SQL Injection Produces "Wrong Name" Errors
Hi all,
By now, you're familiar with the SQL Injection attacks
floatin' around out there, but what has me puzzled is how my
ColdFusion servers are responding to them. For each SQL Injection
attempt, CF throws an application error; this is from my
APPLICATION.LOG:
"Error","jrpp-953","09/19/08","13:27:04",,"Application (wrong
name: com/ms/asp/Application) The specific sequence of files
included or processed is: D:\MySite\web\product.cfm "
I've seen others complaining about this on ColdFusion MX 6,
ColdFusion MX 7 and ColdFusion 8, but every discussion terminates
mysteriously without a solution. It's an evil conspiracy....
Any help is greatly appreciated.
Hello,
Were you able to solve this problem and how?
Thanks
Similar Messages
-
Hi,
I created a package in eclipse with 3 .java files under it.
In each of the three java files I have included the "package testpackage;" clause at the top.
My first 2 files (lets call them one.java and two.java) is referenced in three.java, thus I use the import statement for both one and two in three.java.
After I compile all 3 successfully in Eclipse, I go to the command line, to the specific directory (testpackage) and run: java one, but I get the message:
NoClassDefFoundError: 1 (wrong name: testpackage/one)
What is wrong?I found that you need to be in the PACKAGE directory when you execute the "java" command, not the directory containing the .class file(s). For example, if you have the following statement in your java program:
package buServer;
Your .class files (BUreceiver.class in my case) will reside in a directory named buServer. You need to be in the directory ABOVE the one that contains your class files (the package directory) and execute the program as shown below:
java buServer/BUreceiver
The above assumes that the current directory is in your CLASSPATH or is given by the " -cp ." on the java command line.
The basic problem, I think, is that CLASSPATH points to directories that are supposed to contain .class files. When you use a package, you have to give the fully quallified name of the class with a root beginning in one of the directories in the CLASSPATH. In my case, the "package" statement says my class should be in a <CLASSPATH>\buServer\ directory. When I was in the buServer directory (containing my .class files) and added it to the CLASSPATH, there was no <CLASSPATH>\buServer\ directory, since the buServer\ directory was inside CLASSPATH. However, when I tried to execute it without qualifying it with the "buServer", it saw the package statement in the class file that was there and gave me the "wrong name" error.
Another solution would have been to take out the package statement from the program. -
Wrong name: error with Tomcat
hello, I'm running Tomcat on Debian Sarge and I'm getting the following error:
java.lang.NoClassDefFoundError: com/bluewolf/BlueWolf (wrong name: BlueWolf)
java.lang.ClassLoader.defineClass1(Native Method)
java.lang.ClassLoader.defineClass(ClassLoader.java:620)
java.security.SecureClassLoader.defineClass(SecureClassLoader.java:124)
org.apache.catalina.loader.WebappClassLoader.findClassInternal(WebappClassLoader.java:1629)
org.apache.catalina.loader.WebappClassLoader.findClass(WebappClassLoader.java:850)
org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1299)
org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1181)
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856)
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:744)
org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
java.lang.Thread.run(Thread.java:595)
The name of my servlet is BlueWolf. I have defined my servlet in my web.xml like so:
<!-- servlet definitions -->
<servlet>
<servlet-name>BlueWolf</servlet-name>
<servlet-class>com.bluewolf.BlueWolf</servlet-class>
</servlet>
<!-- define mappings -->
<servlet-mapping>
<servlet-name>BlueWolf</servlet-name>
<url-pattern>/BlueWolf</url-pattern>
</servlet-mapping>
I've tried searching for this error but there were no fixes I found that helped my situation. Can anyone please help me out? If any more information is needed please let me know.
Thanks!Okay, I made a simpler web application. I have:
index.html
WEB-INF/
my WEF-INF directory looks like:
classes/
lib/
web.xml
my only servlet is WEB-INF/classes/com/servTest.class
I defined the servlet in my web.xml like this:
<!-- Name to Java class mapping -->
<servlet>
<servlet-name>servTest</servlet-name>
<servlet-class>com.servTest</servlet-class>
</servlet>
<!-- Name to URL mapping -->
<servlet-mapping>
<servlet-name>servTest</servlet-name>
<url-pattern>/servTest</url-pattern>
</servlet-mapping>
However, I still get the same error (NoClassDefFoundError .... wrong name: servTest blah blah)
I am trying to access the servlet by the url http://localhost:8080/servTest/servTest and I've also tried http://localhost:8080/servTest/com.servTest. I also tried linking to it in my index via a form with action="servTest". I've also tried action="com.servTest" however I still can't seem to get past this wrong name error. However, I can create servlets fine without trying to use packages (i.e. if i place .class files directly in WEB-INF/classes), but I would really like to have packages working. Can anyone see any potential errors? thanks! -
Wrong name error if I mess up url string case
Hi:
I have a url as the following: http://localhost:7001/APP/a.jsp. If I
close browser and type it as lower case url
http://localhost:7001/app/a.jsp later time, it will cause a null pointer
exception(wrong name error). Is the url case sensitivity problem been
fixed by any service pack.
Thanks,
David
Okay, I made a simpler web application. I have:
index.html
WEB-INF/
my WEF-INF directory looks like:
classes/
lib/
web.xml
my only servlet is WEB-INF/classes/com/servTest.class
I defined the servlet in my web.xml like this:
<!-- Name to Java class mapping -->
<servlet>
<servlet-name>servTest</servlet-name>
<servlet-class>com.servTest</servlet-class>
</servlet>
<!-- Name to URL mapping -->
<servlet-mapping>
<servlet-name>servTest</servlet-name>
<url-pattern>/servTest</url-pattern>
</servlet-mapping>
However, I still get the same error (NoClassDefFoundError .... wrong name: servTest blah blah)
I am trying to access the servlet by the url http://localhost:8080/servTest/servTest and I've also tried http://localhost:8080/servTest/com.servTest. I also tried linking to it in my index via a form with action="servTest". I've also tried action="com.servTest" however I still can't seem to get past this wrong name error. However, I can create servlets fine without trying to use packages (i.e. if i place .class files directly in WEB-INF/classes), but I would really like to have packages working. Can anyone see any potential errors? thanks! -
Annoying-as-hell 'wrong name' error
Hi all,
Okay, so I've got a Java app that compiles fine (ProxyTool.class), and works fine in Eclipse... but when I try to call it from the command-line (java ProxyTool), I'm getting this un-useful and un-helpful error: java.lang.NoClassDefFoundError: ProxyTool (wrong name: test/sys/ProxyTool).
