SQL Injection with CF7 and MS SQL 2005

I looked through a bunch of SQL injection posts and couldn't
find a definitive answer to this...
Let me introduce this by saying that I know I should be using
CFQUERYPARAM with EVERY CF variable in a CFQUERY tag. No excuses.
But for a necessary quick fix, if I only use it for numeric
DB fields, is SQL injection still possible (using MS SQL 2005)?
I've yet to successfully perform SQL injection while manipulating a
variable surrounded by single quotes in the query.
Scenario 1) select * from users where user_id=#form.user_id#
...is a gimme to hack, but
Scenario 2) select * from users where
password='#form.password#' ...is another story
Has anyone ever heard of a successful SQL injection attack in
a Scenario 2 situation.
I'll fix everything up eventually, but I've got a Pen Test
coming up soon, and a lot of raw code to review.
Thanks

quote:
Originally posted by:
Dan Bracuk
What others can do is more relevent than what we think. When
in doubt, test.
very true, although my final solution went more like, "When
in doubt, manually add about 600 cfqueryparams in 406 cfquery
tags".

Similar Messages

Problem with provisioning and external SQL server connection

I am configuring IPAM 2012 R2 on a our management server. Completed the first step by enabling the feature. No issues.
Now I am on the Provisioning IPAM step. I get to the Configure Database step...
I choose Microsoft SQL server,
What should those values be in the Server name and Database name fields. Instructions show fqdn or ip address but that doesnt seem to be working for me.
I get the following error at the end of the Provisioning IPAM wizard,
IPAM Deployment failed with the following error.
Failed to connect to database server. Check the database name, connectivity and remote access.
A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections.
(provider: TCP Provider, error: 0 - No connection could be made because the target machine actively refused it.)
You can restart this provisioning wizard from the IPAM overview page.
From the management server I have tested the SQL Connection with a udl file. I used myServer\myInstance and it works. It reports that I have made the Connection to the server and database with the sql credentials i have provided.
Thanks

Ran
into a problem with connecting to the DB on the SQL server from the IPAM server. The Dba and I checked the target SQL instance was enabled TCP and listening on a valid TCP port. SQL server was set to use port 1443 for incoming connections.
IPAM was set by default to use 1433.
Also used
netstat-n to identify issue and verified 1443 on SQL server was
being used. Made the correction under the IPAM provisioning wizard and connected to the database. Fixed.
Important note I was able to connect to the database with a .udlfile
without any issues
Also note that 2012 R2 IPAM only supports 2012 SQL Enterprise. Why?

SQL query with JSP and WML-parameters

Hey,
Could you help me?
I'm trying to do the following. WML deck card 1 send parameter to same WML deck's card help. I try to read the parameter with JSP in card help by putting the parameter to SQL query, but it doesn't work. I can read the parameter with WML in card help. I can also print the value of the parameter with JSP if I generate WML with JSP.
/*parameter sending from card 1 to card help*/
out.println("<go href='#helpcard'>");
out.println("<setvar name='valittukurssi' value='$(valittukurssi)'/>");
/*parameter read with WML in card help */
Valitse kurssi.
$valittukurssi
/'parameter read with JSP by generating WML with JSP*/
out.println("$valittukurssi");
/* SQL query with JSP */
ResultSet uudettulokset = uusilause.executeQuery("select * from kurssi where lyhenne='$valittukurssi'");
Thanks,
Rampe

You're problem is easy to fix. You're confusing WML variables with JSP variables. See below:
>
/*parameter sending from card 1 to card help*/
out.println("<go href='#helpcard'>");
out.println("<setvar name='valittukurssi'
value='$(valittukurssi)'/>");
Above you set a var that will work on the phone, not in JSP.
/*parameter read with WML in card help */
Valitse kurssi.
$valittukurssi
Yes the above does display the parameter, because it is a client side WML var, but you cannot use this variable in the JSP code (that's why your SWL fails).
/'parameter read with JSP by generating WML with
JSP*/
out.println("$valittukurssi");Here's you're problem, the above line is EXACTLY the same as the one before it. When the container parses through this JSP code it translates the above line to:
$valittukurssi on the WML page and the CLIENT uses it's local variable to display it.
What you need and want is to have a variable that can be used in JSP code and output to your WML page. Here's how it's done:
out.println("<go href='#helpcard'>");
String some_name = "valittukurssi";
out.println("<setvar name='"+some_name+"'
value='$("+some_name+")'/>");
//note that you may have to escape the ( and ) with a \
//so we displayed the variable above into the WML page, now we can use it in the SQL query:
/* SQL query with JSP */
ResultSet uudettulokset =
uusilause.executeQuery("select * from kurssi where
lyhenne='"+some_name+"'");//the end of the command is: " ' " ) ;
Frank Krul
Got Node?

