Security issues to consider with download links

Hello,
I'm following the "How to Upload and Download Files in an Application" section of the Advanced Tutorial for APEX. I would like to integrate the security portion mentioned at the end; however, I'm not sure how to integrate it into the download_my_file procedure. I have tried to include a block of code into the procedure so that it runs first but I get errors.
Here is the Procedure code:
create or replace PROCEDURE download_my_file(p_file in number) AS
  v_mime      VARCHAR2(48);
  v_length    NUMBER;
  v_file_name VARCHAR2(2000);
  Lob_loc     BLOB;
BEGIN
  -- Fetch the file row selected by the id passed in the URL
  SELECT MIME_TYPE, BLOB_CONTENT, name, DBMS_LOB.GETLENGTH(blob_content)
    INTO v_mime, lob_loc, v_file_name, v_length
    FROM file_subjects
   WHERE id = p_file;
  -- Set up the HTTP headers; fall back to a generic binary type
  owa_util.mime_header( nvl(v_mime,'application/octet-stream'), FALSE );
  htp.p('Content-length: ' || v_length);
  -- Drop everything up to the first '/' and strip CR/LF from the file name
  htp.p('Content-Disposition: attachment; filename="'
        || replace(replace(substr(v_file_name, instr(v_file_name,'/')+1), chr(10), null), chr(13), null)
        || '"');
  owa_util.http_header_close;
  -- Stream the BLOB to the browser
  wpg_docload.download_file( Lob_loc );
end download_my_file;
Here is the "Security" code:
APEX_APPLICATION.G_FLOW_ID := 100;
IF NOT wwv_flow_custom_auth_std.is_session_valid then
htp.p('Unauthorized access - file will not be retrieved.');
RETURN;
END IF;
I have tried to put the security code in a block in front of the "download_my_file" procedure but it did not work for me. I need to know how to integrate the two so that it works. I would greatly appreciate the help.
Thanks
LEH

Hi,
Have you tried something like:
create or replace PROCEDURE download_my_file(p_file in number) AS
  v_mime      VARCHAR2(48);
  v_length    NUMBER;
  v_file_name VARCHAR2(2000);
  Lob_loc     BLOB;
BEGIN
  -- Application whose session is checked
  APEX_APPLICATION.G_FLOW_ID := 100;
  IF wwv_flow_custom_auth_std.is_session_valid then
    -- Valid session: fetch the file row and send it
    SELECT MIME_TYPE, BLOB_CONTENT, name, DBMS_LOB.GETLENGTH(blob_content)
      INTO v_mime, lob_loc, v_file_name, v_length
      FROM file_subjects
     WHERE id = p_file;
    owa_util.mime_header( nvl(v_mime,'application/octet-stream'), FALSE );
    htp.p('Content-length: ' || v_length);
    htp.p('Content-Disposition: attachment; filename="'
          || replace(replace(substr(v_file_name, instr(v_file_name,'/')+1), chr(10), null), chr(13), null)
          || '"');
    owa_util.http_header_close;
    wpg_docload.download_file( Lob_loc );
  ELSE
    -- No valid session: refuse without reading the table
    htp.p('Unauthorized access - file will not be retrieved.');
  END IF;
end download_my_file;

Andy
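
The session check in the procedure above only proves that the caller has a live APEX session; any signed-in user can still pass any id in p_file. The following PL/SQL is an added example (not code from this thread or from the Oracle tutorial) that also restricts the row to the session user and returns proper status codes. The OWNER column on file_subjects is hypothetical, and the example assumes apex_custom_auth.get_username returns the session's user once the validity check has passed.

```sql
-- Added example, not from the original thread.
-- Assumptions: file_subjects has a hypothetical OWNER column holding the APEX
-- user name that uploaded the row; application id 100 is taken from the thread.
create or replace procedure download_my_file (p_file in number) as
  v_mime      varchar2(48);
  v_length    number;
  v_file_name varchar2(2000);
  lob_loc     blob;
begin
  -- Tell the APEX engine which application's session to validate.
  apex_application.g_flow_id := 100;

  -- 1. Authentication: refuse before touching the table.
  if not wwv_flow_custom_auth_std.is_session_valid then
    owa_util.status_line(403, 'Forbidden', false);
    owa_util.mime_header('text/plain', true);
    htp.p('Unauthorized access - file will not be retrieved.');
    return;
  end if;

  -- 2. Authorization: the row must belong to the session user, so a valid
  --    session alone is not enough to fetch somebody else's id.
  begin
    select mime_type, blob_content, name, dbms_lob.getlength(blob_content)
      into v_mime, lob_loc, v_file_name, v_length
      from file_subjects
     where id    = p_file
       and owner = apex_custom_auth.get_username;  -- OWNER is hypothetical
  exception
    when no_data_found then
      -- Same answer for "no such id" and "not your file", so the response
      -- does not reveal which ids exist.
      owa_util.status_line(404, 'Not Found', false);
      owa_util.mime_header('text/plain', true);
      htp.p('File not found.');
      return;
  end;

  -- 3. Header hygiene: drop everything up to the first '/', then remove LF,
  --    CR and double quotes so the stored name cannot break out of the
  --    quoted filename or start a new header line.
  v_file_name := substr(v_file_name, instr(v_file_name, '/') + 1);
  v_file_name := translate(v_file_name, 'x' || chr(10) || chr(13) || '"', 'x');

  owa_util.mime_header(nvl(v_mime, 'application/octet-stream'), false);
  htp.p('Content-length: ' || v_length);
  htp.p('Content-Disposition: attachment; filename="' || v_file_name || '"');
  owa_util.http_header_close;

  -- 4. Stream the BLOB.
  wpg_docload.download_file(lob_loc);
end download_my_file;
/
```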

Similar Messages

  • Problem with download link for a BLOB Column in a "Classic report"

    I am having a problem where I cannot make a download link for a blob column function in a "classic" (non-interactive) report. I went through the tutorial on this topic and it was great help in working out the minor bugs, but I get a 404 error (apex_util.get_BLOB not found). For testing purposes I went ahead and created an identical report on the same page that is an "Interactive report" and it works like a charm. Same query, same BLOB formatting Mask, pulling data from the same table. So, it really doesn't seem like an issue with the grants, since both reports should be executing as the same user.
    I know it sounds like the obvious answer is to just go with the interactive report and my problem is solved, but the rest of this site uses classic reports, and I don't need the sort features of an interactive report, and the slightly different style of the report really stands out even if I turn off all the bells and whistles. I don't want to change the css to make them look identical, I just want a regular report to work.

    I eventually found another post: APEX_UTIL.GET_BLOB was not found on this server
    In this post there is the suggestion of putting "dbms_lob.getlength("var")" after the date field in your select. So I changed my query to have it at the end, and now my format mask (DOWNLOAD:table_name:ATTACHED_FILE:FILE_ID::FILE_MIME_TYPE:FILE_NAME:::attachment:Download) works like a charm, in a classic report.

  • I made a clickable image with download link on my FACEBOOK page, but it's not working on Mozilla Firefox, while it's working on other browsers. Please help!!

    I'm using Firefox 23.0. I just used a simple HTML code on the download link, but it's not working on Firefox.

    In what way is this button not working?
    Can you post the code that you use for this download button?
    Do you get this link if you right-click and choose "Inspect Element" to open the built-in inspector?
    * https://developer.mozilla.org/en/Tools/Page_Inspector

  • Problem with download link in Oracle 9i Lite page?

    Hello,
    I get a cannot find server/The page cannot be displayed error when attempting to download 9i Lite for Windows.
    http://download.oracle.com/otn/nt/oraclelite/olite502_win.zip
    Is this a known issue? Can anyone else get to it?
    Thanks.
    Julian

    Julia,
    I am unable to download using that link and I have reported it to the OTN people.
    If you continue to have a problem, please send me an address and I will ship you a CD.
    TNX,
    Phil

  • Security issue I find with Verizon Internet Suite???

    I have strange behavior within my connection to Verizon router, internet suite and windows XP that I cannot seem to get help with. I have inquired many times as to why the security suite utilizes "ports" which are regularly exploited by hackers in order to gain access to network computers attached to Internet. Here's the problem as I see it
    ...I have regular hits on port 1900 plus similar packets dropped at port 5000 from what I could only surmise was the suite itself ...there is also similar connection of which I cannot interrogate nor investigate as it does not allow. Why would an Internet or network suite utilize known unsecured ports that can easily be exploited. I use no messaging service (messenger, etc.), no games (not even MS games added as default in XP), no extraneous add-ons at all. I use "nothing but NET" ...lol ...on this machine ...with exception of such times when adobe or media player is needed, and I've disabled the updating for these 2 programs. This is basically an internet browsing computer. I won't go into the topology behind it because it's really unimportant to this issue.
    The Actiontec router, itself, of course has allocated all sorts of port openings for such services as I listed above. Which ones are really needed and how do I disable or make adjustments to it so that my port 1900 is stealthiest to the internet. My goal is to become as invisible as possible on the internet, I wish to STEALTH this port, for the same reason I wouldn't leave my house key in my front or back door so that just anybody wandering by might notice thus they cannot have access into my house without my permission.
    I have achieved some stealthiness but there seems to be a big hole and Internet suite has nothing in it to disable it or stealthy way to utilize it. I seem to have similar problems with being "Ping" requests. I have half of that job done but I cannot achieve a full stealth mode, as I can be pinged but with no response. According to networking resources this makes me vulnerable for any hacker who has the patience to wait for an opening of any exposed ports. I feel no need to have ports open that are not needed, can anybody help me? Now I'm no networking engineer so "ports" meant very little to me until now however I would like to learn ...SMNP, ALG, yada, yada means is "GREEK" to me. ANSWERS with open the port or close the port scenarios ...please ... in layman's terms would be nice too. 65565 is a lot of ports to go through so strings of ports are useful too.

    1. If you have plug and play enabled, software can open ports on the router.
    2. What do you mean by Internet Suite? Do you have Verizon's software installed?
    3. Do you have TV service? If so there are ports that are required to be open so the Web can talk to the STB.
    4. Disabling ping or changing settings on the router can hinder troubleshooting if you were to call for support.
    5. There are 3rd party software firewalls that can be run on XP or software that can control the firewall in Vista.
    6. If you are really concerned about security you could place another router on the LAN port of the Actiontec and put all your PC hardware on the new router's LAN. This would put all hardware on the Actiontec and your PCs on different networks. (Double NAT) So even if the internet could get through your first router it would be unlikely they would get through the second.
    7. You could adjust the firewall settings on the Actiontec to lock down some of the ports and or ("Stealth the ports")
    GRC among other websites can scan your system for open ports. http://www.grc.com/default.htm go to the ShieldsUp page.
    Even if your ports can not be seen, or are stealth, there are scanners and viruses on the Internet that can blindly hit ports that are not even indicated as being there. Your firewall logs will show these packets as dropped.

  • Hidden Classic Report - With Download Links

    Hi All,
    I have a requirement.
    I am displaying certain user information through a form i.e. with all the fields in the form as READ ONLY / DISPLAY ONLY.
    I need a XLS/PDF download button allowing users to click and download the particular details on the page.
    I tried creating a CLASSIC REPORT.
    Made the template as "NO TEMPLATE"
    Gave "&nbsp" values to the headers
    and hide the columns.
    Although it is understood that if I hide/do not show the fields in the report, then the XLS report will be blank.
    Is there any other way of doing it?
    Thank you,
    Srikumar S

    Hi,
    I tried the way you did it there.
    I am getting the following type of report:
    PAGE_ID     REGION_NAME     REGION_CSV_EXPORT_LINK
    16     Session Participants     f?p=103:16:11124720394425:FLOW_EXCEL_OUTPUT_R66413769667879139003_en
    16     Session Trainers     f?p=103:16:11124720394425:FLOW_EXCEL_OUTPUT_R66413836384202172172_en
    80     sfdsf     f?p=103:80:11124720394425:FLOW_EXCEL_OUTPUT_R3094310823067880_en
    The REGION_CSV_EXPORT_LINK is not enabled:
    I tried making it a "Standard Report Column", but that didn't work.
    Can you tell me what I am missing?
    Thank you once again.
    Srikumar S

  • Onclick gives issues in IE with command link and works in alternate clicks

    We need the working of the onclick to be persistent here.
    But it is not.
    <h:column id="column11">
    <f:facet name="header">
    <h:outputText value="" id="readingCol"></h:outputText>
    </f:facet>
    <h:commandLink id="readingLink" onmousedown="return func_2(this, event);" action="#{pc_MeterSelect.doReadingLinkAction}" >
    <h:outputText id="text48"
    value="#{msgs.lnk_reading}"></h:outputText>
    <f:param name="meterID" value="#{varmeterRecords.meterID}" />
    </h:commandLink>
    </h:column>
         function func_2(thisObj, thisEvent) {
    //use 'thisObj' to refer directly to this component instead of keyword 'this'
    //use 'thisEvent' to refer to the event generated instead of keyword 'event'
    thisObj.onclick();
    }

    Can you explain better what is the problem?

  • How to display download link with get_blob or get_blob_file_src ?

    Hello there,
    I am struggling to display a download link in a SQL query report.
    Based on the requirement, I have to create a sql query report that the source contains a series of union select query.
    Example here
    WITH current_engagement AS (
    SELECT defendant_id, engagement_id, pn, ethnicity, date_joined_aodt_court, case_manager_name
    , participation_conditions, discharge_conditions
    FROM engagement
    WHERE defendant_id = :PXX_DEF
    AND date_joined IS NOT NULL
    AND ( date_terminated IS NULL OR to_date(date_joined,'DD/MM/YYYY') > to_date(sysdate,'DD/MM/YYYY'))
    AND active = 1 AND ROWNUM = 1
    ORDER BY defendant_id DESC
    )
    SELECT def.first_name, def.middle_name, def.surname, to_char(def.pn) AS "PN", to_char(def.nhi_number) AS "NHI"
    ,ce.ethnicity, to_char(ce.date_joined) as "DATE_JOINED ", ce.case_manager_name, ce.participation_conditions, ce.discharge_conditions
    FROM defendant def INNER JOIN current_engagement ce
    ON def.def_id = ce.defendant_id
    UNION ALL
    select ' <b>2. Phase Number</b>' , '<b>Date Started</b>' , '<b>Date Finised</b>' , '<b>Notes</b>' , null
    ,null , null , null , null , null
    from dual
    UNION ALL
    SELECT TO_CHAR(NVL(ph.phase_number,'No Phase Found')), TO_CHAR(ph.date_started, 'DD/MM/YYYY'), TO_CHAR(ph.date_finished, 'DD/MM/YYYY'), ph.notes, null
    , null , null , null , null , null
    FROM phase_membership ph INNER JOIN current_engagement ce
    ON ph.mpm_eng_id = ce.engagement_id
    WHERE to_date(ph.date_started,'DD/MM/YYYY') <= TO_DATE(sysdate,'DD/MM/YYYY')
    AND ( ph.date_finished IS NULL
    OR TO_DATE(ph.date_finished, 'DD/MM/YYYY') >= TO_DATE(sysdate,'DD/MM/YYYY') )
    AND ph.active = 1
    UNION ALL
    --more selects
    -- then the last select is to list all related documents with download links
    select '<b>6. Document Date</b>' , '<b>Document Type</b>' , '<b>Description</b>' , '<b>Download</b>'
    , null ,null , null , null , null , null
    from dual
    UNION ALL
    SELECT TO_CHAR(doc.date_received), doc.document_type, doc.comments, TO_CHAR(dbms_lob.getlength(doc.UPLOADED_FILE))
    , null ,null , null , null , null , null
    FROM document doc INNER JOIN current_engagement ce
    ON doc.d_eng_id = ce.engagement_id
    WHERE doc.active = 1
    This report is generated fine.
    But the requirement also ask to display a download link. And because it is union selects, all following selects must be the same as the first select column data types.
    In this case, it has to be CHAR. Otherwise, it will generate error as below
    ORA-01790: expression must have same datatype as corresponding expression
    So I follow the GET_BLOB_FILE_SRC Function step from
    http://docs.oracle.com/cd/E14373_01/apirefs.32/e13369/apex_util.htm#AEAPI129
    I turn my last select into
    SELECT TO_CHAR(doc.date_received), doc.document_type, doc.comments,
    CASE WHEN NVL(dbms_lob.getlength(doc.UPLOADED_FILE),0) = 0
    THEN NULL
    ELSE
    'Download'
    END
    , null ,null , null , null , null , null
    FROM document doc INNER JOIN current_engagement ce
    ON doc.d_eng_id = ce.engagement_id
    WHERE doc.active = 1
    The result inside the href is
    http://app_address_here/f?p=208:48:1303335952329758:::::
    while if I use Interactive report the link is
    http://app_address_here/apex_util.get_blob?s=1303335952329758&a=208&c=66645817090447568&p=48&k1=12&k2=&ck=A18D20D407435BD649EA3399EC27BC00&rt=CR
    and it works well.
    I do a research and know that get_blob_file_source link to the source of the column / field name located in the first parameter.
    So I had put the UPLOADED_FILE column, DOCUMENT table in the source of the column PN.
    But it still does not show anything that close to the correct one that is generated by interactive report.
    If anyone has any ideas, please help. If I need to manually write using get_blob , please give me an example.
    I urgently need to do this report.
    The version of APEX we use is Application Express 4.0.2.00.07
    And I cannot ask for an upgrade to 4.2 till the end of next year.
    Please help.
    Thanks a lot in advance.
    Ann.

    Hi Ann,
    Here you can see and download the example :
    http://apex.oracle.com/pls/apex/f?p=63066:1
    Please let me know if you need access the work space.
    Hint: please read the FAQ section. Had you put your thread in a better format, you would have gotten a quicker response :)
    Regards,
    Fateh

  • Lion ordered via telephone - why does it take 1 week to get an email with the link to the online shop? Is Apple sending out emails by post?

    Telephone order of OS X Lion - Delivery: email with download link - So, why would that take 1 week to be delivered??? I remember times when Data connection was so slow that it would actually take 1 week to send today's sizes of email - but that was 25 years ago...
    Shipment 1
    Ready to ship: 1 - 3 business days
    Delivery: 31 May, 2013 - 03 Jun, 2013 via express shipping
    OS X Lion (10.7)
    14,63€

    Why are you bothering to upgrade to Lion?
    If your machine is one of those that can't upgrade to the better Mountain Lion, then it's much better off remaining on Snow Leopard because all the legacy software you're running won't need to be replaced.
    The Lions and beyond won't run your PPC software, and likely most of your Intel software neither, no Rosetta!
    An older machine that can only run Lion is a dated machine, and likely due to expire soon.
    I can't see even bothering to go to Lion and having to buy all new software for an old machine, not at your stage.
    A newer 10.8 machine would be a better choice, because you know Apple releases a new OS X version every year now and the year is almost up, so if you get to 10.7, then you're going to be behind again shortly anyway on the old machine, but the new machine you can upgrade OS X to the latest new version.
    It doesn't make much sense at this point and time to upgrade to Lion for you, the older machine will run best with Snow Leopard anyway.
    If you MUST use one of the OS X Lions, then I suggest a new machine, that way it can be upgraded further.
    Apple is still issuing security updates for Snow Leopard, it's got a 1/3 apx market share.
    OS X 10.4/10.5 need to upgrade, 10.6.8 ok still

  • Download Links To Older Versions Of Firefox

    Hi there,
    I work for a company called 4Projects in which we have an online application. I work as a test analyst and would like to know if you could provide me with download links to older versions of firefox.
    The versions which we require are Version 4 & 5 as some of our users have those versions installed. We require these so we can test fixes which we put in place in a test server before releasing to the live servers.
    Your help would be appreciated.
    Kind Regards
    Simon
    Test Analyst
    4Projects

    Everything you want for current Firefox 3.6 is on the FTP server here:
    * ftp://ftp.mozilla.org/pub/mozilla.org/firefox/releases/latest-3.6/
    There's two big files for all MD5 and SHA1 sums of everything. Solaris is under the contrib dir.
    The current version of Firefox 3.x is 3.6.23. Firefox 3.5 is no longer supported and Firefox 3.6 is considered a direct update (aka minor update) to Firefox 3.5; when Firefox 3.5 users check for updates they go directly to 3.6 for security and stability fixes.
    If you really need an old version for testing purposes, you can get any version of Firefox that ever existed off of the FTP server:
    * ftp://ftp.mozilla.org/pub/mozilla.org/firefox/releases/

  • Company email access denied to iphone users due to security issues, help!

    I am interested in purchasing an iphone but my company said they won't allow access to our company email with the iphone due to security issues. Any one else heard of that? Is there some way for me to forward my company email to the account I would set up under the itunes? It seems there are a lot of unhappy people out there with these phones, are there any happy users out there? It seems like such a cool device and I want one but don't want to get stuck with something I can't use or that I am going to have problems with.

    Of course there are happy users.
    These discussions are like a hospital for Mac products with nothing but problems reported here. If you based a decision on purchasing an Apple product, any product on these discussions, you would never purchase any. Coming to the conclusion here that there are no happy users and the iPhone is nothing but problems would be like visiting a local hospital in your area full of patients (all are) and coming to the conclusion that everyone in your community must be sick and/or dying.
    What type of email account - POP, IMAP or Exchange through an Exchange Server?
    Accessing an email account on an iPhone is no different than accessing the account with a computer. Funny that your company claims the iPhone has security issues and prevents access but certainly allows PCs running Windows to access company email accounts? Sorry but this is my biggest laugh of the day - not at you but at your company. Your company has loads of security issues and concerns with any version of Windows accessing their network than they would ever come close to with an iPhone accessing the incoming mail server to download messages.
    If your company allows for email account forwarding, you can do so.

  • BLOB content download link on apex report

    Hi Guys,
    I have a simple form where the user can attach a file and save the records. I iterate through wwv_flow_files and get the file and save it to a custom table which has a BLOB column. On another report page I display uploaded file details. What I need is a column with a download link; when the user clicks the link, the appropriate file should be downloaded. How can I do this?
    Really appreciate if someone can assist me on this.
    Thanks Guys.

    See About BLOB Support in Forms and Reports.
    There's an OBE tutorial that followed the introduction of declarative BLOB support in 3.1 as well. (An earlier version but it is still relevant to APEX 4.x.)
    (Please make an effort to consult the documentation and thoroughly search the forum for previous coverage of a topic. This is a much discussed question.)

  • Download link in Apex4

    Hi All,
    I have migrated Apex 3.2 to Apex 4.
    I had an interactive report with a download link. It was working fine, but in Apex 4 this is not working. Could anybody please help me with this?
    Thanx
    Omy

    Hi All,
    Please help as this is urgent.
    I am giving more details:
    My Report Query is:
    SELECT
    issue_id,
    dbms_lob.getlength("P_LOG_FILE") "LOG_FILE",
    progress,
    TO_CHAR(modified_on, 'DD-Mon-YY HH:MI:SS')Mod_date,
    modified_by,
    status,
    time_spent
    FROM
    it_issues_progress
    WHERE
    issue_id =:P38_ISSUE_ID
    UNION ALL
    SELECT
    issue_id,
    null LOG_FILE,
    null progress,
    null Mod_date,
    null modified_by,
    'TOTAL',
    CAST(numtodsinterval(SUM(it_total_seconds_spent(time_spent)), 'SECOND') AS interval DAY(5) TO second(2))
    sum_test
    FROM
    it_issues_progress
    WHERE
    issue_id =:P38_ISSUE_ID
    GROUP BY
    issue_id
    Column format is DOWNLOAD:IT_ISSUES_PROGRESS:P_LOG_FILE:ISSUE_ID::P_MIME_TYPE:P_FILE_NAME:P_LAST_UPDATE::attachment:Download
    The download link was working in Apex 3.2, and when I migrated to Apex 4 it stopped working. When I click on the link, instead of opening that doc, it displayed a "Page cannot be displayed" error.
    Please tell me what should I check?
    Thanx
    Omy

  • Problems with download

    I create a download link. It works in the same way as in Denes Kubicek's application.
    It works correctly. Then I create another report with a download link. In the second report I have a problem. When I click on it, I see the error page "Not found...."
    Everything is the same. I have no idea how to repair it. Does anybody have an idea what it might be?
    Regards,
    Kostya!

    The error you described happens when there is no execute granted to public on your
    procedure. Check that. Also create a public synonym. Eventually, you are missing
    the schema name in front of your procedure in the URL. The error must be somewhere
    in there.
    Denes Kubicek

  • Having trouble with downloading apps onto my iOS device(s)

    I have been having trouble for the last month, I'd say, with downloading and updating apps I have purchased onto my iPad 3 and iPhone 4S, and it's really annoying. I have contacted Apple, but in order for them to help me I would have to pay a technical fee for each device, which is outrageous. Any help?

    Apple wants you to set your security questions. Select a question from the list and then give an answer. Do not forget the answer(s). You only need to set two, that's why it kicks you out and to the Terms and Conditions page before you get to the third. If you cannot Accept the Terms and Conditions on the device go here > Apple - My Apple ID Manage your Apple ID and set the security questions there. I suggest that you set up a recovery email while you're there. After go back to the device and try again. You may need to answer the security questions to proceed with downloads.