I then attempt to do java /test/sys/ProxyTool, and I get java.lang.NoClassDefFoundError test/sys/ProxyTool.
Can someone please just tell me what I need to run this g*ddamn app? This is driving me nuts.mracuraintegra wrote:
I had run the previous command from the package root - I simply thought I had to give a full path to the .class files. Simply using "bin" instead of the full path worked.Of course it worked, that's what I told you to do in the first place.
I completely understand (I think) the concept of a package as a logical container. I am completely baffled as to why it is this finicky in Java. I'm assuming the .NET equivalent is a namespace, and it's not nearly this termpermental!It is not finicky, you were just doing random stuff instead of reading the documentation on how packages work.
http://java.sun.com/docs/books/tutorial/java/package/managingfiles.html -
I've created a package in SSDT (Visual Studio 2012) to import DBF tables into MSSQL 2014 via a wizard.
Source DBF files contain tables with Russian (Cyrillic) characters in records fields.
Created package works fine, produces correct results (imports Cyrillic characters as needed) while:
•debugging in VS2012
•deploying package in SSISDB and running the package via PowerShell x86:
&"c:\Program Files (x86)\Microsoft SQL Server\120\DTS\Binn\DTExec.exe" /Server "server\mssql2014" /ISServer "\SSISDB\import\Integration Services Project16\Package1.dtsx";
But when I create a SQL Agent job with a single PowerShell step that contains the same command and run the job it produces wrong characters in resulting tables. So, the problem is in wrong code page (or encoding). The correct tables with records are
produced and job runs without errors.
I tried
chcp 1251; # 855, 866 -- all of them
&"c:\Program Files (x86)\Microsoft SQL Server\120\DTS\Binn\DTExec.exe" /Server "server\mssql2014" /ISServer "\SSISDB\import\Integration Services Project16\Package1.dtsx";
in SQL Agent PowerShell step, but with no positive result.
Anyone encountered such a behavior? How to fix it?
vWhat if you run this package without PowerShell?
Arthur My Blog -
Error building project using kXML2 - "Class loading error: Wrong name"
Hi,
I'm testing the XML-Parser KXML2 and downloaded the latest package, but the minimal version (kxml2-min.zip). I put this file into the directory "%j2mewtk%\apps\KxmlTest\lib" and wrote the lines
import org.kxml2.io.*;
import org.xmlpull.v1.*;
When I try to build the project with the Wireless Toolkit (v1.04) it spits out the following error:
Error preverifying class kxml2.io.KXmlParser
Class loading error: Wrong name
com.sun.kvem.ktools.ExecutionException: Preverifier returned 1
Build failed
I also tried the full package "kxml2.zip" but the same error occurs.
How can I get rid of this? Thanks in advance!Okay, finally worked it out (hopefully). I unpacked the archive to a directory (say "%J2MEWTK%\apps\KxmlTest\tmpclasses") and then preverified them "manually":
%J2SDK%\bin\preverify.exe -classpath "%J2MEWTK%\apps\KxmlTest\tmpclasses";"%J2MEWTK%\lib\midpapi.zip" org.kxml2.io.KXmlParser
%J2SDK%\bin\preverify.exe -classpath "%J2MEWTK%\apps\KxmlTest\tmpclasses";"%J2MEWTK%\lib\midpapi.zip" org.xmlpull.v1.XmlPullParser
%J2SDK%\bin\preverify.exe -classpath "%J2MEWTK%\apps\KxmlTest\tmpclasses";"%J2MEWTK%\lib\midpapi.zip" org.xmlpull.v1.XmlPullParserException
Then I packed them again to a jar-file:
%J2SDK%\bin\jar.exe -cvf kxml2-min.jar %J2MEWTK%\apps\KxmlTest\tmpclasses\output\.
That was all! -
Hi All,
I have started receiving this error in the logs for the last 10 days and the Schedules Jobs for the database have stopped running. My MS CRM application is working fine.
Can anyone guide me what could be the problem.
Date 17/4/2014 2:04:20 PM
Log SQL Server Agent (Current - 17/4/2014 2:01:00 PM)
Message
[298] SQLServer Error: 10061,
A network-related or instance-specific error has occurred while establishing a connection to SQL Server. Server is not found or not accessible. Check if instance name is correct
and if SQL Server is configured to allow remote connections. For more information see SQL Server Books Online. [SQLSTATE 08001]
Date 17/4/2014 2:11:55 PM
Log SQL Server Agent (Current - 17/4/2014 2:01:00 PM)
Message
[298] SQLServer Error: 10061,
A network-related or instance-specific error
has occurred while establishing a connection to SQL Server. Server is not found or not accessible. Check if instance name is correct and if SQL Server is configured to allow remote connections. For more information
see SQL Server Books Online. [SQLSTATE 08001]
Date 7/4/2014 11:00:31 AM
Log SQL Server Agent (Current - 17/4/2014 2:01:00 PM)
Message
[298] SQLServer Error: 10061,
A network-related or instance-specific error
has occurred while establishing a connection to SQL Server. Server is not found or not accessible. Check if instance name is correct and if SQL Server is configured to allow remote connections. For more information
see SQL Server Books Online. [SQLSTATE 08001]Check this link
http://social.msdn.microsoft.com/Forums/en-US/906da9b5-2482-468c-a424-ae099da2d96b/sql-server-agent-service-account-error?forum=sqlsetupandupgrade
Regards, RSingh -
I am getting below error when the weblogic server starts. Can somebody help on this.
DS (XreferenceDB) creation was successful but could not test (Not available in Testing tab).
