages, Art Clapton

  I am unwilling to attempt navigation away from these sites. The pop-ups that occur on the attempt to leave a site or to close the browser are exit traps offering incentive to stay.
  Once upon a time, when the internet was less dangerous, I would be willing to close the exit pop-ups. Now, after twice being infected with malware trying to close the pop-ups, I now force close whichever browser I am using.
  Recently, I clicked on the red X to close one pop-up, and it installed a trojan that I had to pay to be removed. When I clicked on 'Leave' in another exit pop, it didn't exit and it turned out I was giving permission to run a script file. Now that criminals have learned these exit pop-ups can be used to force a click action, the sites using them have become dangerous.
  If I force the browser to close using Task manager, Please tell me how to stop FireFox from sending me directly back to the same site because it mistakenly believes it crashed when it did not. I forced it to close because I was on a site that had taken control of my browser and was not allowing me to leave the site.
  No other browser sends me back to the potentially dangerous sites. I prefer Firefox, but the new version must have a setting that allows me to get safely away from a problem site?

• How to use substitution variable in sql

  Hai All
  I have two tables Rgpmain and Rgpitem the fields are
  Rgpmain
  unitid,periodid, docno, vendcode ,vendname, part_taken_by and .....
  Rgpitem
  unitid, periodid, docno, partno, partname .... And i need to give some values in runtime using sub variable
  i need to to four values in sub function and i will give one value and i need the result of one variable
  The qurey will like this
  Select * from rgpmain m, rgpitem i where unitid=1 and periodid=14 and m.unitid=i. unitid and m.periodid= i.periodid and m.docno = i.docno and vendcode ='&p_vendcode'
  Or
  m.unitid=i. unitid and m.periodid= i.periodid and m.docno = i.docno and vendname like '&p_vendname%'
  Or
  m.unitid=i. unitid and m.periodid= i.periodid and m.docno = i.docno and partname like '&p_partname%'
  or
  m.unitid=i. unitid and m.periodid= i.periodid and m.docno = i.docno and partno ='&p_partno'
  This is my query
  And while i am executing there are four options showing to enter..
  My need is i need enter only one field Ie vendcode and execute the vendcode like ABC01 then i need the only
  the result that belong to vendcode ABC01 but my query giving all the rows
  Pls tell me what is wrong with my query
  Thanks In Advance
  Srikkanth.M

  Hai
  Thanks Man i under stood that nv2 if 1 col is null then it will return 2 col or els 1 col but i working with large
  database and i need four or five column using sub. Pls tell whats went wrong with my query when i am executing
  one by one at the first time its works fine but next time it returns 1000 rows. pls tell me how to use four or five columns
  Regards
  srikkanth.M

• How to use substitution variable in case of dim build

  Hi all,
  Lets say I have 3 sub vars - Prevmonth, prevmonth-1, prevmonth-2. These will change every quarter.
  I want to build a cube which will have which will have only the above 3 months in the Fiscal dimension. This will be used once at the end of quarter.
  How do I refer substitution variables in case of dim build rule files? I want automate the process. We have SQL dim build for other dims, only this dim can be built from flat file also.
  Or is there any other way to achieve this apart from using sub vars? I can try store the 3 variables in a table and then use them to build the cube, but want to see if we can avoid creating one more interface.
  Thanks.

  Actually using the values of subvars to build a dimension (which I believe is what you want) is a fun problem.  Here's an (Oracle) example that would do that, without requiring any additional table or flat file:
      SELECT 'FiscalPeriod' AS Parent,
             CASE Level
                WHEN 1 THEN '&CurrMonth'
                WHEN 2 THEN '&PrevMonth'
                WHEN 3 THEN '&PrevMonthMinusOne'
             END AS Child
        FROM Dual
  CONNECT BY Level <= 3
  Here's how it looks in the load rule SQL dialog, and the data prep editor:
  It's fun because I've never thought about it before, but I don't actually recommend this - if you have other ETL going on in SQL I'd generate the values in a table / view there, and have a script that both updates the subvars and builds the dimension direct from that.