SQL Injection with Oracle Text

I did a search here for any posts about SQL Injection on Oracle Text indexes, but returned no hits.
Can anyone give their opinion about whether SQL Injection is a concern when using Oracle Text or what steps can be taken ahead of time to prevent (or at least reduce the attack surface) on Oracle Text queries.
We're running a web app. that will use Oracle Text and our users can enter any search string as well as select pre-defined items from a drop down box.
Thanks in advance for any opinions
LJ

quote:
Originally posted by:
Dan Bracuk
What others can do is more relevent than what we think. When
in doubt, test.
very true, although my final solution went more like, "When
in doubt, manually add about 600 cfqueryparams in 406 cfquery
tags".

Sql query with conditions and calculations???

Hi,
how I can build a query with conditions and calculations?
E.g. I've got this table
Start          | End     |     Working Place     |     Mandatory
01-JAN-13 | 11-JAN-13 |     Office           |          1
14-JAN-13 | 25-JAN-13 |     Home Office      |     0
04-MRZ-13| 15-MRZ-13 |     Office           |          0
11-FEB-13 | 22-FEB-13 |     Office           |          1
Now if column working place=Office and column mandatory=0
the new column "price" has to calculate: (End-Start)* $25.00
and if working place=Office and column mandatory=1
the "price" column has to calculate: (End-Start)* $20.60
else $0.00
I tried it with the case statement but I didn't know how
to calculate my values and display it to the virtual column "price".
Something like
case
when Working_Place = 'Office' and Mandatory=1
     then ...
else '0.00'
end as PRICE
Or is it not possible?
Edited by: DB2000 on 12.03.2013 05:09

Use CASE:
select start_dt,
        end_dt,
        working_place,
        mandatory,
        case
          when working_place = 'Office' and mandatory = 0 then (end_dt - start_dt) * 25
          when working_place = 'Office' and mandatory = 1 then (end_dt - start_dt) * 20.60
          else 0
        end price
from tbl
START_DT END_DT    WORKING_PLA MANDATORY      PRICE
01-JAN-13 11-JAN-13 Office               1        206
14-JAN-13 25-JAN-13 Home Office          0          0
04-MAR-13 15-MAR-13 Office               0        275
11-FEB-13 22-FEB-13 Office               1      226.6
SQL> SY.

SQL statement with LIMIT and total count?

Hello,
I would like to know if it is possible to execute a single SQL statement that will return me a subset of data (for pagination purposes) that not only includes the subset of data for the page but the count of all available data. Can this be done so as to not take up the cpu and time it takes to essentially run two queries? One to get the subset and one to get the count? I think simply doing a subselect is not going to give me what I want in that we actually query twice.
There may be no way to do this other than that, but I wanted to check with the gurus here first. :)
Thanks,
Mark