####<Jul 3, 2012 7:18:14 PM IST> <Error> <Deployer> <PC165237> <AdminServer> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1341323294981> <BEA-149231> <Unable to set the activation state to true for the application 'XreferenceDB'.
java.lang.NoClassDefFoundError: t : T (wrong name t)
at java.lang.ClassLoader.defineClass1(Native Method)
at java.lang.ClassLoader.defineClass(ClassLoader.java:616)
at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:124)
at java.net.URLClassLoader.defineClass(URLClassLoader.java:260)
at java.net.URLClassLoader.access$000(URLClassLoader.java:56)
at java.net.URLClassLoader$1.run(URLClassLoader.java:195)
at java.net.URLClassLoader.findClass(URLClassLoader.java:188)
at java.lang.ClassLoader.loadClass(ClassLoader.java:303)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:308)
at java.lang.ClassLoader.loadClass(ClassLoader.java:296)
at java.lang.ClassLoader.loadClass(ClassLoader.java:296)
at java.lang.ClassLoader.loadClass(ClassLoader.java:248)
at weblogic.utils.classloaders.GenericClassLoader.loadClass(GenericClassLoader.java:177)
at weblogic.utils.classloaders.FilteringClassLoader.findClass(FilteringClassLoader.java:101)
at weblogic.utils.classloaders.FilteringClassLoader.loadClass(FilteringClassLoader.java:86)
at java.lang.ClassLoader.loadClass(ClassLoader.java:296)
at java.lang.ClassLoader.loadClass(ClassLoader.java:248)
at weblogic.utils.classloaders.GenericClassLoader.loadClass(GenericClassLoader.java:177)
at weblogic.rmi.internal.GenericMethodDescriptor.getActualClassName(GenericMethodDescriptor.java:216)
at weblogic.rmi.internal.GenericMethodDescriptor.access$100(GenericMethodDescriptor.java:19)
at weblogic.rmi.internal.GenericMethodDescriptor$TypeParameter.<init>(GenericMethodDescriptor.java:250)
at weblogic.rmi.internal.GenericMethodDescriptor.parseParams(GenericMethodDescriptor.java:111)
at weblogic.rmi.internal.GenericMethodDescriptor.parseGenericParameter(GenericMethodDescriptor.java:151)
at weblogic.rmi.internal.GenericMethodDescriptor.parseParams(GenericMethodDescriptor.java:109)
at weblogic.rmi.internal.GenericMethodDescriptor.computeGenericMethodSignature(GenericMethodDescriptor.java:75)
at weblogic.rmi.internal.GenericMethodDescriptor.computeGenericMethodSignature(GenericMethodDescriptor.java:46)
at weblogic.rmi.internal.BasicRuntimeDescriptor.initRemoteMethods(BasicRuntimeDescriptor.java:715)
at weblogic.rmi.internal.BasicRuntimeDescriptor.initializeRuntimeDescriptor(BasicRuntimeDescriptor.java:244)
at weblogic.rmi.internal.BasicRuntimeDescriptor.<init>(BasicRuntimeDescriptor.java:155)
at weblogic.rmi.internal.BasicRuntimeDescriptor.<init>(BasicRuntimeDescriptor.java:139)
at weblogic.rmi.internal.DescriptorManager.createRuntimeDescriptor(DescriptorManager.java:106)
at weblogic.rmi.internal.DescriptorManager.getBasicRuntimeDescriptor(DescriptorManager.java:85)
at weblogic.rmi.internal.DescriptorManager.getDescriptor(DescriptorManager.java:51)
at weblogic.rmi.internal.DescriptorManager.getDescriptor(DescriptorManager.java:37)
at weblogic.rmi.internal.OIDManager.makeServerReference(OIDManager.java:194)
at weblogic.rmi.internal.OIDManager.getReplacement(OIDManager.java:175)
at weblogic.rmi.utils.io.RemoteObjectReplacer.replaceRemote(RemoteObjectReplacer.java:120)
at weblogic.rmi.utils.io.RemoteObjectReplacer.replaceObject(RemoteObjectReplacer.java:103)
at weblogic.rmi.extensions.server.ServerHelper.replaceAndResolveRemoteObject(ServerHelper.java:403)
at weblogic.jndi.internal.WLEventContextImpl.copyObject(WLEventContextImpl.java:381)
at weblogic.jndi.internal.WLEventContextImpl.bind(WLEventContextImpl.java:276)
at javax.naming.InitialContext.bind(InitialContext.java:400)
at weblogic.jdbc.common.internal.JDBCUtil.bindDeeply(JDBCUtil.java:147)
at weblogic.jdbc.common.internal.JDBCUtil.bindAll(JDBCUtil.java:85)
at weblogic.jdbc.common.internal.RmiDataSource.start(RmiDataSource.java:394)
at weblogic.jdbc.common.internal.DataSourceManager.createAndStartDataSource(DataSourceManager.java:136)
at weblogic.jdbc.common.internal.DataSourceManager.createAndStartDataSource(DataSourceManager.java:97)
at weblogic.jdbc.module.JDBCModule.activate(JDBCModule.java:347)
at weblogic.application.internal.flow.ModuleListenerInvoker.activate(ModuleListenerInvoker.java:227)
at weblogic.application.internal.flow.DeploymentCallbackFlow$2.next(DeploymentCallbackFlow.java:531)
at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:41)
at weblogic.application.internal.flow.DeploymentCallbackFlow.activate(DeploymentCallbackFlow.java:165)
at weblogic.application.internal.flow.DeploymentCallbackFlow.activate(DeploymentCallbackFlow.java:157)
at weblogic.application.internal.BaseDeployment$2.next(BaseDeployment.java:1267)
at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:41)
at weblogic.application.internal.BaseDeployment.activate(BaseDeployment.java:409)
at weblogic.application.internal.SingleModuleDeployment.activate(SingleModuleDeployment.java:43)
at weblogic.application.internal.DeploymentStateChecker.activate(DeploymentStateChecker.java:161)
at weblogic.deploy.internal.targetserver.AppContainerInvoker.activate(AppContainerInvoker.java:79)
at weblogic.deploy.internal.targetserver.BasicDeployment.activate(BasicDeployment.java:184)
at weblogic.deploy.internal.targetserver.BasicDeployment.activateFromServerLifecycle(BasicDeployment.java:361)
at weblogic.management.deploy.internal.DeploymentAdapter$1.doPrepare(DeploymentAdapter.java:42)
at weblogic.management.deploy.internal.DeploymentAdapter.prepare(DeploymentAdapter.java:191)
at weblogic.management.deploy.internal.AppTransition$1.transitionApp(AppTransition.java:21)
at weblogic.management.deploy.internal.ConfiguredDeployments.transitionApps(ConfiguredDeployments.java:240)
at weblogic.management.deploy.internal.ConfiguredDeployments.prepare(ConfiguredDeployments.java:165)
at weblogic.management.deploy.internal.ConfiguredDeployments.deploy(ConfiguredDeployments.java:122)
at weblogic.management.deploy.internal.DeploymentServerService.resume(DeploymentServerService.java:180)
at weblogic.management.deploy.internal.DeploymentServerService.start(DeploymentServerService.java:96)
at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
###<Jul 3, 2012 7:18:15 PM IST> <Info> <Common> <PC165237> <AdminServer> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1341323295059> <BEA-000626> <Free resources in pool "mds-owsm" will be tested every "300" seconds.>
####<Jul 3, 2012 7:18:15 PM IST> <Info> <JDBC> <PC165237> <AdminServer> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1341323295075> <BEA-001124> <Created Connection Pool named mds-owsm.>
####<Jul 3, 2012 7:18:15 PM IST> <Info> <JDBC> <PC165237> <AdminServer> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1341323295122> <BEA-001174> <Creating Data Source named mds-owsm, JNDI Name = jdbc/mds/owsm.>
####<Jul 3, 2012 7:18:15 PM IST> <Error> <Deployer> <PC165237> <AdminServer> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1341323295122> <BEA-149231> <Unable to set the activation state to true for the application 'mds-owsm'.