• Problems using substitution variable in Web Analysis

  Dear all,
  I have a Web Analysis report that I need to show a raking table with the current month.
  For that I create a variable in Essbase that is updated with that date (E.g.: varCurrentMonth).
  After that I use it as my substitution variable to filter my date dimension in a report data source (E.g.: Scr5, row: product, column: date dimension & measure):
  2008 (current month)
  Product $ qty.
  AAA 100 10
  BBB 90 7
  CCC 80 5
  The problem is that in our cube we need to use an alias in every dimension not to have duplicate members (E.g.: DT.Date, MS.Measure, PD.Product, etc). And when we use it we need to set up the variable in Essbase using that alias (E.g.: DT.Feb/05/08). And if we use that variable as a substitution variable in the report data source the label displayed is the DT.2008 and not 2008 as expected.
  Does anybody have an idea how to solve that?
  Many thanks,
  Thiago Gabriel

  You usually get this error message if you are trying to assign a value from a sub var to a member that does not exist.
  e.g. trying to put FY08 which is a year member against a period dimension
  or trying to use a sub var of FY09 which does not yet exist in the essbase, so say you added a new year in planning FY09 and used the sub var in the form but have not refreshed the database then it would fail because the year would not have been pushed down to essbase yet.
  or the value of the subvar does not match a member name exactly
  or using a sub var name that does not exist in essbase, e.g. using &nextYear but the sub var has not been created in essbase.
  You can definitely use subsitution variables in columns in the version you are using and prior version.
  Cheers
  John
  http://john-goodwin.blogspot.com/

• Financial Reporting (FR) using Substitution Variables with Quotes

  HI all,
  I've created a substitution variable, &CurWk, for a Period Dimension member. The member name, Dec Wk2, has an embedded space, so I enclose the member name in quotes when assigning it to the substitution variable in EAS. However, when I try to use that substitution variable in Financial Reporting, it does not recognize the Substitution variable. I've closed down and re-opened the FR Studio. If I remove the quotes around the member name when assigning it to the Substitution Variable, then FR will recognize the substitution variable. However, I get an error in the calc scripts if I try to reference the substitution variable if this member name is not enclosed in quotes. In my mind, this seems to be a bug in FR since quotes can be optional when referencing any member name. Has anyone else had this problem? Is there a work-around? I'm using EPM 11.1.1. Thanks for your help!
  Vince Kelly

  Hi Vince,
  For the Calc scripts add & to the front of the sub var and surround the sub var with [ ], for example:
  where sub vars are ReptQTR, ReptYR, ReptScenario:
  CASE
  When (Is(QTR.Currentmember,&#91;&REPTQTR&#93;) and (IS(FY.Currentmember,&#91;&REPTYR&#93;))) then
       CASE
       When ((ISUDA(L000.CurrentMember,"NC"))) then
            CASE
            WHEN (ISUDA(L000.CurrentMember,"Expense")) THEN
            ((&#91;&REPTPYR&#93;,&#91;ACT&#93;) - &#91;&REPTSCENARIO&#93;)
            ELSE
            (&#91;&REPTSCENARIO&#93; - (&#91;&REPTPYR&#93;,&#91;ACT&#93;))
            END
       END
  END
  Edited to fix stupid html codes: Iain Curtain on Feb 1, 2010 5:44 PM

• Using substitution variables in a BS rule

  Hi there
  Im trying to use a substitution variable when selecting the current month. Se example below.
  I loading af YTD number on a member "YTD" and I would like to break the numbers down, so that I also can see the values as pr. month.
  I would like to use the substitution varible "currmth" to do this, so that it only calculates the current month. I know I could use a UDA for this, but shouldn't this work?
  ELSEIF (@ISMBR (&CurrMth) == "Aug")
  ("YTD" - ("jan" + "feb" + "mar" + "apr" + "may" + "jun" + "jul"));
  ELSEIF (@ISMBR (&CurrMth) == "Sep")
  ("YTD" - ("jan" + "feb" + "mar" + "apr" + "may" + "jun" + "jul" + "aug"));
  ELSEIF (@ISMBR ("Oct"))
  If you look at "sep" that is how I would like it to function, but I cant. It simple doesent calculate anything for the member. But if I use "Oct" and not the substitution variable "currmth" I get my member calculated.
  Is there something here im missing, or doesn't it work like this? Any help would be appreciated!
  Jacob

  Jacob,
  You don't need the @IsMbr when comparing the value of the substitution variable.
  ELSEIF (&CurrMth == "Aug")
  ("YTD" - ("jan" + "feb" + "mar" + "apr" + "may" + "jun" + "jul"));
  ELSEIF (&CurrMth == "Sep")
  ("YTD" - ("jan" + "feb" + "mar" + "apr" + "may" + "jun" + "jul" + "aug"));
  ELSEIF (@ISMBR ("Oct"))
  Robert
  Edited by: RobertR3 on Dec 4, 2009 9:45 AM