select *
from (
select i.*,
row_number() over(order by i) rn, -- used for
pagination
count(*) over(partition by 1) cnt -- total count
of rows found for this search
from mytable
where < PUT ALL LIMITING (i.e., "search") CONDITIONS
HERE >
where rn between 41 and 50 -- pagination clauseNice one
BUT of course it adds additional row in execution plan and takes additional time and CPU :)
I assume that it directly depends of course on returned result set and some other factors like available sort space but a simple test case on a table big which actually is 1.6 M rows like dba_source got following results:
here is the first one returning also count(*)
SQL> select *
2 from (
3 select i.*,
4 row_number() over(order by owner, name, type) rn
5 , -- used for pagination
6 count(*) over(partition by 1) cnt -- total count of rows found for this search
7 from big i
8 where owner like 'S%' and name like '%A%'
9 )
10 where rn between 41 and 45
11 /
OWNER NAME TYPE
 LINE
TEXT
 RN CNT
SYS ANYDATA TYPE
 13
STATIC FUNCTION ConvertVarchar(c IN VARCHAR) return AnyData,
 41 999744
SYS ANYDATA TYPE
 11
STATIC FUNCTION ConvertDate(dat IN DATE) return AnyData,
 42 999744
SYS ANYDATA TYPE
 9
 43 999744
SYS ANYDATA TYPE
 7
 They serve as explicit CAST functions from any type in the Oracle ORDBMS
 44 999744
SYS ANYDATA TYPE
 6
 enable construction of the AnyData in its entirity with a single call.
 45 999744
Elapsed: 00:00:41.02
SQL> ed
Wrote file afiedt.buf
1 select n.name, m.value from v$statname n, v$mystat m
2 where n.statistic# = m.statistic#
3* and (upper(name) like '%SORT%' or upper(name) like '%TEMP%')
SQL> /
NAME VALUE
physical reads direct temporary tablespace 35446
physical writes direct temporary tablespace 17723
RowCR attempts 0
SMON posted for dropping temp segment 0
sorts (memory) 36
sorts (disk) 1
sorts (rows) 1999596
OTC commit optimization attempts 0
8 rows selected.here is the second one returning only rows:
SQL> ed
Wrote file afiedt.buf
1 select *
2 from (
3 select i.*,
4 row_number() over(order by owner, name, type) rn
5 --, -- used for pagination
6 -- count(*) over(partition by 1) cnt -- total count of rows found for this search
7 from big i
8 where owner like 'S%' and name like '%A%'
9 )
10* where rn between 41 and 45
SQL> /
OWNER NAME TYPE
 LINE
TEXT
 RN
SYS ANYDATA TYPE
 13
STATIC FUNCTION ConvertVarchar(c IN VARCHAR) return AnyData,
 41
SYS ANYDATA TYPE
 11
STATIC FUNCTION ConvertDate(dat IN DATE) return AnyData,
 42
SYS ANYDATA TYPE
 9
 43
SYS ANYDATA TYPE
 7
 They serve as explicit CAST functions from any type in the Oracle ORDBMS
 44
SYS ANYDATA TYPE
 6
 enable construction of the AnyData in its entirity with a single call.
 45
Elapsed: 00:00:12.09
SQL> select n.name, m.value from v$statname n, v$mystat m
2 where n.statistic# = m.statistic#
3 and (upper(name) like '%SORT%' or upper(name) like '%TEMP%')
4 /
NAME VALUE
physical reads direct temporary tablespace 0
physical writes direct temporary tablespace 0
RowCR attempts 0
SMON posted for dropping temp segment 0
sorts (memory) 10
sorts (disk) 0
sorts (rows) 999812
OTC commit optimization attempts 0
8 rows selected.So execution time 41 sec vs 12 sec
sorts (rows) 1 999 596 vs 999 812
physical reads/writes direct temporary tablespace 35446/17723 vs 0/0
I assume that for a small overall returned row count it probably is OK, but for less restrictive search it can be quite deadly as before with two queries.
Gints Plivna
http://www.gplivna.eu

CF 11: Configuration a datasources to MS SQL Backend with encryption enforced by SQL Server

Hello List;
I have the following problem: Configuration a datasources to MS SQL Backend with option encryption enforced (by SQL Server).
I goggled in the internet for the configuration of the datasource and find multiple articles/advices:
Configuration a datasource type other with jtds.jdbc.Driver and manual configuration of the connection string:
1. Downloading the driver and copy to the cfusion/lib directory: Done, the driver was recognized by coldfusion after a restart of the service.
2. Copying the ntlmauth.dll to the bin directory of jre/bin: Done
3. Configuration of the jdbc URL: jdbc:jtds:sqlserver://xxxx.xxx.xxx.net:1433/db: Works, I don’t get a connection timeout
4. User and PW: Works: I don’T get a login failure.
5. Advanced settings: Connection String: Maybe here is something wrong: EncryptionMethod=SSL; TrustStore=Path\sqlstore.jks; TrustStorePassword=xxx; ValidateServerCertificate=true; HostNameInCertificate=xxx.xxx.xxx.net;
Error Message (Coldfusion logs/stack trace): I/O Error: DB server closed connection. SQLException while attempting to connect: java.sql.SQLException: I/O Error: DB server closed connection..
Has anybody experiences with this topic/can give me advices/send me screenshots.
frank

