SQL Injection with Oracle Text
I did a search here for any posts about SQL Injection on Oracle Text indexes, but returned no hits.
Can anyone give their opinion about whether SQL Injection is a concern when using Oracle Text or what steps can be taken ahead of time to prevent (or at least reduce the attack surface) on Oracle Text queries.
We're running a web app. that will use Oracle Text and our users can enter any search string as well as select pre-defined items from a drop down box.
Thanks in advance for any opinions
LJ
quote:
Originally posted by: Dan Bracuk
What others can do is more relevant than what we think. When in doubt, test.
very true, although my final solution went more like, "When in doubt, manually add about 600 cfqueryparams in 406 cfquery tags".
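An added example, not from the thread, of one way a web tier can handle the two inputs the question describes (a free-text search box and a drop-down) before they reach a CONTAINS query. The table `documents`, its columns and the category values are assumptions; the escaping relies on Oracle Text treating text grouped in `{}` as an escaped sequence rather than as query operators, and the whole query string is passed as a bind variable so it never becomes part of the SQL text.

```python
# Added example: application-side handling of a search box and a drop-down
# value before they reach an Oracle Text CONTAINS query.
# Table, column and category names are assumptions, not from the original post.

# The statement text is constant; user data only ever travels in the binds.
SEARCH_SQL = (
    "SELECT doc_id, title, SCORE(1) AS relevance "
    "FROM documents "
    "WHERE category = :category "
    "AND CONTAINS(body, :text_query, 1) > 0 "
    "ORDER BY SCORE(1) DESC"
)

ALLOWED_CATEGORIES = frozenset({"manuals", "policies", "faq"})  # constructed values
MAX_TERMS = 8       # cap the size of the query a single request can produce
MAX_TERM_LEN = 64


def to_text_query(user_input):
    """Turn free text into a CONTAINS query made only of literal terms.

    Each whitespace-separated term is wrapped in {} so that words such as
    OR / NEAR / ABOUT and symbols such as & | ( ) are searched for as text
    instead of being parsed as Oracle Text operators.
    Returns None when nothing searchable is left.
    """
    terms = []
    for raw in user_input.split():
        # Braces and backslash are Oracle Text's own escape characters, so
        # they are dropped rather than passed through; so are control chars.
        term = "".join(
            ch for ch in raw if ch.isprintable() and ch not in "{}\\"
        )
        term = term[:MAX_TERM_LEN]
        if not any(ch.isalnum() for ch in term):
            continue  # pure punctuation would yield an empty query term
        terms.append("{" + term + "}")
        if len(terms) == MAX_TERMS:
            break
    # AND is chosen here so that every term must be present in a hit.
    return " AND ".join(terms) if terms else None


def build_search(user_input, category):
    """Return (sql, binds) for the driver's execute(), or None for no search."""
    # A drop-down is only a hint to the browser: re-check the value server-side.
    if category not in ALLOWED_CATEGORIES:
        raise ValueError("category is not one of the pre-defined items")
    text_query = to_text_query(user_input)
    if text_query is None:
        return None
    return SEARCH_SQL, {"category": category, "text_query": text_query}
```

The returned pair is meant for a driver call of the form `cursor.execute(sql, binds)`; an input such as `cats OR dogs` is then searched as three literal words instead of being parsed as an OR expression.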
Similar Messages
-
Problem with oracle text indexes during import
We have a 9.2.0.6 database using oracle text features on a server with windows 2000 5.00.2195 SP4.
We need to export its data ( user ARIANE only ) and then import the result into another 9.2.0.6 database.
The import never comes to an end.
The only way to make it work is to use the "indexes=n" clause.
Then ( without the indexes ), we tried to create manually the oracle text indexes.
We get this error :
CREATE INDEX ARIANE.DOSTEXTE_DTTEXTE_CTXIDX ON ARIANE.DOSTEXTE (DTTEXTE)
INDEXTYPE IS CTXSYS.CONTEXT PARAMETERS('lexer ariane_lexer stoplist ctxsys.default_stoplist storage ariane_storage');
ORA-29855: erreur d'exécution de la routine ODCIINDEXCREATE
ORA-20000: Erreur Oracle Text :
DRG-10700: préférence inexistante : ariane_lexer
ORA-06512: à "CTXSYS.DRUE", ligne 157
ORA-06512: à "CTXSYS.TEXTINDEXMETHODS", ligne 219
We then tried to uninstall Oracle text and install it ( My Oracle Support [ID 275689.1] ). The index creation above still fails.
We also checked our Text installation and setup through My Oracle Support FAQ ( ID 153264.1 ) and everything seems ok.
Do we have to create some ARIANE* lexer preferences through specific pl/sql ( ctx_report* ? ) before importing anything from the ARIANE user ?
What do we need to do exactly when exporting data with oracle text features from one database to another given we used to restore the database through a copy of the entire windows files ?
Is there a specific order to follow to succeed an import ?
Thank you for your help.
Jean-michel, Nemours, FRANCE
Hi
index preferences are not exported, i.e. ariane_lexer + ariane_storage, only the Text index metadata, thus the DRG-10700 from index DDL on target/import DB.
I recommend using ctx_report.create_index_script on source/export DB, see Doc ID 189819.1 for details, export with indexes=N and then create text indexes manually after data import.
-Edwin
-
How to get exact match when working with Oracle Text?
Hi,
I'm running Oracle9i Database R2.
I would like to know how do I get exact match when working with Oracle Text.
DROP TABLE T_TEST_1;
CREATE TABLE T_TEST_1 (text VARCHAR2(30));
INSERT INTO T_TEST_1 VALUES('Management');
INSERT INTO T_TEST_1 VALUES('Busines Management Practice');
INSERT INTO T_TEST_1 VALUES('Human Resource Management');
COMMIT;
DROP INDEX T_TEST_1;
CREATE INDEX T_TEST_1_IDX ON T_TEST_1(text) INDEXTYPE IS CTXSYS.CONTEXT;
SELECT * FROM T_TEST_1 WHERE CONTAINS(text, 'Management')>0;
The above query will return 3 rows. How do I make Oracle Text to return me only the first row - which is exact match because sometimes my users need to look for exact match term.
Please advise.
Regards,
Jap.
But I would like to utilize the Oracle Text index.
Don't know your db version, but if you slightly redefine your index you can achieve this (at least on my 11g instance):
SQL> create table t_test_1 (text varchar2(30))
2 /
Table created.
SQL> insert into t_test_1 values ('Management')
2 /
1 row created.
SQL> insert into t_test_1 values ('Busines Management Practice')
2 /
1 row created.
SQL> insert into t_test_1 values ('Human Resource Management')
2 /
1 row created.
SQL>
SQL> create index t_test_1_idx on t_test_1(text) indextype is ctxsys.context filter by text
2 /
Index created.
SQL> set autotrace on explain
SQL>
SQL> select text, score (1)
2 from t_test_1
3 where contains (text, 'Management and sdata(text="Management")', 1) > 0
4 /
TEXT SCORE(1)
Management 3
Execution Plan
Plan hash value: 4163886076
| Id | Operation | Name | Rows | Bytes | Cost (%CPU)| Time |
| 0 | SELECT STATEMENT | | 1 | 29 | 4 (0)| 00:00:01 |
| 1 | TABLE ACCESS BY INDEX ROWID| T_TEST_1 | 1 | 29 | 4 (0)| 00:00:01 |
|* 2 | DOMAIN INDEX | T_TEST_1_IDX | | | 4 (0)| 00:00:01 |
Predicate Information (identified by operation id):
2 - access("CTXSYS"."CONTAINS"("TEXT",'Management and
sdata(text="Management")',1)>0)
Note
- dynamic sampling used for this statement
Just read that you indeed mentioned your db version in your first post.
Not sure though if above method is already available in 9i ...
Message was edited by:
michaels
-
How to define the tab space in the PL/SQL editor with Oracle Forms 4.5?
When I use the PL/SQL editor with Oracle Form Builder, I found the tab space is very long that affects my programs readability quite a lot. Then, I tried to use Textpad to type my program. It looks fine with Textpad. However, when i tried to 'cut and paste' my code back to the PL/SQL editor, all tab spaces (approx. 8-character) are detected and the program looks awful again ~~ Would any one help me to solve my mentioned problem?
Thanks for any advices!
In 4.5 you cannot change this. In Forms 5.0 and above there is a registry value DE_PREFS_TABSIZE which allows you to set a value for the tabsize.
-
Using psp with oracle text.
we are design a simple document management application using psp with oracle text.
we can query on index and finding the record and display the result on browser page.
but we can't take document link on the same browser page. So we can't take document itself.
We are using Oracle database release 1 text
Thanks for your help.
Sorry. The correct one is http://otn.oracle.com/docs/products/oracle9i/doc_library/release2/text.920/a96517/acase.htm#620714
-
Can't use ";" in sql clause with Oracle 8.X
I can't use ";" at the ending of sql clause in VB program. First this program can use with Oracle 7.3.4 database. But now i need to upgrade DB to Oracle 8.1.7 ,program can't operate. It show error Runtime 40002
and 37000:ODBC driver for oracle/invalid charactor
Thank you
I've seen a lot of discussion about semicolons in SQL sent from 3rd party applications. A web search should bring up the discussions.
Also you might get more response if you ask this question somewhere else. This is not a VB forum, so you may not reach relevant people.
-- CJ
-
Huge Databases to be indexed with Oracle Text?
Is there anybody with experience with Oracle Databases with several TB and an fulltext index with Oracle Text? Are there any success stories by oracle?
Oracle Text, data load by partition, async refresh index.
Hi Gurus,
Here I got a question,
Scenario:
A table with 2 partitions, text index created.
When I load data into 1st partition, performance good.
Sync partition text index, performance good.
Then I load data into 2nd partition, it's so slow.
My question is,
How to disable/offline 2nd partition text index?
Sync it after I loaded 2nd partition data.
-
XML SQL Utility with Oracle 8.0.5
hi,
Is it possible to use XML SQL Utility with Oracle 8.0.5.
Thanks,
-Mourad
Yes. You need to use the Oracle8i 8.1.6 JDBC driver with XSU, but it can connect to an 8.0.5 instance.
-
Performance issue with Oracle Text index
Hi Experts,
We are on Oracle 11.2..0.3 on Solaris 10. I have implemented Oracle Text in our environment and I am facing a strange performance issue that is happening in our environment.
One sql having CONTAINS clause is taking forever - more than 20 minutes and still does not complete. This sql has a contains clause and an exists clause and a not exists clause.
Now if I remove the exists clause and a not exists clause , it completes fast. but with those two clauses it is just taking forever. It is late night so i am not able to post the table and sql query details and will do so tomorrow but based on this general description, are there any pointers for me to review?
sql query doing fine:
SELECT
U.CLNT_OID, U.USR_OID, S.MAILADDR
FROM
access_usr U
INNER JOIN access_sia S
ON S.USR_OID = U.USR_OID AND S.CLNT_OID = U.CLNT_OID
WHERE U.CLNT_OID = 'ABCX32S'
AND CONTAINS(LAST_NAME , 'TO%' ) >0
--sql query that hangs forever:
SELECT
U.CLNT_OID, U.USR_OID, S.MAILADDR
FROM
access_usr U
INNER JOIN access_sia S
ON S.USR_OID = U.USR_OID AND S.CLNT_OID = U.CLNT_OID
WHERE U.CLNT_OID = 'ABCX32S'
AND CONTAINS(LAST_NAME , 'TO%' ) >0
and exists (--one clause here with a few table joins)
and not exists (--one clause here with a few table joins);
--Now another strange thing I found is if instead of 'TO%' in this sql, if I were to use 'ZZ%' or 'L1%' it works fast but for 'TO%' it goes slow with those two exists not exists clauses!
I will be most thankful for the inputs.
OrauserN
Hi Barbara,
First of all, thanks a lot for reviewing the issue.
Unluckily making the change to empty_stoplist did not work out. I am today copying the entire sql here that has this issue and will be most thankful for more insights/pointers on what can be done.
Here is the entire sql:
SELECT U.CLNT_OID,
U.USR_OID,
S.EMAILADDRESS,
U.FIRST_NAME,
U.LAST_NAME,
S.JOBCODE,
S.LOCATION,
S.DEPARTMENT,
S.ASSOCIATEID,
S.ENTERPRISECOMPANYCODE,
S.EMPLOYEEID,
S.PAYGROUP,
S.PRODUCTLOCALE
FROM ACCESS_USR U
INNER JOIN
ACCESS_SIA S
ON S.USR_OID = U.USR_OID AND S.CLNT_OID = U.CLNT_OID
WHERE U.CLNT_OID = 'G39NY3D25942TXDA'
AND EXISTS
(SELECT 1
FROM ACCESS_USR_GROUP_XREF UGX
INNER JOIN ACCESS_GROUP RELG
ON RELG.CLNT_OID = UGX.CLNT_OID
AND RELG.GROUP_OID = UGX.GROUP_OID
INNER JOIN ACCESS_GROUP G
ON G.CLNT_OID = RELG.CLNT_OID
AND G.GROUP_TYPE_OID = RELG.GROUP_TYPE_OID
WHERE UGX.CLNT_OID = U.CLNT_OID
AND UGX.USR_OID = U.USR_OID
AND G.GROUP_OID = 920512943
AND UGX.INCLUDED = 1)
AND NOT EXISTS
(SELECT 1
FROM ACCESS_USR_GROUP_XREF UGX
INNER JOIN
ACCESS_GROUP G
ON G.CLNT_OID = UGX.CLNT_OID
AND G.GROUP_OID = UGX.GROUP_OID
WHERE UGX.CLNT_OID = U.CLNT_OID
AND UGX.USR_OID = U.USR_OID
AND G.GROUP_OID = 920512943
AND UGX.INCLUDED = 1)
AND CONTAINS (U.LAST_NAME, 'Bon%') > 0;
Like I said before if the EXISTS and NOT EXISTS clause are removed it works in sub-second. But with those EXISTS and NOT EXISTS CLAUSE IT TAKES ANY WHERE FROM 25 minutes to more than one hour.
Note also that it was not TO% but Bon% in the CONTAINS clause that is giving the issue - sorry that was wrong on my part.
Also please see below the ORACLE TEXT index defined on the table ACCESS_USER:
--definition of preferences used in the index:
SET SERVEROUTPUT ON size unlimited
WHENEVER SQLERROR EXIT SQL.SQLCODE
DECLARE
v_err VARCHAR2 (1000);
v_sqlcode NUMBER;
v_count NUMBER;
BEGIN
ctxsys.ctx_ddl.create_preference ('cust_lexer', 'BASIC_LEXER');
ctxsys.ctx_ddl.set_attribute ('cust_lexer', 'base_letter', 'YES'); -- removes diacritics
EXCEPTION
WHEN OTHERS
THEN
v_err := SQLERRM;
v_sqlcode := SQLCODE;
v_count := INSTR (v_err, 'DRG-10701');
IF v_count > 0
THEN
DBMS_OUTPUT.put_line (
'The required preference named CUST_LEXER with BASIC LEXER is already set up');
ELSE
RAISE;
END IF;
END;
/
DECLARE
v_err VARCHAR2 (1000);
v_sqlcode NUMBER;
v_count NUMBER;
BEGIN
ctxsys.ctx_ddl.create_preference ('cust_wl', 'BASIC_WORDLIST');
ctxsys.ctx_ddl.set_attribute ('cust_wl', 'SUBSTRING_INDEX', 'true'); -- to improve performance
EXCEPTION
WHEN OTHERS
THEN
v_err := SQLERRM;
v_sqlcode := SQLCODE;
v_count := INSTR (v_err, 'DRG-10701');
IF v_count > 0
THEN
DBMS_OUTPUT.put_line (
'The required preference named CUST_WL with BASIC WORDLIST is already set up');
ELSE
RAISE;
END IF;
END;
/
--now below is the code of the index:
CREATE INDEX ACCESS_USR_IDX3 ON ACCESS_USR
(FIRST_NAME)
INDEXTYPE IS CTXSYS.CONTEXT
PARAMETERS('LEXER cust_lexer WORDLIST cust_wl SYNC (ON COMMIT)');
CREATE INDEX ACCESS_USR_IDX4 ON ACCESS_USR
(LAST_NAME)
INDEXTYPE IS CTXSYS.CONTEXT
PARAMETERS('LEXER cust_lexer WORDLIST cust_wl SYNC (ON COMMIT)');
The strange thing is that, like I said, If I remove the exists clause the query returns very fast. Also if I modify the query to use only one NOT EXISTS clause and remove the other EXISTS clause it returns in less than one second. Also if I remove the EXISTS clause and use only the NOT EXISTS clause it returns in less than 4 seconds. But with both clauses it runs forever!
When I tried to get dbms_xplan.display_cursor to get the query plan (for the case of both exists and not exists clause in the query), it said that previous statement's sql id was 0 or something like that so that I was not able to see the query plan. I will keep trying to get this plan (it takes 25 minutes to one hour each time but will get this info soon). Again any pointers are most helpful.
Regards
OrauserN
-
Help needed with oracle text special character search
Hi all
Using oracle 11g sql developer 4.0
I am facing this challenge where Oracle text when it comes to searching text that contains special character.
This what I have done so far with help of http://www.orafaq.com/forum/t/162229/
CREATE TABLE "SOS"."COMPANY"
( "COMPANY_ID" NUMBER(10,0) NOT NULL ENABLE,
"COMPANY_NAME" VARCHAR2(50 BYTE),
"ADDRESS1" VARCHAR2(50 BYTE),
"ADDRESS2" VARCHAR2(10 BYTE),
"CITY" VARCHAR2(40 BYTE),
"STATE" VARCHAR2(20 BYTE),
"ZIP" NUMBER(5,0)
) SEGMENT CREATION IMMEDIATE
PCTFREE 10 PCTUSED 40 INITRANS 1 MAXTRANS 255 NOCOMPRESS LOGGING
STORAGE(INITIAL 65536 NEXT 1048576 MINEXTENTS 1 MAXEXTENTS 2147483645
PCTINCREASE 0 FREELISTS 1 FREELIST GROUPS 1 BUFFER_POOL DEFAULT FLASH_CACHE DEFAULT CELL_FLASH_CACHE DEFAULT)
TABLESPACE "USERS" ;
Insert into COMPANY (COMPANY_ID,COMPANY_NAME,ADDRESS1,ADDRESS2,CITY,STATE,ZIP) values (1,'LSG SOLUTIONS LLC',null,null,null,null,null);
Insert into COMPANY (COMPANY_ID,COMPANY_NAME,ADDRESS1,ADDRESS2,CITY,STATE,ZIP) values (2,'LOVE''S TRAVEL',null,null,null,null,null);
Insert into COMPANY (COMPANY_ID,COMPANY_NAME,ADDRESS1,ADDRESS2,CITY,STATE,ZIP) values (3,'DEVON ENERGY',null,null,null,null,null);
Insert into COMPANY (COMPANY_ID,COMPANY_NAME,ADDRESS1,ADDRESS2,CITY,STATE,ZIP) values (4,'SONIC INC',null,null,null,null,null);
Insert into COMPANY (COMPANY_ID,COMPANY_NAME,ADDRESS1,ADDRESS2,CITY,STATE,ZIP) values (5,'MSCI',null,null,null,null,null);
Insert into COMPANY (COMPANY_ID,COMPANY_NAME,ADDRESS1,ADDRESS2,CITY,STATE,ZIP) values (6,'ERNEST AND YOUNG',null,null,null,null,null);
Insert into COMPANY (COMPANY_ID,COMPANY_NAME,ADDRESS1,ADDRESS2,CITY,STATE,ZIP) values (7,'JOHN DEER',null,null,null,null,null);
Insert into COMPANY (COMPANY_ID,COMPANY_NAME,ADDRESS1,ADDRESS2,CITY,STATE,ZIP) values (8,'Properties@Oklahoma, LLC',null,null,null,null,null);
Insert into COMPANY (COMPANY_ID,COMPANY_NAME,ADDRESS1,ADDRESS2,CITY,STATE,ZIP) values (9,'D.D.T L.L.C.',null,null,null,null,null);
BEGIN
CTX_DDL.CREATE_PREFERENCE ('your_lexer', 'BASIC_LEXER');
CTX_DDL.SET_ATTRIBUTE ('your_lexer', 'SKIPJOINS', '.,@-'''); -- to skip . , @ - ' symbols
END;
/
CREATE INDEX my_index2 ON COMPANY(COMPANY_NAME)
INDEXTYPE IS CTXSYS.CONTEXT PARALLEL
PARAMETERS ('LEXER your_lexer');
SELECT
company_name
FROM company
WHERE CATSEARCH(company.COMPANY_NAME, 'LLC','') > 0
ORDER BY company.COMPANY_ID;
output
company_name
1 LSG SOLUTIONS LLC
2 Properties@Oklahoma, LLC
only return 2 row but should return 3
I just noticed that I forgot to use an empty stoplist, so I have added that to the revised example below. Otherwise, it uses a default stoplist that would not index common single-letter words like A and I.
1. What is Just search on single character 'L'? It give me error.
Since it uses the NEAR operator, searching for just one letter causes incomplete syntax, asking it to search for L near a missing second value. So, I have added additional code to allow for just one letter.
2. How do I do auto refresh on this index on datastore?
If I add "sync (on commit)" it does not refresh the previously set token.
Sync(on commit) does synchronize so that the data is immediately searchable. You have to either optimize or rebuild or drop and recreate the index to condense the rows in the domain index table.
3.lastly explanation of
<seq>NEAR((' || letters_func (:search_string) || '),1,TRUE)</seq>
<seq>NEAR((' || letters_func (:search_string) || '),100,TRUE)</seq>
<seq>NEAR((' || letters_func (:search_string) || '),100,FALSE)</seq>
why 100 true and 100 false
100 is just a default value that I used for the second parameter of near, indicating how close the letters need to be to each other. True and False are values for the third parameter of near, indicating whether or not the letters must be in the same order or not. So, it returns the results in the order of first those that are very close to one another and in the same order, then those that may be further away but in the same order, then those that may be further away and in any order.
SCOTT@orcl12c> CREATE TABLE company_near
2 (company_id NUMBER(10,0) NOT NULL ENABLE,
3 company_name VARCHAR2(50 BYTE))
4 /
Table created.
SCOTT@orcl12c> SET DEFINE OFF
SCOTT@orcl12c> BEGIN
2 Insert into COMPANY_NEAR (COMPANY_ID,COMPANY_NAME) values (1,'LSG SOLUTIONS LLC');
3 Insert into COMPANY_NEAR (COMPANY_ID,COMPANY_NAME) values (2,'LOVE''S TRAVEL');
4 Insert into COMPANY_NEAR (COMPANY_ID,COMPANY_NAME) values (3,'DEVON ENERGY');
5 Insert into COMPANY_NEAR (COMPANY_ID,COMPANY_NAME) values (4,'SONIC INC');
6 Insert into COMPANY_NEAR (COMPANY_ID,COMPANY_NAME) values (5,'MSCI');
7 Insert into COMPANY_NEAR (COMPANY_ID,COMPANY_NAME) values (6,'ERNEST AND YOUNG');
8 Insert into COMPANY_NEAR (COMPANY_ID,COMPANY_NAME) values (7,'JOHN DEER');
9 Insert into COMPANY_NEAR (COMPANY_ID,COMPANY_NAME) values (8,'Properties@Oklahoma, LLC');
10 Insert into COMPANY_NEAR (COMPANY_ID,COMPANY_NAME) values (9,'D.D.T L.L.C.');
11 Insert into COMPANY_NEAR (COMPANY_ID,COMPANY_NAME) values (10,'LSG COMPANY, LLC');
12 Insert into COMPANY_NEAR (COMPANY_ID,COMPANY_NAME) values (11,'LSG STAFFING, LLC');
13 Insert into COMPANY_NEAR (COMPANY_ID,COMPANY_NAME) values (12,'L & S GROUP LLC');
14 Insert into COMPANY_NEAR (COMPANY_ID,COMPANY_NAME) values (13,'L S & G, INC.');
15 Insert into COMPANY_NEAR (COMPANY_ID,COMPANY_NAME) values (14,'L.S.G. PROPERTIES, L.L.C.');
16 Insert into COMPANY_NEAR (COMPANY_ID,COMPANY_NAME) values (15,'LSGS PROPERTIES, LLC');
17 Insert into COMPANY_NEAR (COMPANY_ID,COMPANY_NAME) values (16,'LSQ INVESTORS, L.L.C');
18 Insert into COMPANY_NEAR (COMPANY_ID,COMPANY_NAME) values (17,'LHP SHERMAN/GRAYSON, LLC');
19 Insert into COMPANY_NEAR (COMPANY_ID,COMPANY_NAME) values (18,'Walmart');
20 Insert into COMPANY_NEAR (COMPANY_ID,COMPANY_NAME) values (19,'Wal mart');
21 Insert into COMPANY_NEAR (COMPANY_ID,COMPANY_NAME) values (20,'LSG Property Investments, L.L.C.');
22 Insert into COMPANY_NEAR (COMPANY_ID,COMPANY_NAME) values (21,'1224 S GALVESTON AVE, LLC');
23 Insert into COMPANY_NEAR (COMPANY_ID,COMPANY_NAME) values (22,'1527 S GARY AVE, LLC');
24 Insert into COMPANY_NEAR (COMPANY_ID,COMPANY_NAME) values (23,'FIFTEENTH STREET GRILL');
25 Insert into COMPANY_NEAR (COMPANY_ID,COMPANY_NAME) values (24,'Massa Lobortis LLP');
26 Insert into COMPANY_NEAR (COMPANY_ID,COMPANY_NAME) values (25,'Risus A Inc.');
27 Insert into COMPANY_NEAR (COMPANY_ID,COMPANY_NAME) values (26,'Dollar $ store');
28 Insert into COMPANY_NEAR (COMPANY_ID,COMPANY_NAME) values (27,'L.O.V.E., INC. ');
29 Insert into COMPANY_NEAR (COMPANY_ID,COMPANY_NAME) values (28,'J-MART LLC ');
30 END;
31 /
PL/SQL procedure successfully completed.
SCOTT@orcl12c> CREATE OR REPLACE FUNCTION letters_func
2 (p_string IN VARCHAR2)
3 RETURN VARCHAR2
4 AS
5 v_string VARCHAR2(4000);
6 BEGIN
7 FOR i IN 1 .. LENGTH (p_string)
8 LOOP
9 IF REGEXP_LIKE (SUBSTR (p_string, i, 1), '[A-Z]', 'i')
10 THEN
11 v_string := v_string || SUBSTR (p_string, i, 1) || ',';
12 END IF;
13 END LOOP;
14 v_string := RTRIM (v_string, ',');
15 RETURN v_string;
16 END letters_func;
17 /
Function created.
SCOTT@orcl12c> BEGIN
2 CTX_DDL.CREATE_PREFERENCE ('letters_datastore', 'MULTI_COLUMN_DATASTORE');
3 CTX_DDL.SET_ATTRIBUTE
4 ('letters_datastore',
5 'COLUMNS',
6 'letters_func (company_name) company_name');
7 CTX_DDL.SET_ATTRIBUTE ('letters_datastore', 'DELIMITER', 'NEWLINE');
8 END;
9 /
PL/SQL procedure successfully completed.
SCOTT@orcl12c> CREATE INDEX letters_index ON company_near (company_name)
2 INDEXTYPE IS CTXSYS.CONTEXT
3 PARAMETERS
4 ('DATASTORE letters_datastore
5 STOPLIST CTXSYS.EMPTY_STOPLIST
6 SYNC (ON COMMIT)')
7 /
Index created.
SCOTT@orcl12c> SELECT COUNT(*) FROM dr$letters_index$i
2 /
COUNT(*)
24
1 row selected.
SCOTT@orcl12c> VARIABLE search_string VARCHAR2(100)
SCOTT@orcl12c> EXEC :search_string := 'LSG'
PL/SQL procedure successfully completed.
SCOTT@orcl12c> SELECT SCORE(1), company_id, company_name
2 FROM company_near
3 WHERE CONTAINS
4 (company_name,
5 '<query>
6 <textquery>
7 <progression>
8 <seq>' || :search_string || '</seq>
9 <seq>NEAR((' || letters_func (:search_string) || '),1,TRUE)</seq>
10 <seq>NEAR((' || letters_func (:search_string) || '),100,TRUE)</seq>
11 <seq>NEAR((' || letters_func (:search_string) || '),100,FALSE)</seq>
12 </progression>
13 </textquery>
14 </query>',
15 1) > 0
16 ORDER BY SCORE(1) DESC
17 /
SCORE(1) COMPANY_ID COMPANY_NAME
56 1 LSG SOLUTIONS LLC
56 10 LSG COMPANY, LLC
56 11 LSG STAFFING, LLC
56 12 L & S GROUP LLC
56 13 L S & G, INC.
56 14 L.S.G. PROPERTIES, L.L.C.
56 20 LSG Property Investments, L.L.C.
56 15 LSGS PROPERTIES, LLC
31 17 LHP SHERMAN/GRAYSON, LLC
8 21 1224 S GALVESTON AVE, LLC
4 22 1527 S GARY AVE, LLC
4 23 FIFTEENTH STREET GRILL
12 rows selected.
SCOTT@orcl12c> EXEC :search_string := 'L'
PL/SQL procedure successfully completed.
SCOTT@orcl12c> /
SCORE(1) COMPANY_ID COMPANY_NAME
78 1 LSG SOLUTIONS LLC
77 8 Properties@Oklahoma, LLC
77 9 D.D.T L.L.C.
77 10 LSG COMPANY, LLC
77 11 LSG STAFFING, LLC
77 12 L & S GROUP LLC
77 28 J-MART LLC
77 2 LOVE'S TRAVEL
77 26 Dollar $ store
77 24 Massa Lobortis LLP
77 23 FIFTEENTH STREET GRILL
77 14 L.S.G. PROPERTIES, L.L.C.
77 15 LSGS PROPERTIES, LLC
77 16 LSQ INVESTORS, L.L.C
77 17 LHP SHERMAN/GRAYSON, LLC
77 20 LSG Property Investments, L.L.C.
77 21 1224 S GALVESTON AVE, LLC
77 22 1527 S GARY AVE, LLC
76 19 Wal mart
76 18 Walmart
76 27 L.O.V.E., INC.
76 13 L S & G, INC.
22 rows selected.
SCOTT@orcl12c> INSERT INTO company_near (company_id, company_name) VALUES (30, 'Laris Gordman llc.' )
2 /
1 row created.
SCOTT@orcl12c> COMMIT
2 /
Commit complete.
SCOTT@orcl12c> SELECT COUNT(*) FROM dr$letters_index$i
2 /
COUNT(*)
35
1 row selected.
SCOTT@orcl12c> EXEC :search_string := 'Laris Gordman llc.'
PL/SQL procedure successfully completed.
SCOTT@orcl12c> SELECT SCORE(1), company_id, company_name
2 FROM company_near
3 WHERE CONTAINS
4 (company_name,
5 '<query>
6 <textquery>
7 <progression>
8 <seq>NEAR((' || letters_func (:search_string) || '),1,TRUE)</seq>
9 <seq>NEAR((' || letters_func (:search_string) || '),100,TRUE)</seq>
10 <seq>NEAR((' || letters_func (:search_string) || '),100,FALSE)</seq>
11 </progression>
12 </textquery>
13 </query>',
14 1) > 0
15 ORDER BY SCORE(1) DESC
16 /
SCORE(1) COMPANY_ID COMPANY_NAME
100 30 Laris Gordman llc.
1 row selected.
SCOTT@orcl12c> EXEC CTX_DDL.OPTIMIZE_INDEX ('letters_index', 'FULL')
PL/SQL procedure successfully completed.
SCOTT@orcl12c> SELECT COUNT(*) FROM dr$letters_index$i
2 /
COUNT(*)
24
1 row selected.
-
SQL Injection with CF7 and MS SQL 2005
I looked through a bunch of SQL injection posts and couldn't
find a definitive answer to this...
Let me introduce this by saying that I know I should be using
CFQUERYPARAM with EVERY CF variable in a CFQUERY tag. No excuses.
But for a necessary quick fix, if I only use it for numeric
DB fields, is SQL injection still possible (using MS SQL 2005)?
I've yet to successfully perform SQL injection while manipulating a
variable surrounded by single quotes in the query.
Scenario 1) select * from users where user_id=#form.user_id#
...is a gimme to hack, but
Scenario 2) select * from users where
password='#form.password#' ...is another story
Has anyone ever heard of a successful SQL injection attack in
a Scenario 2 situation.
I'll fix everything up eventually, but I've got a Pen Test
coming up soon, and a lot of raw code to review.
Thanks
quote:
Originally posted by: Dan Bracuk
What others can do is more relevant than what we think. When in doubt, test.
very true, although my final solution went more like, "When in doubt, manually add about 600 cfqueryparams in 406 cfquery tags".
-
Good night:
I'm trying to understand the use of oracleparameters in visual basic .net 2008. It is said that its goal is to avoid sql injection but as far as I know Oracle throws an exception every time you use a ;, so I assume it is not possible to inject malicious sql to oracle.
Does anybody know if it's possible and how to do an sqlinjection to Oracle by means of an ado .net command?
Thank you
Section "Understanding SQL Injection Attacks" in "Securing a .NET Application on the Oracle Database": http://www.oracle.com/technology/pub/articles/mastering_dotnet_oracle/cook_masteringdotnet.html shows examples in VB .Net.
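As an added example (not from either thread; SQLite from Python's standard library stands in for Oracle or SQL Server, and the table and values are constructed): the quoted-string query shape discussed in the two threads above, built once by concatenation and once with bind parameters. The constructed input contains no semicolon, yet it changes the WHERE clause of the concatenated statement, which is the case bind parameters such as OracleParameter or cfqueryparam exist to prevent.

```python
import sqlite3

# Constructed sample input: no semicolon, no second statement.
CONSTRUCTED_INPUT = "' OR '1'='1"


def make_db():
    """In-memory stand-in database with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id INTEGER, name TEXT, password TEXT)")
    # Plaintext comparison mirrors the query shape quoted in the thread;
    # a real system would compare password hashes instead.
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "s3cret"), (2, "bob", "hunter2"), (3, "O'Brien", "pw")],
    )
    return db


def login_concat(db, name, password):
    """'Before' form: user input becomes part of the SQL text."""
    sql = (
        "SELECT user_id FROM users WHERE name = '" + name
        + "' AND password = '" + password + "'"
    )
    return sorted(row[0] for row in db.execute(sql))


def login_bound(db, name, password):
    """'After' form: constant SQL text, input travels only as bind values."""
    sql = "SELECT user_id FROM users WHERE name = :name AND password = :password"
    binds = {"name": name, "password": password}
    return sorted(row[0] for row in db.execute(sql, binds))


def compare(db, name, password):
    """Run both forms on the same input and report what each one did."""
    try:
        concat_result = login_concat(db, name, password)
    except sqlite3.Error as exc:
        # A legitimate apostrophe is enough to break the concatenated text.
        concat_result = "error: " + type(exc).__name__
    return {"concat": concat_result, "bound": login_bound(db, name, password)}


if __name__ == "__main__":
    db = make_db()
    # The quote in the input closes the literal; OR '1'='1' matches every row.
    print(compare(db, "alice", CONSTRUCTED_INPUT))
    # With binds the same input is just a wrong password.
    print(compare(db, "alice", "s3cret"))
    # A legitimate name containing an apostrophe works only in the bound form.
    print(compare(db, "O'Brien", "pw"))
```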
-
SQL*Plus with Oracle 10g Express Edition
How Can I do to log in using SQL*Plus into Oracle 10g?
My Schema is: Banco.Global
My Password is: 111111
I need to write SET SERVEROUTPUT ON to get answer?
I opened the Prompt, but i don't know to log in.
Thanks and my english is not as well as you.
If i write:
SQL>connect "Banco.Global"/111111
a error message is raised: Invalid username/password; logon denied
but if I log in into Home Page with the same Username and Password, I get to log in.
There is difference to connect SQL*Plus and the connect with Home Page the Oracle?
I need to connect with SQL*Plus, because i need to make a test. -
Using discoverer with Oracle Text
I thought Discoverer would be able to intereact with Oracle intermedia/text indexes...can they? i.e. If there is an Intermedia Index, and the user know it is there but doesn't know the tags to query, can you point Discoverer to the index and it'll determine the tags avaiable to search on?
Thanks,
Sorry. The correct one is http://otn.oracle.com/docs/products/oracle9i/doc_library/release2/text.920/a96517/acase.htm#620714
-
Performance issues and options to reduce load with Oracle text implementation
Hi Experts,
My database on Oracle 11.2.0.2 on Linux. We have Oracle Text implemented for fuzzy search. Our oracle text indexes are defined as sync on commit as we can not afford to have stale data. Now our application does literally thousands of inserts/updates/deletes to those columns where we have these Oracle text indexes defined. As a result, we are seeing a lot of performance impact due to the oracle text sync routines being called on each commit. We are doing the index optimization every night (full optimization every night at 3 am). The oracle text index related internal operations are showing up as top sql in our AWR report and there are concerns that it is causing lot of load on the DB. Since we do the full index optimization only once at night, I am thinking should I change that , and if I do so, will it help us?
For example here are some data from my one day's AWR report:
| Elapsed Time (s) | Executions | Elapsed Time per Exec (s) | %Total | %CPU | %IO | SQL Id | SQL Module | SQL Text |
| 27,386.25 | 305,441 | 0.09 | 16.50 | 15.82 | 9.98 | ddr8uck5s5kp3 | | begin ctxsys.drvdml.com_sync_i... |
| 14,618.81 | 213,980 | 0.07 | 8.81 | 8.39 | 27.79 | 02yb6k216ntqf | | begin ctxsys.syncrn(:idxownid,... |
Full Text of above top sql:
ddr8uck5s5kp3
begin ctxsys.drvdml.com_sync_index(:idxname, :idxmem, :partname);
end
02yb6k216ntqf
begin ctxsys.syncrn(:idxownid, :idxoname, :idxid, :ixpid, :rtabnm, :flg); end;
Now if I do the full index optimization more often and not just once at night 3 PM, will that mean, the load on DB due to sync on commit will decrease? If yes how often should I optimized and doesn't the optimization itself lead to some load? Can someone suggest?
Thanks,
OrauserN
You can query the ctx_parameters view to see what your default and maximum memory values are:
SCOTT@orcl12c> COLUMN bytes FORMAT 9,999,999,999
SCOTT@orcl12c> COLUMN megabytes FORMAT 9,999,999,999
SCOTT@orcl12c> SELECT par_name AS parameter,
2 TO_NUMBER (par_value) AS bytes,
3 par_value / 1048576 AS megabytes
4 FROM ctx_parameters
5 WHERE par_name IN ('DEFAULT_INDEX_MEMORY', 'MAX_INDEX_MEMORY')
6 ORDER BY par_name
7 /
PARAMETER BYTES MEGABYTES
DEFAULT_INDEX_MEMORY 67,108,864 64
MAX_INDEX_MEMORY 1,073,741,824 1,024
2 rows selected.
You can set the memory value in your index parameters:
SCOTT@orcl12c> CREATE INDEX EMPLOYEE_IDX01
2 ON EMPLOYEES (EMP_NAME)
3 INDEXTYPE IS CTXSYS.CONTEXT
4 PARAMETERS ('SYNC (ON COMMIT) MEMORY 1024M')
5 /
Index created.
You can also modify the default and maximum values using CTX_ADM.SET_PARAMETER:
http://docs.oracle.com/cd/E11882_01/text.112/e24436/cadmpkg.htm#CCREF2096
The following contains general guidelines for what to set the max_index_memory parameter and others to:
http://docs.oracle.com/cd/E11882_01/text.112/e24435/aoptim.htm#CCAPP9274