java.lang.NoClassDefFoundError: t : T (wrong name t)
at java.lang.ClassLoader.defineClass1(Native Method)
at java.lang.ClassLoader.defineClass(ClassLoader.java:616)
at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:124)
at java.net.URLClassLoader.defineClass(URLClassLoader.java:260)
at java.net.URLClassLoader.access$000(URLClassLoader.java:56)
at java.net.URLClassLoader$1.run(URLClassLoader.java:195)
at java.net.URLClassLoader.findClass(URLClassLoader.java:188)
at java.lang.ClassLoader.loadClass(ClassLoader.java:303)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:308)
at java.lang.ClassLoader.loadClass(ClassLoader.java:296)
at java.lang.ClassLoader.loadClass(ClassLoader.java:296)
at java.lang.ClassLoader.loadClass(ClassLoader.java:248)
at weblogic.utils.classloaders.GenericClassLoader.loadClass(GenericClassLoader.java:177)
at weblogic.utils.classloaders.FilteringClassLoader.findClass(FilteringClassLoader.java:101)
at weblogic.utils.classloaders.FilteringClassLoader.loadClass(FilteringClassLoader.java:86)
at java.lang.ClassLoader.loadClass(ClassLoader.java:296)
at java.lang.ClassLoader.loadClass(ClassLoader.java:248)
at weblogic.utils.classloaders.GenericClassLoader.loadClass(GenericClassLoader.java:177)
at weblogic.rmi.internal.GenericMethodDescriptor.getActualClassName(GenericMethodDescriptor.java:216)
at weblogic.rmi.internal.GenericMethodDescriptor.access$100(GenericMethodDescriptor.java:19)
at weblogic.rmi.internal.GenericMethodDescriptor$TypeParameter.<init>(GenericMethodDescriptor.java:250)
at weblogic.rmi.internal.GenericMethodDescriptor.parseParams(GenericMethodDescriptor.java:111)
at weblogic.rmi.internal.GenericMethodDescriptor.parseGenericParameter(GenericMethodDescriptor.java:151)
at weblogic.rmi.internal.GenericMethodDescriptor.parseParams(GenericMethodDescriptor.java:109)
at weblogic.rmi.internal.GenericMethodDescriptor.computeGenericMethodSignature(GenericMethodDescriptor.java:75)
at weblogic.rmi.internal.GenericMethodDescriptor.computeGenericMethodSignature(GenericMethodDescriptor.java:46)
at weblogic.rmi.internal.BasicRuntimeDescriptor.initRemoteMethods(BasicRuntimeDescriptor.java:715)
at weblogic.rmi.internal.BasicRuntimeDescriptor.initializeRuntimeDescriptor(BasicRuntimeDescriptor.java:244)
at weblogic.rmi.internal.BasicRuntimeDescriptor.<init>(BasicRuntimeDescriptor.java:155)
at weblogic.rmi.internal.BasicRuntimeDescriptor.<init>(BasicRuntimeDescriptor.java:139)
at weblogic.rmi.internal.DescriptorManager.createRuntimeDescriptor(DescriptorManager.java:106)
at weblogic.rmi.internal.DescriptorManager.getBasicRuntimeDescriptor(DescriptorManager.java:85)
at weblogic.rmi.internal.DescriptorManager.getDescriptor(DescriptorManager.java:51)
at weblogic.rmi.internal.DescriptorManager.getDescriptor(DescriptorManager.java:37)
at weblogic.rmi.internal.OIDManager.makeServerReference(OIDManager.java:194)
at weblogic.rmi.internal.OIDManager.getReplacement(OIDManager.java:175)
at weblogic.rmi.utils.io.RemoteObjectReplacer.replaceRemote(RemoteObjectReplacer.java:120)
at weblogic.rmi.utils.io.RemoteObjectReplacer.replaceObject(RemoteObjectReplacer.java:103)
at weblogic.rmi.extensions.server.ServerHelper.replaceAndResolveRemoteObject(ServerHelper.java:403)
at weblogic.jndi.internal.WLEventContextImpl.copyObject(WLEventContextImpl.java:381)
at weblogic.jndi.internal.WLEventContextImpl.bind(WLEventContextImpl.java:276)
at weblogic.jdbc.common.internal.JDBCUtil.bindDeeply(JDBCUtil.java:147)
at weblogic.jdbc.common.internal.JDBCUtil.bindAll(JDBCUtil.java:85)
at weblogic.jdbc.common.internal.RmiDataSource.start(RmiDataSource.java:394)
at weblogic.jdbc.common.internal.DataSourceManager.createAndStartDataSource(DataSourceManager.java:136)
at weblogic.jdbc.common.internal.DataSourceManager.createAndStartDataSource(DataSourceManager.java:97)
at weblogic.jdbc.module.JDBCModule.activate(JDBCModule.java:347)
at weblogic.application.internal.flow.ModuleListenerInvoker.activate(ModuleListenerInvoker.java:227)
at weblogic.application.internal.flow.DeploymentCallbackFlow$2.next(DeploymentCallbackFlow.java:531)
at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:41)
at weblogic.application.internal.flow.DeploymentCallbackFlow.activate(DeploymentCallbackFlow.java:165)
at weblogic.application.internal.flow.DeploymentCallbackFlow.activate(DeploymentCallbackFlow.java:157)
at weblogic.application.internal.BaseDeployment$2.next(BaseDeployment.java:1267)
at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:41)
at weblogic.application.internal.BaseDeployment.activate(BaseDeployment.java:409)
at weblogic.application.internal.SingleModuleDeployment.activate(SingleModuleDeployment.java:43)
at weblogic.application.internal.DeploymentStateChecker.activate(DeploymentStateChecker.java:161)
at weblogic.deploy.internal.targetserver.AppContainerInvoker.activate(AppContainerInvoker.java:79)
at weblogic.deploy.internal.targetserver.BasicDeployment.activate(BasicDeployment.java:184)
at weblogic.deploy.internal.targetserver.BasicDeployment.activateFromServerLifecycle(BasicDeployment.java:361)
at weblogic.management.deploy.internal.DeploymentAdapter$1.doPrepare(DeploymentAdapter.java:42)
at weblogic.management.deploy.internal.DeploymentAdapter.prepare(DeploymentAdapter.java:191)
at weblogic.management.deploy.internal.AppTransition$1.transitionApp(AppTransition.java:21)
at weblogic.management.deploy.internal.ConfiguredDeployments.transitionApps(ConfiguredDeployments.java:240)
at weblogic.management.deploy.internal.ConfiguredDeployments.prepare(ConfiguredDeployments.java:165)
at weblogic.management.deploy.internal.ConfiguredDeployments.deploy(ConfiguredDeployments.java:122)
at weblogic.management.deploy.internal.DeploymentServerService.resume(DeploymentServerService.java:180)
at weblogic.management.deploy.internal.DeploymentServerService.start(DeploymentServerService.java:96)
at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
Edited by: 944382 on Jul 4, 2012 2:34 AMError while creating and saving the DS...