Hi Stephen;
we tried: add EncryptionMethod=SSL; ValidateServerCertificate=false; to the connection string;
And it doesn't work.. Are you sure, that you have enabled encryption enforced in your SQL-Server Settings.
Oherwise the connection works, but the Connection is not encrypted:
Coldfusion lies!
You can controll this by veryfining the open connections on the sqlserver with the query:
SELECT net_transport, protocol_type, encrypt_option ,auth_scheme, program_name FROM sys.dm_exec_connections AS c JOIN sys.dm_exec_sessions AS s ON c.session_id = s.session_id cross apply sys.dm_exec_sql_text(most_recent_sql_handle) AS d
There you can see the jtds Connectionand the (programname) and the encryt_option (must be true).
frank

Data to sql server using labview and labview sql toolkit

Hello everyone,
I am using mssqlserver 7.0, labview 6.1 and labview sql toolkit.
I am getting error while i try to store (large) data of size more than 4000bytes. Has anyone come accross such problem .
Looking for your solutions or suggestion for the
above said problem.

Check if the threshold is actual 4095 or 4096.
If so it is probably a default size of the field you are trying to write. If so, change table properties.
Ben
Ben Rayner
I am currently active on.. MainStream Preppers
Rayner's Ridge is under construction

How to return xmlType from Webservice generated with JDev and PL/SQL

Hi,
I have generated an PL/SQL package that's returning a value as xmlType.
With JDeveloper I'm deploying this package as a webservice. When invoking the webservice from a webbrowser the result looks like:
<?xml version="1.0" encoding="UTF-8" ?>
<SOAP-ENV:Envelope
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<SOAP-ENV:Body>
<ns1:testXmltypeResponse
xmlns:ns1="http://app/webservice.wsdl"
SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<return xsi:type="xsd:string">
<ROWSET>
<ROW>
<TODAY>12-OCT-07</TODAY>
</ROW>
</ROWSET>
</return>
</ns1:testXmltypeResponse>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
The problem is that the <return> tag contains 'xsi:type="xsd:string"'. And now the webservice response is not valid XML because the return value contains XML and not a string.
The solution would be, when invoking the webservice if the xsi:type would be missing from the result tag or would contains xsd:any. I tried editing the WSDL in JDeveloper and changing the type to xsd:any. After deploying and calling the WSDL from the webbrowser it contains this type. But when invoking the method from the webbrowser it still returns xsd:string as type.
How can I get rid of this type in the <return> or change it.
My JDeveloper version is 10.1.3.3.0 The Oracle database and 9iAS are 10.2.
Thanks in advance,
Thijs

What version are you on?
Works fine for me on my 11g:
SQL> create or replace procedure testxml (clob_out out clob)
2 is
3 l_clob clob;
4 l_ctx dbms_xmlquery.ctxhandle;
5 begin
6 l_ctx := dbms_xmlquery.newcontext ('select * from dual');
7 l_clob := dbms_xmlquery.getxml (l_ctx);
8 clob_out := l_clob;
9 dbms_xmlquery.closecontext (l_ctx);
10 end testxml;
11 /
Procedure created.
SQL>
SQL> variable vout clob;
SQL>
SQL> exec testxml (:vout)
PL/SQL procedure successfully completed.
SQL>
SQL> print vout
VOUT
<?xml version = '1.0'?>
<ROWSET>
 <ROW num="1">
 <DUMMY>X</DUMMY>
 </ROW>
</ROWSET>But definitely you can optimize your proc a bit: Try
create or replace procedure testxml (clob_out in out nocopy clob)
is
 l_ctx dbms_xmlquery.ctxhandle;
begin
 l_ctx := dbms_xmlquery.newcontext ('select * from dual');
 clob_out := dbms_xmlquery.getxml (l_ctx);
 dbms_xmlquery.closecontext (l_ctx);
end testxml;
/

Tuning SQL query with SDO and Contains?

I'trying to optimize a query
with a sdo_filter and an intermedia_contains
on a 3.000.000 records table,
the query look like this
SELECT COUNT(*) FROM professionnel WHERE mdsys.sdo_filter(professionnel.coor_cart,mdsys.sdo_geometry(2003, null, null,mdsys.sdo_elem_info_array(1,1003,4),mdsys.sdo_ordinate_array(809990,2087279,778784,2087279,794387,2102882)),'querytype=window') = 'TRUE' AND professionnel.code_rubr ='12 3 30' AND CONTAINS(professionnel.Ctx,'PLOMBERIE within Nom and ( RUE within Adresse1 )',1)>0
and it takes 15s on a bi 750 pentium III with
1.5Go of memory running under 8.1.6 linux.
What can i do to improve this query time?
null

Hi Vincent,
We have patches for Oracle 8.1.6 Spatial
on NT and Solaris.
These patches include bug fixes and
performance enhancements.
We are in the process of making these patches
avaialble in a permanent place, but until then, I will temporarily put the patches on:
ftp://oracle-ftp.oracle.com/
Log in as anonymous and use your email for
password.
The patches are in /tmp/outgoing in:
NT816-000706.zip - NT patch
libordsdo.tar - Solaris patch
I recommend doing some analysis on
individual pieces of the query.
i.e. time the following:
1)
SELECT COUNT(*)
FROM professionnel
WHERE mdsys.sdo_filter(
professionnel.coor_cart,
mdsys.sdo_geometry(
2003, null, null,
mdsys.sdo_elem_info_array(1,1003,4),
mdsys.sdo_ordinate_array(
809990,2087279,
778784,2087279,
794387,2102882)),
'querytype=window') = 'TRUE';
2)
SELECT COUNT(*)
FROM professionnel
WHERE CONTAINS(professionnel.Ctx,
'PLOMBERIE within Nom and ( RUE within Adresse1)',1) >0;
You might want to try reorganizing the entire
query as follows (no promises).
If you contact me directly, I can try to
help to further tune the SQL.
Hope this helps. Thanks.
Dan
select count(*)
FROM
(SELECT /*+ no_merge */ rowid
FROM professionnel
WHERE mdsys.sdo_filter(
professionnel.coor_cart,
mdsys.sdo_geometry(
2003, null, null,
mdsys.sdo_elem_info_array(1,1003,4),
mdsys.sdo_ordinate_array(809990,2087279,
778784,2087279,
794387,2102882)),
'querytype=window') = 'TRUE'
) a,
(SELECT /*+ no_merge */ rowid
FROM professionnel
WHERE CONTAINS(professionnel.Ctx,
'PLOMBERIE within Nom and
( RUE within Adresse1)',1) >0
) b
where a.rowid = b.rowid
and professionnel.code_rubr ='12 3 30';
**NOTE** Try this with no index on code_rubr
null

ORA-06502: PL/SQL error with dimensions and roles

Hi everyone,
When executing a mapping that loads a cube we are always getting that ORA-06502: PL/SQL error character string buffer too small
The cube contains a number of dimensions, some of them with roles. We've checked that the error appears when we use two different lookup operators to fill dimension atributtes in the cube and its correspondent role. If we map dimension attributes with lookup operator, and the role attributes with constants, the mapping executes without any error. Moreover, even thought it doesnt make any sense, if we map the role dimension attributes with a lookup operator linked to a different dimension, it works too.
We think that this could be due to attributes names, maybe they are too long, but we have tried to make them shorter and still getting the same error.
Any ideas of what could be happening?
Thank you so much in advance.

The return datatype in a PLSQL function is unconstrained. Which means it does not have a size.
The size is declared on the receiving end.
What size variable are you trying to return your value into?
Here is an example...
SQL>create or replace function my_func
2 return varchar2
3 is
4 begin
5    return USER;
6 end;
7 /
Function created.
SQL>declare
2    my_string varchar2(30);
3 begin
4    my_string := my_func;
5 end;
6 /
PL/SQL procedure successfully completed.
SQL>declare
2    my_string varchar2(3);
3 begin
4    my_string := my_func;
5 end;
6 /
declare
ERROR at line 1:
ORA-06502: PL/SQL: numeric or value error: character string buffer too small
ORA-06512: at line 4

SQL Optimization with join and in subselect

Hello,
I am having problems finding a way to optimize a query that has a join from a fact table to several dimension tables (star schema) and a constraint defined as an in (select ....). I am hoping that this constraint will filter the fact table then perform the joins but I am seeing just the opposite with the optimizer joining first and then filtering at the very end. I am using the cost optimizer and saw that it does in subselects last in the predicate order. I tried the push_subq hint with no success.
Does anyone have any other suggestions?
Thanks in advance,
David
example sql:
select ....
from fact, dim1, dim2, .... dim <n>
where
fact.dim1_fk in ( select pf from dim1 where code = '10' )
and fact.dim1_fk = dim1.pk
and fact.dim2_fk = dim2.pk
and fact.dim<n>_fk = dim<n>.pk