####<Jul 3, 2012 7:18:13 PM IST> <Info> <JDBC> <PC165237> <AdminServer> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1341323293059> <BEA-001517> <Connection Pool "XreferenceDB" using Driver: "Oracle JDBC driver", Version: "11.1.0.7.0-Production".>
####<Jul 3, 2012 7:18:14 PM IST> <Info> <Common> <PC165237> <AdminServer> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1341323294856> <BEA-000628> <Created "1" resources for pool "XreferenceDB", out of which "1" are available and "0" are unavailable.>
####<Jul 3, 2012 7:18:14 PM IST> <Info> <JDBC> <PC165237> <AdminServer> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1341323294856> <BEA-001124> <Created Connection Pool named XreferenceDB.>
####<Jul 3, 2012 7:18:14 PM IST> <Info> <JDBC> <PC165237> <AdminServer> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1341323294903> <BEA-001174> <Creating Data Source named XreferenceDB, JNDI Name = Xreference.>
####<Jul 3, 2012 7:18:14 PM IST> <Error> <Deployer> <PC165237> <AdminServer> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1341323294981> <BEA-149231> <Unable to set the activation state to true for the application 'XreferenceDB'.
java.lang.NoClassDefFoundError: t : T (wrong name t)
at java.lang.ClassLoader.defineClass1(Native Method)
at java.lang.ClassLoader.defineClass(ClassLoader.java:616)
at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:124)
at java.net.URLClassLoader.defineClass(URLClassLoader.java:260)
at java.net.URLClassLoader.access$000(URLClassLoader.java:56)
at java.net.URLClassLoader$1.run(URLClassLoader.java:195)
at java.net.URLClassLoader.findClass(URLClassLoader.java:188)
at java.lang.ClassLoader.loadClass(ClassLoader.java:303)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:308)
at java.lang.ClassLoader.loadClass(ClassLoader.java:296)
at java.lang.ClassLoader.loadClass(ClassLoader.java:296)
at java.lang.ClassLoader.loadClass(ClassLoader.java:248)
at weblogic.utils.classloaders.GenericClassLoader.loadClass(GenericClassLoader.java:177)
at weblogic.utils.classloaders.FilteringClassLoader.findClass(FilteringClassLoader.java:101)
at weblogic.utils.classloaders.FilteringClassLoader.loadClass(FilteringClassLoader.java:86)
at java.lang.ClassLoader.loadClass(ClassLoader.java:296)
at java.lang.ClassLoader.loadClass(ClassLoader.java:248)
at weblogic.utils.classloaders.GenericClassLoader.loadClass(GenericClassLoader.java:177)
at weblogic.rmi.internal.GenericMethodDescriptor.getActualClassName(GenericMethodDescriptor.java:216)
at weblogic.rmi.internal.GenericMethodDescriptor.access$100(GenericMethodDescriptor.java:19)
at weblogic.rmi.internal.GenericMethodDescriptor$TypeParameter.<init>(GenericMethodDescriptor.java:250)
at weblogic.rmi.internal.GenericMethodDescriptor.parseParams(GenericMethodDescriptor.java:111)
at weblogic.rmi.internal.GenericMethodDescriptor.parseGenericParameter(GenericMethodDescriptor.java:151)
at weblogic.rmi.internal.GenericMethodDescriptor.parseParams(GenericMethodDescriptor.java:109)
at weblogic.rmi.internal.GenericMethodDescriptor.computeGenericMethodSignature(GenericMethodDescriptor.java:75)
at weblogic.rmi.internal.GenericMethodDescriptor.computeGenericMethodSignature(GenericMethodDescriptor.java:46)
at weblogic.rmi.internal.BasicRuntimeDescriptor.initRemoteMethods(BasicRuntimeDescriptor.java:715)
at weblogic.rmi.internal.BasicRuntimeDescriptor.initializeRuntimeDescriptor(BasicRuntimeDescriptor.java:244)
at weblogic.rmi.internal.BasicRuntimeDescriptor.<init>(BasicRuntimeDescriptor.java:155)
at weblogic.rmi.internal.BasicRuntimeDescriptor.<init>(BasicRuntimeDescriptor.java:139)
at weblogic.rmi.internal.DescriptorManager.createRuntimeDescriptor(DescriptorManager.java:106)
at weblogic.rmi.internal.DescriptorManager.getBasicRuntimeDescriptor(DescriptorManager.java:85)
at weblogic.rmi.internal.DescriptorManager.getDescriptor(DescriptorManager.java:51)
at weblogic.rmi.internal.DescriptorManager.getDescriptor(DescriptorManager.java:37)
at weblogic.rmi.internal.OIDManager.makeServerReference(OIDManager.java:194)
at weblogic.rmi.internal.OIDManager.getReplacement(OIDManager.java:175)
at weblogic.rmi.utils.io.RemoteObjectReplacer.replaceRemote(RemoteObjectReplacer.java:120)
at weblogic.rmi.utils.io.RemoteObjectReplacer.replaceObject(RemoteObjectReplacer.java:103)
at weblogic.rmi.extensions.server.ServerHelper.replaceAndResolveRemoteObject(ServerHelper.java:403)
at weblogic.jndi.internal.WLEventContextImpl.copyObject(WLEventContextImpl.java:381)
at weblogic.jndi.internal.WLEventContextImpl.bind(WLEventContextImpl.java:276)
at javax.naming.InitialContext.bind(InitialContext.java:400)
at weblogic.jdbc.common.internal.JDBCUtil.bindDeeply(JDBCUtil.java:147)
at weblogic.jdbc.common.internal.JDBCUtil.bindAll(JDBCUtil.java:85)
at weblogic.jdbc.common.internal.RmiDataSource.start(RmiDataSource.java:394)
at weblogic.jdbc.common.internal.DataSourceManager.createAndStartDataSource(DataSourceManager.java:136)
at weblogic.jdbc.common.internal.DataSourceManager.createAndStartDataSource(DataSourceManager.java:97)
at weblogic.jdbc.module.JDBCModule.activate(JDBCModule.java:347)
at weblogic.application.internal.flow.ModuleListenerInvoker.activate(ModuleListenerInvoker.java:227)
at weblogic.application.internal.flow.DeploymentCallbackFlow$2.next(DeploymentCallbackFlow.java:531)
at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:41)
at weblogic.application.internal.flow.DeploymentCallbackFlow.activate(DeploymentCallbackFlow.java:165)
at weblogic.application.internal.flow.DeploymentCallbackFlow.activate(DeploymentCallbackFlow.java:157)