The original query probably shouldn't use the IN clause because in this example it is not necessary. There is no limit on the values returned if a sub-select is used, the limit is only an issue with hard coded literals like
.. in (1, 2, 3, 4 ...)Something like this is okay even in 8.1.7
SQL> select count(*) from all_objects
2 where object_id in
3 (select object_id from all_objects);
COUNT(*)
32378The IN clause has its uses and performs better than EXISTS in some conditions. Blanket statements to avoid IN and use EXISTS instead are just nonsense.
Martin

Learning SQL Query with JCheckBox and JButton

Hello,
I am learning how to access a very simple Access table. I am able to connect to the database and return a simple query. As I make it more complicated is where I have confused myself. The program is suppose to allow the user to pick any field they want to query using JCheckBox. After they have checked the fields off, the run query button is hit and outputs the results in a JOPtion Pane with a JTable. I am trying to do a test run and I can't make the query at least output something. If I can get any clues to the right direction would be appreciated. Thanks.
package mypackage25;
import java.sql.*;
import javax.swing.*;
import java.awt.*;
import java.awt.event.*;
public class QueryAddressBook extends JFrame
    private JLabel selectQueryLabel;
    private JCheckBox firstName, lastName,
                   telephone, addressI, addressII, city,
                   state, zip;
    private JPanel selectQueryPanel, checkBoxPanel, executePanel;
    private JButton runQueryButton, clearSQLButton;
    private Connection connection;
    private Statement statement;
    private ResultSet resultSet;
    public QueryAddressBook()
      super("Query an Address Book");
      //Driver and Connection
      try
      //Driver for MicrosoftAccess
      Class.forName("sun.jdbc.odbc.JdbcOdbcDriver");
      //Inform the user that the Driver was loaded successfully
      System.out.println("Driver Loaded");
      //Connect to specific database(i.e. MyAddress3) in Access
      Connection connection=DriverManager.getConnection("jdbc:odbc:MyAddress3");
      //Inform User
      System.out.println("Database connected");
      }//end try
      catch(ClassNotFoundException cnfe)
        cnfe.printStackTrace();
      }//end catch
      catch(SQLException sqle)
        sqle.printStackTrace();
      }//end catch
      //get content pane and set its layout
      Container container=getContentPane();
      container.setLayout(new BorderLayout());
      //GUI Components
      selectQueryLabel=new JLabel("Select Fields to be Queried");
      firstName=new JCheckBox("First Name");
      lastName=new JCheckBox("Last Name");
      telephone=new JCheckBox("Telephone");
      addressI=new JCheckBox("Address I");
      addressII=new JCheckBox("Address II");
      city=new JCheckBox("City");
      state=new JCheckBox("State");
      zip=new JCheckBox("Zipcode");
      //register listeners for JCheckBoxes
      CheckBoxHandler handler=new CheckBoxHandler();
      firstName.addItemListener(handler);
      lastName.addItemListener(handler);
      telephone.addItemListener(handler);
      addressI.addItemListener(handler);
      addressII.addItemListener(handler);
      city.addItemListener(handler);
      state.addItemListener(handler);
      zip.addItemListener(handler);
      //set up selectQueryPanel
      selectQueryPanel=new JPanel();
      selectQueryPanel.setLayout(new FlowLayout());
      selectQueryPanel.add(selectQueryLabel);
      //set up CheckBox Panel
      checkBoxPanel=new JPanel();
      checkBoxPanel.setLayout(new FlowLayout());
      checkBoxPanel.add(firstName);
      checkBoxPanel.add(lastName);
      checkBoxPanel.add(telephone);
      checkBoxPanel.add(addressI);
      checkBoxPanel.add(addressII);
      checkBoxPanel.add(city);
      checkBoxPanel.add(state);
      checkBoxPanel.add(zip);
      //set up execute panel
      executePanel=new JPanel();
      executePanel.setLayout(new FlowLayout());
      //set up buttons
      runQueryButton=new JButton("Run Query");
      clearSQLButton=new JButton("Clear SQL");
      runQueryButton.addActionListener
        new ActionListener()
          public void actionPerformed(ActionEvent event)
            if(event.getSource().equals(runQueryButton))
              runSQLQuery();
      executePanel.add(runQueryButton);
      executePanel.add(clearSQLButton);
      container.add(selectQueryPanel, BorderLayout.NORTH);
      container.add(checkBoxPanel, BorderLayout.CENTER);
      container.add(executePanel, BorderLayout.SOUTH);
      setSize(800,150);
      setVisible(true);
    public static void main(String args[])
      QueryAddressBook dwgui=new QueryAddressBook();
      dwgui.setDefaultCloseOperation(JFrame.EXIT_ON_CLOSE);
    }//end main
    //private inner class for ItemListener event handling
    private class CheckBoxHandler implements ItemListener
      public void itemStateChanged(ItemEvent event)
      }//end method itemStateChanged
    }//end private inner class CheckBoxHandler
    private void runSQLQuery()
      String output="";
      try
        statement=connection.createStatement();
        resultSet=statement.executeQuery("select firstName from address");
        while(resultSet.next())
          output+=resultSet.getString(1)+"\n";
        JOptionPane.showMessageDialog(null,output);
        System.out.println(output);
      }//end try
      catch(SQLException sqle)
        sqle.printStackTrace();
      }//end catch
    }//end runSQLQuery
}//end class

At present your query string is
"Select firstName from Address"
Instead of using the above hardcoded string, try to build the
query String using logic that checks which check boxes are selected
by the user.
Example..
String query = "SELECT ";
if (firstName.isSelected()) {
query = query + " firstName";
Be sure, you add the comma properly between two fields :-)

Operating System Calls from APEX with Java and PL/SQL

Question about operating system calls from apex.
I created a java file which is wrapped with pl/sql like
create or replace java source named "ExternalCall" as
import java.io.*;
I do the steps from this web page http://www.oracle.com/global/de/community/tipps/oscalls/index.html
The page is in german, but for experienced users the code on this page says everything.
In apex i have an application which calls this function with the "move" command in a sql-report region.
Let's say move c:\work1\file.txt c:\work2\file.txt
Everything works fine on one host(pc) but if i want to transfer the file from my host to another one then
i get the messgage "no access" although i have read, write access on the other host.
By the way, on both hosts i have admin rights.
Why can't i transfer the file over a network ?
Thanks in advance for any kind of help.
Regards
Stefan

I guess you are working on a Windows host. In this case Oracle processes are running as Windows services with a build-in MS system account. This account has no access to network ressources. You have two ways to get out of your windows box:
Assign Oracle services a network enabled account, e.g. domain user with local administrator privileges. (I never tried this and I don't like to recommend it.)
Use a command script for copying files and use explicite authentication within this script:-
net use \\myserver\ipc$ tiger /user:scott
copy c:\temp\xxx1 \\myserver\share\temp
copy c:\temp\xxx2 \\myserver\share\temp
Michael

Access Code - DELETE Statement with DISTINCTROW and T-SQL

All,
I'm trying to rewrite Access Code to T-SQL Code. I understand how DISTINCTROW works in a SELECT statement but I'm not sure of the same in a DELETE statement.
Any ideas?
DELETE DISTINCTROW Order_detail.*
FROM Order_Master
INNER JOIN Order_detail
ON (Order_Master.OrderID = Order_detail.OrderID)
AND (Order_Master.OrderPartID = Order_detail.OrderPartID)
Thanks,
MS

Could we use this syntax to delete records of two tables in same query ?
DELETE DISTINCTROW TableA.*, TableB.* FROM
TableA INNER JOIN TableB ON TableA.Name = TableB.Name
No. You can delete only one table at a time.
If you are using SQL Server 2012, you can try Merge:
create table a (id int, name varchar(10))
insert into a values (1,'aName'), (2,'ABCName'), (3,'BBBName')
create table b(id int, name varchar(10))
insert into b values (1,'bName'), (2,'ABCName'), (3,'BBBName')
declare @t table ( name varchar(10))
Merge a as tgt
using b as src On tgt.name =src.name
When matched then
Delete
Output deleted.name into @t;
delete from b Where name in (select name from @t)
Select * from a
select * from b
drop table a,b

SQL Injection with CF7 and MS SQL 2005

Similar Messages

Maybe you are looking for