at weblogic.application.internal.BaseDeployment$2.next(BaseDeployment.java:1267)
at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:41)
at weblogic.application.internal.BaseDeployment.activate(BaseDeployment.java:409)
at weblogic.application.internal.SingleModuleDeployment.activate(SingleModuleDeployment.java:43)
at weblogic.application.internal.DeploymentStateChecker.activate(DeploymentStateChecker.java:161)
at weblogic.deploy.internal.targetserver.AppContainerInvoker.activate(AppContainerInvoker.java:79)
at weblogic.deploy.internal.targetserver.BasicDeployment.activate(BasicDeployment.java:184)
at weblogic.deploy.internal.targetserver.BasicDeployment.activateFromServerLifecycle(BasicDeployment.java:361)
at weblogic.management.deploy.internal.DeploymentAdapter$1.doPrepare(DeploymentAdapter.java:42)
at weblogic.management.deploy.internal.DeploymentAdapter.prepare(DeploymentAdapter.java:191)
at weblogic.management.deploy.internal.AppTransition$1.transitionApp(AppTransition.java:21)
at weblogic.management.deploy.internal.ConfiguredDeployments.transitionApps(ConfiguredDeployments.java:240)
at weblogic.management.deploy.internal.ConfiguredDeployments.prepare(ConfiguredDeployments.java:165)
at weblogic.management.deploy.internal.ConfiguredDeployments.deploy(ConfiguredDeployments.java:122)
at weblogic.management.deploy.internal.DeploymentServerService.resume(DeploymentServerService.java:180)
at weblogic.management.deploy.internal.DeploymentServerService.start(DeploymentServerService.java:96)
at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
Edited by: 944382 on Jul 5, 2012 4:28 AM -
ODI Agent error: java.sql.SQLException: Invalid column name
When running a scenairo on a standalone ODI agent, it hangs on "Wait" state. The ODI agent's log is logging the following errors over and over again.
We are in Fusion Application Development and are using Middleware D8B4A RC5.
[2011-01-07T14:35:16.381-08:00] [odi] [WARNING] [] [oracle.odi.agent] [tid: 4215] [ecid: 0000IpYbCrKE8TQRyaJ7D01D8^zE00009o,0] /oraclediagent/invoke.do[[
oracle.odi.core.security.SecurityManager.doODIInternalAuthentication(SecurityManager.java:356)
oracle.odi.core.security.SecurityManager.createAuthentication(SecurityManager.java:331)
oracle.odi.runtime.agent.servlet.AgentServlet.doPost(AgentServlet.java:418)
javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:503)
org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:389)
org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:181)
org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:765)
org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:417)
org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
org.mortbay.jetty.Server.handle(Server.java:326)
org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:534)
org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:879)
org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:749)
org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:219)
org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:404)
org.mortbay.jetty.bio.SocketConnector$Connection.run(SocketConnector.java:228)
org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:520)
[2011-01-07T14:35:18.341-08:00] [] [ERROR] [ODI-1131] [] [tid: 4214] [ecid: 0000IpYaiZCE8TQRyaJ7D01D8^zE00009n,0] [arg: OracleDiAgent] [arg: java.sql.SQLException: Invalid column name] Agent OracleDiAgent encountered an error: java.sql.SQLException: Invalid column nameAre you sure the datasources point to the right master/work configuration, and that your repository is correctly up-to-date? This looks like the agent trying to connect a repository, but the repository is not updated correctly, or misses some columns. The whole stack (and the name of the missing column) would help of course.
-
I am getting following error in each module of SAP B1 9.0 and hence unable to use SAP b'coz I can't add or change any document b'coz of this error.
Error : [Microsoft][SQL Server Native Client 10.0][SQL Server]Invalid object name 'UNKNOW ERROR'. (CINF)
please help me to resolve this issue.I am getting following error in each module of SAP B1 9.0 and hence unable to use SAP b'coz I can't add or change any document b'coz of this error.
Error : [Microsoft][SQL Server Native Client 10.0][SQL Server]Invalid object name 'UNKNOW ERROR'. (CINF)
please help me to resolve this issue. -
SQL Injection and variable substitutions
Hello helpful forum, I'm trying to understand what really goes on "behind" the scenes
with the variable substitutions in order to protect from sql injections.
I'm using apex 3.0.0.00.20
The trickiest component seems to be a Report of type "pl/sql returning sql", since
multiple dynamic sql interpretations are done there.
consider the following innocent looking disaster:
DECLARE
l_out VARCHAR2(2000);
BEGIN
l_out := 'select * from test_injection t where t.name like ''%' || :NAME || '%''';
RETURN l_out;
END;
if NAME is a single quote the report will return:
failed to parse SQL query: ORA-00911: invalid character
which hints to the fact that NAME is not escaped, and you are in fact able to access db functions
as in: '||lower('S')||'
I also tried to put there a function that runs in a autonomous transaction to log its calls, and
I see that it's called five times for each request.
consider now the similar solution (notice the two single quotes):
DECLARE
l_out VARCHAR2(2000);
BEGIN
l_out := 'select * from test_injection t where t.name like ''%'' || :NAME || ''%''';
RETURN l_out;
END;
with this second example nothing of the above is possible.
So my theory (please confirm it or refute it) is that there is a first variable substitution done
at the pl/sql level (and in the second case :NAME is just a string so nothing is substituted).
Then the dynamic sql is executed and it returns the following string:
select * from test_injection t where t.name like '%' || :NAME || '%'
now another substitution is done (at an "APEX" level) and then query is finally executed to return
the rows to the report.
The tricky point seems to be that the first substitution doesn't escape the variable (hence the error
with the single quote), while the second substitution does.
Please let me know if this makes sense and what are the proper guidelines to avoid sql injection with
the different kinds of reports and components (SQL, pl/sql returning sql, processes, ...)
ThanksGiovanni,
You should build report regions like this using the second method so that all bind variables (colon followed by name) appear in the resultant varchar2 variable, l_out in your example, which will then be parsed as the report query. This addresses not only the SQL injection problem but the shared-pool friendliness problem.
Scott -
Invalid subreport name Error code:-2147483086
The setup used in this particular environment is to run reports via Crystal reports server 2008. We call the servers via the rassdk_java_dg_12_en and the setup works just fine BUT in one particular case.
The report that fails have a main report with a datasource to SQL. The report does have about 20 - 25 subreports mostly based on the same datasource. There are however 6 subreports that uses ttx files as datasources.
The report works fine when there is no data for the ttx subreports, but whenever a "change datasource" is tried to the ttx subreports the error "Invalid subreport name Error code:-2147483086" pops up.
We have done noumerous tests on the pojo approach in other reports so the technic and code works just fine - it most be some special case in the report.
Before we start to try to rebuild the report we will give you a chance to help us out. The report sucker is big and complex so a rebuild is not wanted...
Here is the particular code involved
private static void passPOJO(ReportClientDocument clientDoc,
ReportPojoHolder pojoHolder, String reportName)
throws ReportSDKException,ClassNotFoundException {
//Its a pojo data source, but it's nothing in it
if (pojoHolder.getPojos().size() == 0) {
return;
String reportTable = pojoHolder.getTableName();
Object pojo = pojoHolder.getPojos().iterator().next();
POJOResultSetFactory factory = new POJOResultSetFactory(pojo.getClass());
POJOResultSet resultSet = (POJOResultSet)factory.createResultSet(pojoHolder.getPojos());
if(reportName == null || reportName.equals("")) {
clientDoc.getDatabaseController().setDataSource(resultSet, reportTable, reportTable);
else {
System.err.println("Setting data in " + reportName );
//Here comes the error
clientDoc.getSubreportController().getSubreport(reportName).
getDatabaseController().setDataSource(resultSet, reportTable, reportTable);
Here is the stacktrace:
table: srptMainCustomerList;1, subrapport: AddressField
table: srptusrinf;1, subrapport: AdvisorName
table: srptusrinf;1, pojo: Beta
table: srptusrinf;1, pojo: JensensAlpha
table: srptusrinf;1, pojo: PerformanceChart
Setting data in PerformanceChart
2009-02-06 09:05:31,720 ERROR (CrystalReportServlet:doGet()) - [Username=Patrik Andrén, UserID=n249060, CustId=005563741684, Cstid=37385] - (Creation of report: customer_report.rpt failed on: [ReportAppServer: CCA1CS0569. Datasource: cca1cd0046qa1|omega] com.crystaldecisions.sdk.occa.report.lib.ReportSDKServerException:
Fel i filen customer_report {CDCDCEC2-050C-4405-865C-6031D4BFF2DE}.rpt:
Ogiltigt underrapportnamn.---- Error code:-2147483086 Error code name:failed, ) - [applicationId=omega, omegaUserId=omega.userid, credentials=IT, groupName=IT, sessionId=yLkhJLtYpLlDQ5Jf5S2GkzhPfSZJBg2zZkT4LfQ0L1bJg2v20pz2!-2033571304!1233906968432, requestId=06968853:167:000], exception-stack=
com.nordea.omega.report.exceptions.ReportGenerationFailedException: Creation of report: customer_report.rpt failed on: [ReportAppServer: CCA1CS0569. Datasource: cca1cd0046qa1|omega] com.crystaldecisions.sdk.occa.report.lib.ReportSDKServerException:
Fel i filen customer_report {CDCDCEC2-050C-4405-865C-6031D4BFF2DE}.rpt:
Ogiltigt underrapportnamn.---- Error code:-2147483086 Error code name:failed,
at com.crystaldecisions.sdk.occa.report.lib.ReportSDKServerException.throwReportSDKServerException(Unknown Source)
at com.crystaldecisions.proxy.remoteagent.s.a(Unknown Source)
at com.crystaldecisions.sdk.occa.report.application.ReportClientDocument.if(Unknown Source)
at com.crystaldecisions.sdk.occa.report.application.ReportClientDocument.a(Unknown Source)
at com.crystaldecisions.sdk.occa.report.application.bl.do(Unknown Source)
at com.crystaldecisions.sdk.occa.report.application.ReportClientDocument.do(Unknown Source)
at com.crystaldecisions.sdk.occa.report.application.ReportClientDocument.verifyDatabase(Unknown Source)
at com.crystaldecisions.sdk.occa.report.application.bl.byte(Unknown Source)
at com.crystaldecisions.sdk.occa.report.application.ao.onDataSourceChanged(Unknown Source)
at com.crystaldecisions.sdk.occa.report.application.DatabaseController.a(Unknown Source)
at com.crystaldecisions.sdk.occa.report.application.DatabaseController.a(Unknown Source)
at com.crystaldecisions.sdk.occa.report.application.DatabaseController.setDataSource(Unknown Source)
at com.nordea.crystalreports.ReportHelper.passPOJO(ReportHelper.java:814)
at com.nordea.crystalreports.ReportHelper.changeDataSource(ReportHelper.java:124)
at com.nordea.crystalreports.ReportGenerator.generate(ReportGenerator.java:115)
at com.nordea.crystalreports.ReportGenerator.generate(ReportGenerator.java:62)
at com.nordea.omega.report.servlet.CrystalReportServlet.doGet(CrystalReportServlet.java:116)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
at weblogic.servlet.internal.StubSecurityHelper$ServletServiI have been able to wrestle this down after a lot of frustrating work. The error had nothing to do with pojos at all. The error was simple a store procedure that did not reply nothing.
In the preparation of the subreport that did consist of the pojo data source. The report(server?) did send a "pre call" to the store procedure with NULL as parameters. The reply was unfortunately an "empty" reply. When we changed the reply to an empty result set it went pass the data sources.
The error message given on this was "Invalid subreport name"! Not very helpful at all.
I have used this new version for about 3 weeks now in a "proof of concept" work controlling if we would be able to upgrade from crystal 9/Harmoni to Crystal 2008/Crystal Report Server 2008. The answer will be yes. It will work. And with a minimum of report changes which is very nice.
What have struck me the most during this work is a few proposals to improvements.
1. Put the versions on jars and sdk's so it's obvious what's used. I spent a few days with an old version of a sdk believing that it was a newer than I already had. It should not be neccessary to go through a manifest file inside a jar in order to find out what the version is. Put it on the file names!
2. Give proper error messages back when something goes wrong. If a parameter value is missing. Send back the parameter that's missed/misses a value for Gods sake. The programmer catching the error most know what's missed hence the message. Would save the user's of the API very much time.
I spent about 5 - 10 days trying to find out what was wrong with my sub report name (This thread). It had nothing to do with the subreport name. It had to do with missing data from a called store procedure!
3. The documentation can be a bit tricky to find. I saw that you have given away a eclipse plugin in order to gather the documentation inside the IDE. That's a good approach.
If the error messages will be enhanced and more accurate it's a pretty handy api to work with. And the handling of unmanaged reports is a wet dream compared to usage of the Harmoni API. That's a real nightmare. The server seems to be very stable and just runs.
I like this forum, fast replies when one is stuck is extremely helpful!
/Patrik -
SQL Injection & CF code Attacks
One thing I've noticed with sites using CF is that many, many
programmers do not take into account SQL Injection and CF Form/URL
variable attacks. I've seen SO many CF pages that blow up when the
input varies in the slightest, displaying CF error messages,
datasources, variable names, etc.
Seems not enough programmers use CFTRY/CFCATCH or even know
about it. I've seen where SQL table names and datasources were
being passed in a URL!! It's frightening
Interested in everyone's BEST PRACTICES to avoid these type
of attacks.
I'll start it off with a few I use:
Use CFTRY / CFCATCH.
ALWAYS set the maxlength value on form input text boxes and
make sure the value matches the corresponding column length in your
DB. If you do not, someone can enter a huge amount of data in the
field, causing your CF routine or DB to choke.
Scope all variables, URL, Form, etc.
Use numbers/integers whenever possible for URL variable
values.
Avoid using varchar as the data type in your stored
procedures for passed URL or Form variables. Use INT instead.
Validate user input using CF before passing to your SQL, etc.
queries. Test for allowed/disallowed characters, blanks, length of
input value, etc.
Use stored procedures whenever possible.
Don't make URL or Form variable names too descriptive. ex.
?m=100 is better than ?memberID=100In addition to the things listed above, you should never
expect the values sent from any form submission to be 100% as they
are coded. There are tons of programs out there that can be used to
intercept and alter the submitted data before it hits your server.
It is a slow process, but we are locking down any and all form
variables not just type="text" and textarea's.
If a user has the ability to alter submitted data, they can
change the values for all types of form fields (hidden, radio,
checkbox, select, button, etc...). A lot of our old code did not
take that into consideration and simply allowed the value entered
from a "predefind" (hard coded value) form type (radio, checkbox,
etc...) directly into the database without a check.
Another step is to turn off "Enable Robust Exception
Information" in the CF Administrator. This step will help in not
giving an attacker the complete SQL statement being used in your
code. Note: This is a recomended practice for all production CF
servers as it is, but it never hurts to say it. CFTRY/CFCATCH
blocks work as well to hid that info, but neither way will
prevent an attack.
You also can not rely on client side JavaScript for
validation.
CR -
Why are there no vendor provided signatures that detect SQL injection reconnaissance? I recently did an internal pen test and it reminded me again of this deficiency. I've been meaning to write my own for the longest time, but frankly...why should I need to? It is simply amazing to me that I can throw standard SQL injection tests at a web app and our network IDS is "blind" to them.
http://ha.ckers.org/sqlinjection/I agree in the sense that the SQL Signature set of ASA IPS is a bit poor. If it can help someone, I've wrote my oun signature in order to catch an attacker. It's working fine, and I think that is easy to modify.
signatures 60000 0
alert-severity medium
sig-fidelity-rating 75
sig-description
sig-name CHZ SQL Injection
sig-string-info CHZ SQL Injection
sig-comment SQL Injection written by CHZ
exit
engine string-tcp
event-action produce-alert|deny-packet-inline|reset-tcp-connection
regex-string ([Dd][Ee][Cc][Ll][Aa][Rr][Ee])\%20\@.\%20([Vv][Aa][Rr][Cc][Hh][Aa][Rr])(.*);([Ss][Ee][Tt])\%20\@.=([Cc][Aa][Ss][Tt])
service-ports #WEBPORTS
exit
alert-frequency
summary-mode summarize
exit
exit
status
enabled true
exit
specify-mars-category yes
mars-category DoS/WebServer
exit
exit
Best Regards
Chz
Maybe you are looking for
-
Failure in Precompilation of JSPs due to include file in WL6.1 SP2
Hi We are getting the following error when we try to do precompilation of JSPs using precompile param to true in weblogic.xml We are deploying our application as war files. eagerly waiting for your help
-
iTunes will not install on my computer (Windows 8) and i tried everything in "Issues installing iTunes or QuickTime for Windows" but nothing worked. any help?
-
A question of opening pdf file in browser
hi,i open a pdf in browser(such as Internet Explorer 7),the link like this:http://www.123.com/ex.pdf?zoom=45,i want to open this pdf in browser with 45%,but i found it was'nt effected, it open with 133%. how can i set make it open with 45%?thanks!
-
I got a pdf that would not convert to word so it took me hours to answer all the questions with sticky notes but when I went to option to email...I emailed but it is not being received...help
-
No adapters in adapter monitoring
no adapter in component monitoring only JPR is visible can some one help me the soulution we are using nw2004s PI7.0 SP10 thanks sri Message was edited by: sri rao Message was edited by: sri rao