"SQL Query in HTTP Request" (5474:0)

Hi,
The IDS signature "SQL Query in HTTP Request" (5474:0) does not recognize all malicious SQL selects. Currently, the reg exp looks like ([%]20|[=]|[+])[Ss][Ee][Ll][Ee][Cc][Tt]([%]20|[+])[^\r\n\x00-\x19\x7F-\xFF]+([%]20|[+])[Ff][Rr][Oo][Mm]([%]20|[+]) . We noticed that subselects do not trigger the signature. For example, "...(select%20something%20from%20somethingmore%20where%20variable%20=%20(select%20....." which could be malicious. Is there any possibility to include "(" in the regexp to detect subselects?
Regards,
/Ola

hmmm...That should actually match just fine. Let's break it down:
([%]20|[=]|[+]) <-- "%20", "=", or "+"
[Ss][Ee][Ll][Ee][Cc][Tt] <-- "SELECT"
([%]20|[+]) <-- "%20" or "+"
[^\r\n\x00-\x19\x7F-\xFF]+ <-- NOT one or more ascii control or extended chars
([%]20|[+]) <-- "%20" or "+"
[Ff][Rr][Oo][Mm] <-- "FROM"
([%]20|[+]) <-- "%20" or "+"
The only reason I can think that it wouldn't match is if there are some funky characters between the first SELECT and the first FROM (i.e. carriage return/line feed, etc). Also remember that a %20 or = or + must precede the SELECT and that a %20 or + must follow the FROM.
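
The breakdown above can be checked by running the signature over a few request strings and looking at what precedes each SELECT. This is an added example, not part of the original thread and not Cisco's code: the sample requests are constructed, and `SIG_WITH_PAREN` is a hypothetical variant that also accepts "(" or "%28" before SELECT, as the question proposes.

```python
import re

# Everything after the leading delimiter, as broken down in the reply.
# Bytes patterns are used because a sensor inspects raw request bytes.
_REST = (
    rb"[Ss][Ee][Ll][Ee][Cc][Tt]"        # SELECT, any case
    rb"([%]20|[+])"                     # "%20" or "+"
    rb"[^\r\n\x00-\x19\x7F-\xFF]+"      # 1+ bytes outside the control/extended ranges
    rb"([%]20|[+])"                     # "%20" or "+"
    rb"[Ff][Rr][Oo][Mm]"                # FROM, any case
    rb"([%]20|[+])"                     # "%20" or "+"
)

# The signature regex as quoted on this page.
SIG_5474 = re.compile(rb"([%]20|[=]|[+])" + _REST)

# Hypothetical variant (an assumption, not the vendor's signature):
# "(" or its URL-encoded form "%28" may also precede SELECT.
SIG_WITH_PAREN = re.compile(rb"([%]20|[=]|[+]|[(]|[%]28)" + _REST)

# Constructed request fragments, modelled on the strings quoted in the thread.
SAMPLES = {
    "plain": b"/app?q=select%20something%20from%20somethingmore%20where%20x=1",
    "mixed_case_plus": b"/app?q=SeLeCt+something+FrOm+somethingmore",
    "subselect": (b"/app?q=(select%20something%20from%20somethingmore"
                  b"%20where%20variable%20=%20(select%20other%20from%20t)"),
    "raw_crlf": b"/app?q=select%20something\r\n%20from%20somethingmore",
    "from_at_end": b"/app?q=select%20something%20from",
}


def select_prefixes(data: bytes) -> list:
    """Return the token sitting immediately before each SELECT keyword.

    A %XX escape is returned whole; otherwise the single preceding byte.
    This is the first thing to look at when the signature stays silent.
    """
    prefixes = []
    for m in re.finditer(rb"(?i)select", data):
        start = m.start()
        three = data[max(0, start - 3):start]
        if re.fullmatch(rb"%[0-9A-Fa-f]{2}", three):
            prefixes.append(three)
        else:
            prefixes.append(data[max(0, start - 1):start])
    return prefixes


def evaluate(samples: dict) -> dict:
    """Map sample name -> (original signature fires, variant fires)."""
    return {
        name: (bool(SIG_5474.search(data)), bool(SIG_WITH_PAREN.search(data)))
        for name, data in samples.items()
    }


if __name__ == "__main__":
    for name, (orig_hit, variant_hit) in evaluate(SAMPLES).items():
        print(f"{name:16} 5474:0={orig_hit!s:5} with_paren={variant_hit!s:5} "
              f"before SELECT: {select_prefixes(SAMPLES[name])}")
```

The `raw_crlf` and `from_at_end` rows correspond to the two caveats in the reply: a literal CR/LF between SELECT and FROM, and a FROM that is not followed by "%20" or "+".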

Similar Messages

  • PL/SQL posting to HTTP request

    Hi
    As part of a web application I am developing, I need to generate an HTTP post from a PL/SQL package. The problem I am having is that the message going out is not properly formatted and is being rejected by the listening application (in this case, WebCT)
    The MIME message should be formatted like this. (this is what I get when I use Perl to generate the call...)
    POST /webct/systemIntegrationApi.dowebct HTTP/1.1
    Host: roach:4041
    Connection: Keep-Alive, TE
    TE: trailers, deflate, gzip, compress
    User-Agent: RPT-HTTPClient/0.3-3E
    Accept-Encoding: deflate, gzip, x-gzip, compress, x-compress
    Content-type: multipart/form-data; boundary=WebCT_Enterprise_API_boundary
    Content-length: 1506
    --WebCT_Enterprise_API_boundary
    Content-Disposition: form-data; name="adapter"
    ims
    --WebCT_Enterprise_API_boundary
    Content-Disposition: form-data; name="ACTION"
    import
    --WebCT_Enterprise_API_boundary
    Content-Disposition: form-data; name="OPTION"
    unrestrict
    --WebCT_Enterprise_API_boundary
    Content-Disposition: form-data; name="SCTMODE"
    OFF
    --WebCT_Enterprise_API_boundary
    Content-Disposition: form-data; name="TIMESTAMP"
    1091141996
    --WebCT_Enterprise_API_boundary
    Content-Disposition: form-data; name="AUTH"
    3D 1F DC E0 F7 15 5A 1F F4 99 CA 70 D4 68 1C 57
    --WebCT_Enterprise_API_boundary
    Content-Disposition: form-data; name="FILENAME"; filename="baseline_import.xml"
    <?xml version="1.0" encoding="iso-8859-1"?>
    <!DOCTYPE ENTERPRISE SYSTEM "IMS-EP01.dtd">
    <ENTERPRISE>
    <PROPERTIES>
    <DATASOURCE>McGill University SCT Banner</DATASOURCE>
    <TYPE>Initial Creation</TYPE>
    <DATETIME>2000-00-00T12:00:00</DATETIME>
    </PROPERTIES>
    <GROUP>
    <SOURCEDID>
    <SOURCE>Banner 2000 SCT Banner</SOURCE>
    <ID>6536.200409</ID>
    </SOURCEDID>
    <DESCRIPTION>
    <SHORT>HIST-666-001</SHORT>
    </DESCRIPTION>
    <RELATIONSHIP myrelationship="3">
    <SOURCEDID>
    <SOURCE>Banner 2000 SCT Banner</SOURCE>
    <ID>6537.200409</ID>
    </SOURCEDID>
    </RELATIONSHIP>
    </GROUP>
    </ENTERPRISE>
    WebCT_Enterprise_API_boundary
    HTTP/1.1 200 OK
    Date: Thu, 29 Jul 2004 21:56:27 GMT
    Server: Apache/2.0.49 (Unix) DAV/2 mod_ssl/2.0.49 OpenSSL/0.9.6m mod_jk/1.2.3-dev
    Keep-Alive: timeout=15, max=100
    Connection: Keep-Alive
    Transfer-Encoding: chunked
    Content-Type: text/html
    35
    Success: Import file (baseline_import.xml) complete.
    0
    My PL/SQL code that tries to build the outgoing call is
    req := utl_http.begin_request('http://atlas.cc.mcgill.ca:8900/webct/systemIntegrationApi.dowebct','POST', 'HTTP/1.1');
    utl_http.write_text(req,'Content-type: multipart/form-data; boundary=WebCT_Enterprise_API_Boundary' || CHR(13)|| CHR(10) ||
                   '' || CHR(13)|| CHR(10) ||
                   '--WebCT_Enterprise_API_Boundary' || CHR(13)|| CHR(10) ||
                   'Content-Disposition: form-data; name="adapter"' || CHR(13)|| CHR(10) ||
                   '' || CHR(13)|| CHR(10) ||
                   'ims' || CHR(13)|| CHR(10) ||
                   '--WebCT_Enterprise_API_Boundary' || CHR(13)|| CHR(10) ||
                   'Content-Disposition: form-data; name="ACTION"' || CHR(13)|| CHR(10) ||
                   '' || CHR(13)|| CHR(10) ||
                   'import' || CHR(13)|| CHR(10) ||
                   '--WebCT_Enterprise_API_Boundary' || CHR(13)|| CHR(10) ||
                   'Content-Disposition: form-data; name="OPTION"' || CHR(13)|| CHR(10) ||
                   '' || CHR(13)|| CHR(10) ||
                   'unrestrict' || CHR(13)|| CHR(10) ||
                   '--WebCT_Enterprise_API_Boundary' || CHR(13)|| CHR(10) ||
                   'Content-Disposition: form-data; name="SCTMODE"' || CHR(13)|| CHR(10) ||
                   '' || CHR(13)|| CHR(10) ||
                   'OFF' || CHR(13)|| CHR(10) ||
                   '--WebCT_Enterprise_API_Boundary' || CHR(13)|| CHR(10) ||
                   'Content-Disposition: form-data; name="TIMESTAMP"' || CHR(13)|| CHR(10) ||
                   '' || CHR(13)|| CHR(10) ||
                   timestamp || CHR(13)|| CHR(10) ||
                   '--WebCT_Enterprise_API_Boundary' || CHR(13)|| CHR(10) ||
                   'Content-Disposition: form-data; name="AUTH"' || CHR(13)|| CHR(10) ||
                   '' || CHR(13)|| CHR(10) ||
                   mac || CHR(13)|| CHR(10) ||
                   '--WebCT_Enterprise_API_Boundary' || CHR(13)|| CHR(10) ||
                   'Content-Disposition: form-data; name="FILENAME"; filename="xlist.xml"' || CHR(13)|| CHR(10) ||
                   '' || CHR(13)|| CHR(10) ||
                   total_xml_string || CHR(13)|| CHR(10) ||
                   '--WebCT_Enterprise_API_Boundary--' || CHR(13)|| CHR(10));
    resp := utl_http.get_response(req);
    utl_http.read_text(resp, val);
    utl_http.end_response(resp);
    When I watch the network traffic generated by this PL/SQL I do not have any carriage returns, which makes WebCT believe that the message does not carry the proper data and return Fatal Failure(99): Invalid URL arguments...
    Is there somewhere where I can see sample code for placing HTTP requests using the utl_http package? Or if I am doing something obviously wrong (I am new at this whole PL/SQL thing...) please let me know.
    Thank you
    Bogdan

    If UTL_HTTP.SET_TRANSFER_TIMEOUT has no effect, probably your hang is due to the fact that the machine is completely down and inaccessible.
    As the name suggests, SET_TRANSFER_TIMEOUT only controls the timeout when UTL_HTTP succeeds in making a connection to the remote Web server and it times out the request when no more response is received by certain time while the connection is not closed by the remote server either.
    In your case, you probably need a connect-timeout which isn't provided by UTL_HTTP (yet).

  • Generic SQL Injection in HTTP Request

      So our project allows Facebook interaction.  Mars sends out this  Incident Event type every time someone attaches to Facebook.  Is this something I can just False Positive out or should I be concerned about it?  What is Facebook sending back to our network so we get this message on Mars?

    I get numerous alerts from our IDSMs and have mitigated this by
    1: not allowing the IDSMs to block our outgoing traffic at all. Not worth the risk causing major outage.
    2: created a drop in MARS that drops all SQL Injections destined for the Facebook subnets. (69.63.176.1-69.63.183.254, 66.220.144.1-66.220.159.255)
    Regards
    Fredrik

  • How to make a http request from a pl/sql procedure(URGENT)

    I need to make an HTTP request from a PL/SQL procedure. Can anyone tell me which built-in package and which procedure/function will serve my need?
    Thanks in advance.
    Ram Prasad.

    You should use the UTL_HTTP package, but before that, install the JVM into the DB

  • HTTPS request signed by client certificate from PL/SQL procedure

    Hi All, please help.
    The PL/SQL procedure connects to different web services, using both HTTP/HTTPS; for HTTPS, server certificates were used. Everything was OK.
    The next service requires the client to sign requests with a client certificate. I made the client certificate, had it signed by the CA, and stored it in Wallet Manager.
    Is there a possibility to send a signed HTTPS request from PL/SQL?
    If not, how to do it using Java and encapsulate for PL/SQL?
    Please answer ASAP!!!

    It is pretty straight-forward to make HTTPS requests with UTL_HTTP.
    To do so, you first need to create an Oracle wallet on the database server host with Oracle Wallet Manager. If your database resides on Windows, I believe a short-cut has been created in the Windows menu. On Linux, it can be invoked from $ORACLE_HOME/bin/owm.
    Once the wallet is created, you need to make an additional call to utl_http.set_wallet(<wallet-directory>, <wallet-password>) before any utl_http.request or utl_http.begin_request calls. The <wallet-directory> is the wallet directory where you will find the cwallet.sso and/or ewallet.p12 files, using the format "file:/<wallet-directory>". For example:
    utl_http.set_wallet('file:/home/oracle/wallets/my_wallet/', '123456');
    When an Oracle wallet is created, it is pre-populated with common certificate authorities' certificates (e.g. Verisign). In the event that the server certificate of the HTTPS host is not signed by one of those common certificate authorities, you need to import the additional certificate authority's certificate in your wallet using Oracle Wallet Manager.

  • Need sql query to get OIM request pending approval details for one user

    HI OIM Guru,
    It would be a great help if someone could provide me a SQL query by which I can find out how many requests are pending approval for one user.

    1. Below query will give you status of all the request.
    SELECT REQ.REQUEST_ID , REQ.REQUEST_STATUS FROM REQUEST REQ
    2. You can have following status
    Obtaining Operation Approval
    Obtaining Template Approval
    Operation Approval Approved
    Operation Approval Rejected
    Post Operation Processing Initiated
    Request Approval Rejected
    Request Closed
    Request Completed
    Request Created
    Request Failed
    Request Withdrawn
    Template Approval Rejected
    3. Now prepare the query from the above sample; the request status string should not contain the following values.
    Rejected
    Failed
    Closed
    Withdrawn
    Completed
    The built query will give you the desired result for 11g.
    For 10g:
    Get the OST_STATUS from the Req table, and apply the logic stated above
    -Kuldeep
    Edited by: Kuldeep on May 22, 2012 1:04 AM

  • "http request error" - SQL call sometimes works, sometimes doesn't

    Hello everyone,
    A bit of a random question, maybe someone has an idea...
    I have a flex app that queries data from a mySQL service via http service. Overall, things work great! The queries are quick to return a result and without issues. But, when I view the website from my work PC, I get this error "HTTP Request Error", and none of the SQL calls work. Any ideas? I know my work has very tight security regulations, but I would still think it would be able to work.
    I can't get a better security message because I can't set up and run flex to debug the issue, all I get is "HTTP Request Error", so who knows what it could be. I have tested my website from about 15 computers/different networks, and they all work, except my work PC. Any ideas?
    And yes, the flash version is current.
    Thanks!

    it sounds like the work security is blocking it
    Can you write a simple HTML page that fetches the data and displays it? It might give you a better idea of what is happening behind Flex

  • HTTP request using PL/SQL

    I've the following header and http request.
    POST http://deab/DexNETWebServices_4_0_0_4/LoginService.svc HTTP/1.1
    MIME-Version: 1.0
    Content-Type: multipart/related; type="application/xop+xml";start="<http://tempuri.org/0>";boundary="uuid:e4c19840-745d-45b2-90ca-12d71be4cfd9+id=1";start-info="application/soap+xml"
    VsDebuggerCausalityData: uIDPo5F/qXRc4YJImqB6Ard30cQAAAAAAjIXinpIVUulXLJOsSG7yyv7Lf2yHgpHlIxvc6oeqaAACQAA
    Host: deab
    Content-Length: 1017
    Expect: 100-continue
    Accept-Encoding: gzip, deflate
    Connection: Keep-Alive
    --uuid:e4c19840-745d-45b2-90ca-12d71be4cfd9+id=1
    Content-ID: <http://tempuri.org/0>
    Content-Transfer-Encoding: 8bit
    Content-Type: application/xop+xml;charset=utf-8;type="application/soap+xml"
    <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing"><s:Header><a:Action s:mustUnderstand="1">http://tempuri.org/ILoginService/LoginByUserName</a:Action><a:MessageID>urn:uuid:cf410a05-23d4-4b92-a22c-329cbc19fbe7</a:MessageID><a:ReplyTo><a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address></a:ReplyTo><a:To s:mustUnderstand="1">http://deab/DexNETWebServices_4_0_0_4/LoginService.svc</a:To></s:Header><s:Body><LoginByUserName xmlns="http://tempuri.org/"><systemId>19e0ddb4-5fa5-41ee-b624-aea762865a6c</systemId><strName>FirmwareUpdateLogQueryWorker</strName><productId>0af39a3e-6549-485b-872f-b73413203998</productId><password>abc</password></LoginByUserName></s:Body></s:Envelope>
    --uuid:e4c19840-745d-45b2-90ca-12d71be4cfd9+id=1--
    I'm using the following code to set the header from PL/SQL.
    l_http_req := UTL_HTTP.begin_request ('http://deab/DexNETWebServices_4_0_0_4/LoginService.svc', 'POST', 'HTTP/1.1');
    UTL_HTTP.set_header (
             l_http_req,
             'Content-Type',
             'multipart/related; type="application/xop+xml";start="<http://tempuri.org/0>";boundary="uuid:e4c19840-745d-45b2-90ca-12d71be4cfd9+id=1";start-info="application/soap+xml"');
    UTL_HTTP.set_header (l_http_req, 'Content-Length', LENGTH (l_request));
    But UTL_HTTP.get_response returns the error 400 Bad Request. How do I set MIME-Version and VsDebuggerCausalityData from the header?
    Thank you for your help on this.

    Here is the complete code that returns the 400 Bad Request error. Thanks for your help.
    DECLARE
       l_request         CLOB;
       l_http_req        UTL_HTTP.req;
       l_http_resp       UTL_HTTP.resp;
       v_buffer          VARCHAR2 (32767);
       p_status_code     NUMBER (9);
       p_error_message   VARCHAR2 (32767);
       p_response        CLOB;
    BEGIN
       l_request :=
             '--uuid:e4c19840-745d-45b2-90ca-12d71be4cfd9+id=1
    Content-ID: <http://tempuri.org/0>
    Content-Transfer-Encoding: 8bit
    Content-Type: application/xop+xml;charset=utf-8;type="application/soap+xml"
    <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing"><s:Header><a:Action s:mustUnderstand="1">http://tempuri.org/ILoginService/LoginByUserName</a:Action><a:MessageID>urn:uuid:cf410a05-23d4-4b92-a22c-329cbc19fbe7</a:MessageID><a:ReplyTo><a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address></a:ReplyTo><a:To s:mustUnderstand="1">http://deab/DexNETWebServices_4_0_0_4/LoginService.svc</a:To></s:Header><s:Body><LoginByUserName xmlns="http://tempuri.org/"><systemId>'
          || '19e0ddb4-5fa5-41ee-b624-aea762865a6c'
          || '</systemId><strName>'
          || 'FirmwareUpdateLogQueryWorker'
          || '</strName><productId>'
          || '0af39a3e-6549-485b-872f-b73413203998'
          || '</productId><password>'
          || 'abc'
          || '</password></LoginByUserName></s:Body></s:Envelope>
    --uuid:e4c19840-745d-45b2-90ca-12d71be4cfd9+id=1--';
       DBMS_OUTPUT.put_line ('request ' || l_request);
       l_http_req :=
          UTL_HTTP.begin_request (
             'http://deab/DexNETWebServices_4_0_0_4/LoginService.svc',
             'POST',
             'HTTP/1.1');
       UTL_HTTP.set_header (
          l_http_req,
          'Content-Type',
          'multipart/related; type="application/xop+xml";start="<http://tempuri.org/0>";boundary="uuid:e4c19840-745d-45b2-90ca-12d71be4cfd9+id=1";start-info="application/soap+xml"');
       UTL_HTTP.set_header (l_http_req, 'Content-Length', LENGTH (l_request));
       UTL_HTTP.set_header (l_http_req, 'MIME-Version', '1.0');
       UTL_HTTP.set_header (
          l_http_req,
          'VsDebuggerCausalityData',
          'uIDPo5F/qXRc4YJImqB6Ard30cQAAAAAAjIXinpIVUulXLJOsSG7yyv7Lf2yHgpHlIxvc6oeqaAACQAA');
       UTL_HTTP.write_text (l_http_req, l_request);
       DBMS_LOB.createtemporary (p_response, FALSE);
       l_http_resp := UTL_HTTP.get_response (l_http_req);
       BEGIN
          LOOP
             UTL_HTTP.read_text (l_http_resp, v_buffer, 32767);
             DBMS_OUTPUT.put_line (v_buffer);
             DBMS_LOB.writeappend (p_response, LENGTH (v_buffer), v_buffer);
          END LOOP;
       EXCEPTION
          WHEN UTL_HTTP.end_of_body
          THEN
             NULL;
       END;
       UTL_HTTP.end_response (l_http_resp);
       p_status_code := l_http_resp.status_code;
       p_error_message := l_http_resp.reason_phrase;
       p_response := REPLACE (p_response, '&lt;', '<');
       p_response := REPLACE (p_response, '&gt;', '>');
       DBMS_OUTPUT.put_line (
          'Status: ' || p_status_code || '-' || p_error_message || ': ' || p_response);
    END;

  • Pl/sql call to a WS: HTTP request error

    Hello,
    I am trying to call a web service from a pl/sql package and am getting this error from the Apps (10g database)
    ORACLE error 29273 in FDPSTP
    Cause: FDPSTP failed due to ORA-29273: HTTP request failed
    ORA-06512: at "SYS.UTL_HTTP", line 1029
    ORA-28862: SSL connection failed
    ORA-06512: at "APPS.CM_TEST_WS_INVOKE", line 19
    ORA-06512: at line 1
    Could anyone help me resolve this so that I can call the web service?
    Any help would be greatly appreciated.
    -CC
    Edited by: user11121346 on May 1, 2012 10:17 AM

    Hi,
    As this is a SSL call, you need to configure the wallet. Basically if it is a One-way SSL (only webservice server gets authenticated), you need to follow the following steps.
    1.) Extract the Public Certificate of the Target Web service using the browser
    2.) Import this certificate in the Oracle Wallet using Oracle Wallet Manager
    3.) The schema user trying to invoke the service should have proper ACL permissions
    4.) Test your connection from the R12 SQL directly using the SQL statement below. If it succeeds, you can wrap the service call in a package.
    select utl_http.request('https://<service URL>',
    NULL,                     --Proxy Settings if any
    'file:<Wallet_Location>', -- on R12
    <Wallet_Password>)
    from dual;
    Let me know if you still face any issues.
    Regards,
    Neeraj Sehgal

  • SQL query requested to pull one field out of multiple records

    Post Author: ralph.devlin
    CA Forum: Data Connectivity and SQL
    We use Track IT to manage our ticket base. We have parent work orders and child assignments that I am trying to report on. What I want to do is create a view, or even if this can be done in a formula, is pull data from the main work order, which in our scenario and according to the database diagram is WORKORDERTYPEID = 0. It will pull the TASKS.RESPONS field from that WO. Then it will compare the TASKS.PARENTWOID to WOID and if WORKORDERTYPEID = 1 then it needs to return the TASKS.RESPONS field of that record, and there may be three records or so. Then what I may need it to do is organize it maybe into separate columns so I can add each one to Crystal, keeping in mind that it will need to link those records to the main WOID of the parent so it will display on one line. Any ideas?
    Ralph

    Post Author: ralph.devlin
    CA Forum: Data Connectivity and SQL
    OK, I tried that and it seemed to work fine. Here is an example of the data returned:
    168458
    Lane, Carrie
    Ralph Devlin
    Ralph Devlin
    168458
    PHX - Training Room
    SM - 8th Fl Conf Room
    NULL
    NULL
    168458
    6/20/2008 3:30:00 PM
    Video Conference
    0
    168458
    Lane, Carrie
    Ralph Devlin
    Luis Estrada
    168458
    PHX - Training Room
    SM - 8th Fl Conf Room
    NULL
    NULL
    168458
    6/20/2008 3:30:00 PM
    Video Conference
    1
    Using the last column, which is the workordertypeid, I was able to eliminate the first row of data, which is the parent work order, but see how it is returning the technician name twice, where the second row returns me as the primary and then the technician on the assignment WO as well, which I want. In Crystal I have it only selecting the rows with the 1 in the last column, since those rows have the data arranged how I want them to be.
    One issue that just arose is: what if we only had one work order that we wanted to report on in the subreport? Since the WO will get a 0 in the last column, it will never be selected in the report. Is there a way to either use a statement that selects it if it is the only WO listed compared by the WOID field, or is there a way in SQL to get what is showing in row 2 to be the only row returned, so I can then show all work orders regardless of whether they are an assignment?
    Here is my current SQL query
    SELECT     T1.WOID, T1.REQUEST, T1.RESPONS, T2.RESPONS AS Addtech, T2.PARENTWOID, T1.LOOKUP2, T1.TaskLookup3, T1.TaskLookup4, T1.TaskLookup5,
               T1.WO_NUM, T1.DUEDATE, T1.WOTYPE3, T2.WorkOrderTypeId
    FROM       dbo.TASKS AS T1 LEFT OUTER JOIN
               dbo.TASKS AS T2 ON T2.PARENTWOID = T1.WOID

  • Request for report SQL Query

    hi all,
    i created links for an element but for some element links the costing and balancing codes were mistakenly given wrong and the element links are plenty so i am unable to find which is wrongly given.
    can some 1 out there provide me with the sql query that will allow me to create a report to run and confirm all the links have costing and balancing codes for all the earnings or voluntary deduction elements.
    Thank you for reading my issue. plz help!

    See if the below helps.
    Change the business group id in the query below-
    select ppf.payroll_name   
    ,pj.name Job,hou.name HR_ORG,ppg.group_name People_Group  
    ,pel.employment_category
    ,hra.location_code 
    ,pet.element_name,pet.reporting_name,pec.classification_name  
    ,pel.costable_type 
    ,pel.link_to_all_payrolls_flag 
    ,pcak1.concatenated_segments Element_Cost_Segments   
    ,pcak1.segment1  
    ,pcak1.segment2  
    ,pcak1.segment3  
    ,pcak1.segment4  
    ,pcak1.segment5  
    ,pcak1.segment6  
    ,pcak1.segment7  
    ,pcak1.segment8  
    ,pcak2.concatenated_segments Balancing_Cost_Segments  
    ,pcak2.segment1  
    ,pcak2.segment2  
    ,pcak2.segment3  
    ,pcak2.segment4  
    ,pcak2.segment5  
    ,pcak2.segment6  
    ,pcak2.segment7  
    ,pcak2.segment8  
    from pay_element_links_f pel   
    ,apps.PAY_COST_ALLOCATION_KEYFLEX  pcak1    
    ,apps.PAY_COST_ALLOCATION_KEYFLEX  pcak2    
    ,pay_element_types_f pet   
    ,pay_payrolls_f ppf   
    ,pay_element_classifications pec   
    ,per_jobs pj  
    ,hr_all_organization_units hou  
    ,PAY_PEOPLE_GROUPS ppg  
    ,hr_locations_all hra 
    where pel.element_type_id = pet.element_type_id   
    and ppf.payroll_id(+)   = pel.payroll_id
    and pcak1.cost_allocation_keyflex_id(+) = pel.cost_allocation_keyflex_id     
    and pcak2.cost_allocation_keyflex_id(+) = pel.balancing_keyflex_id     
    and  pet.business_group_id = 0   
    and pet.classification_id = pec.classification_id   
    and pj.job_id(+) = pel.job_id  
    and hou.organization_id(+) = pel.organization_id  
    and ppg.people_group_id(+) = pel.people_group_id  
    and hra.location_id(+) = pel.location_id  
    and sysdate between pel.effective_start_date and pel.effective_end_date
    and sysdate between pet.effective_start_date and pet.effective_end_date
    and sysdate between ppf.effective_start_date(+) and ppf.effective_end_date(+)
    order by ppf.payroll_name,pec.classification_name
    Please close the thread, if your issue is resolved.
    Cheers,
    VB

  • SQL Query with ' in conditon'

    Hello together,
    i try to use request list from APEX check list for sql query.
    example:
    select *
    from emp
    where empno in (:APEX_LIST)
    If I have just one value in the list everything is OK, but if I have more values I don't have any.
    Can somebody help me?

    Hi,
    Use following query:
    select * from emp
    where (INSTR (':'||:APEX_LIST||':',':'||empno||':') > 0)
    Regards,
    Kartik Patel
    http://patelkartik.blogspot.com/
    http://apex.oracle.com/pls/apex/f?p=9904351712:1

  • SQL Query works in SQL Developer, but not always in MII

    Hi all,
    I encountered a strange behaviour with a query in MII 12.0.2. Maybe someone has a guess what happens.
    I have created a SQL query which runs against Oracle 10g tables. I have tested the query using SQL Developer, and it throws a couple of lines, depending on the contents of the where clause.
    Next I have copied the query to a MII SQL Query (FixedQuery). However, the output is empty most of the time, without showing any errors. After some testing I got the impression that older data are not displayed, but there is no time or date setting in MII.
    As the SQL Developer always returns rows, I am unsure where to search for the error.
    Regards
    Michael

    Michael,
    I would imagine that you have sub-select statements in your FixedQuery, all which will fall subject to the RowCount property of the query template (SQL defaults to 100), which is issued through the driver and typically honored by the database when returning the data from your request.
    Most of the native database query tools allow you to make unbound query requests with no limit on rows, which would probably account for the difference between SQL Developer and the query template.
    For SQLServer it's ROWCOUNT:  http://msdn.microsoft.com/en-us/library/ms188774.aspx
    For Oracle it's ROWNUM:  http://www.oracle.com/technology/oramag/oracle/06-sep/o56asktom.html
    So the answer would be not to make the query template row count some ridiculous number, but more appropriately refine the way that the database request is issued.
    Regards,
    Jeremy

  • JSP Servlet and convert the result set of an SQL Query To XML file

    Hi all
    I have a problem exporting my SQL query's result into an XML file. I had fixed my servlet and JSP so that I can display all the records in my database, and that is the goal. Now I want to get the result set into the JSP so that I can create an XML file from that result set from the JSP code.
    This is my servlet, which will call the JSP page, and the JSP is just behind it.
    //this is the servlet
    import java.io.*;
    import java.lang.reflect.Array;
    import java.sql.*;
    import java.util.ArrayList;
    import java.util.logging.Level;
    import java.util.logging.Logger;
    import javax.servlet.*;
    import javax.servlet.http.*;
    import javax.naming.*;
    import javax.sql.*;
    public class Campaign extends HttpServlet
    {
        private final static Logger log = Logger.getLogger(Campaign.class.getName());
        private final static String DATASOURCE_NAME = "jdbc/SampleDB";
        private DataSource _dataSource;
        public void setDataSource(DataSource dataSource)
        {
            _dataSource = dataSource;
        }
        public DataSource getDataSource()
        {
            return _dataSource;
        }
        public void init()
        throws ServletException
        {
            if (_dataSource == null) {
                try {
                    Context env = (Context) new InitialContext().lookup("java:comp/env");
                    _dataSource = (DataSource) env.lookup(DATASOURCE_NAME);
                    if (_dataSource == null)
                        throw new ServletException("`" + DATASOURCE_NAME + "' is an unknown DataSource");
                } catch (NamingException e) {
                    throw new ServletException(e);
                }
            }
        }
        protected void doGet(HttpServletRequest request, HttpServletResponse response)
        throws IOException, ServletException
        {
            Connection conn = null;
            try {
                conn = getDataSource().getConnection();
                Statement stmt = conn.createStatement();
                ResultSet rs = stmt.executeQuery("select post_id,comments,postname from app.posts");
                // out.println("Le résultat :<br>");
                ArrayList <String> Lescomments= new ArrayList<String>();
                ArrayList <String> Lesidentifiant = new ArrayList<String>();
                ArrayList <String> Lesnoms = new ArrayList <String>();
                while (rs.next()) {
                    Lescomments.add(rs.getString("comments"));
                    request.setAttribute("comments",Lescomments);
                    Lesidentifiant.add(rs.getString("post_id"));
                    request.setAttribute("id",Lesidentifiant);
                    Lesnoms.add(rs.getString("postname"));
                    request.setAttribute("nom",Lesnoms);
                }
                rs.close();
                stmt.close();
            }
            catch (SQLException e) {
            }
            finally {
                try {
                    if (conn != null)
                        conn.close();
                }
                catch (SQLException e) {
                }
            }
            // the parameters are valid - forward to the response page
            getServletContext().getRequestDispatcher("/Campaign.jsp").forward(request,response);
    }///end of servlet
    }///this is the jsp page called
    <%@ page import="java.util.ArrayList" %>
    <%
    // retrieve the data
    ArrayList nom=(ArrayList)request.getAttribute("nom");
    ArrayList id=(ArrayList)request.getAttribute("id");
    ArrayList comments=(ArrayList) request.getAttribute("comments");
    %>
    <html>
    <head>
    <title></title>
    </head>
    <body>
    Liste des campagnes here i will create the xml file the problem is to display all rows
    <hr>
    <table>
    <tr>
    </tr>
    <tr>
    <td>Comment</td>
    <td>
    <%
    for( int i=0;i<comments.size();i++){
    out.print("<li>" + (String) comments.get(i) + "</li>\n");
    }//for
    %>
    </tr>
    <tr>
    <td>nom</td>
    <td>
    <%
    for( int i=0;i<nom.size();i++){
    out.print("<li>" + (String) nom.get(i) + "</li>\n");
    }//for
    %>
    </tr>
    <tr>
    <td>id</td>
    <td>
    <%
    for( int i=0;i<id.size();i++){
    out.print("<li>" + (String) id.get(i) + "</li>\n");
    }//for
    %>
    </tr>
    </table>
    </body>
    </html>
    This is how i used to create an XML file in a JSP page only without JSP/SERVLET concept:
    <%@ page import="java.sql.*" %>
    <%@ page import="java.io.*" %>
    <%
    // Line feed character appended to each output line
    int iLf = 10;
    char cLf = (char)iLf;
    // Create a new empty file, which will contain the XML output
    File outputFile = new File("C:\\Users\\user\\workspace1\\demo\\WebContent\\YourFileName.xml");
    //outputFile.createNewFile();
    FileWriter outfile = new FileWriter(outputFile);
    // the header for XML file
    outfile.write("<?xml version='1.0' encoding='ISO-8859-1'?>"+cLf);
    try {
        // Define connection string and make a connection to database
        Connection conn = DriverManager.getConnection("jdbc:derby://localhost:1527/SAMPLE","app","app");
        Statement stat = conn.createStatement();
        // Create a recordset
        ResultSet rset = stat.executeQuery("Select * From posts");
        // Expecting at least one record
        if( !rset.next() ) {
            throw new IllegalArgumentException("No data found for the posts table");
        }
        outfile.write("<Table>"+cLf);
        // Parse our recordset; the cursor is already on the first row,
        // so use do/while to avoid skipping it
        do {
            outfile.write("<posts>"+cLf);
            outfile.write("<postname>" + rset.getString("postname") +"</postname>"+cLf);
            outfile.write("<comments>" + rset.getString("comments") +"</comments>"+cLf);
            outfile.write("</posts>"+cLf);
        } while(rset.next());
        outfile.write("</Table>"+cLf);
        // Everything must be closed
        rset.close();
        stat.close();
        conn.close();
        outfile.close();
    }
    catch( Exception er ) {
    }
    %>

    Please state the problem that you are having more clearly so we can help.
    I looked at your code and here are a few things you might consider:
    It looks like you are putting freely typed-in comments from end-users into an xml document.
    The problem with this is that the user may enter characters in his text that have special meaning
    to xml and will have to be escaped correctly. Some of these characters are the less than character, greater than character and ampersand character.
    You may also have a similar problem displaying them on your JSP page since there may be special characters that JSP has.
    You will have to read up on how to deal with these special characters (I don't remember what the rules are). I seem to recall
    if you use CDATA in your xml, you don't have to deal with those characters (I may be wrong).
    When you finish writing your code, test it by entering all keyboard characters to make sure they are processed, stored in the database,
    and re-displayed correctly.
    Also, it looks like you are putting business logic in your JSP page (creating an xml file).
    The JSP page is for displaying data ONLY and submitting back to a servlet. Put all your business logic in the servlet. Putting business logic in JSP is considered bad coding and will cause you many hours of headache trying to debug it. Also note: java scriptlets in a JSP page are only run when the JSP page is compiled into a servlet by java. It does not run after it's compiled and therefore you can't call java functions after the JSP page is displayed to the client.
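The escaping this reply describes, as an added Java example (not code from the thread): `XmlText`, `escape` and `cdata` are hypothetical names and the sample comments are constructed. It also covers two cases the reply does not mention: characters that XML 1.0 forbids outright, and `]]>` appearing inside a CDATA section.

```java
// Added example: helpers for writing user-supplied text into the posts/comments XML.
public final class XmlText {
    private XmlText() {}

    /** True if the code point is allowed by the XML 1.0 Char production. */
    static boolean isXmlChar(int cp) {
        return cp == 0x9 || cp == 0xA || cp == 0xD
            || (cp >= 0x20 && cp <= 0xD7FF)
            || (cp >= 0xE000 && cp <= 0xFFFD)
            || (cp >= 0x10000 && cp <= 0x10FFFF);
    }

    /** Drop characters no XML 1.0 document may contain; null (a NULL column) becomes "". */
    static String stripInvalid(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length());
        s.codePoints().filter(XmlText::isXmlChar).forEach(out::appendCodePoint);
        return out.toString();
    }

    /** Escape text for element content or a quoted attribute value. */
    public static String escape(String s) {
        StringBuilder out = new StringBuilder();
        for (char ch : stripInvalid(s).toCharArray()) {
            switch (ch) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(ch);
            }
        }
        return out.toString();
    }

    /** CDATA alternative: "]]>" would end the section early, so split it across two. */
    public static String cdata(String s) {
        return "<![CDATA[" + stripInvalid(s).replace("]]>", "]]]]><![CDATA[>") + "]]>";
    }

    public static void main(String[] args) {
        // Constructed sample comments, not data from the thread.
        String[] samples = { "a < b && c > d", "</comments><posts>x", "end ]]> here", "bell\u0007char", null };
        for (String c : samples) {
            System.out.println("<comments>" + escape(c) + "</comments>");
            System.out.println("<comments>" + cdata(c) + "</comments>");
        }
    }
}
```

The same `escape` output is safe inside the `<li>` elements the JSP page prints, since the five characters it replaces are also the ones HTML treats as markup.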

  • 401 Unauthorized after too many tables in AXL SQL Query

    Hi...
    I have an app that sends several AXL calls. All work fine with the exception of one accessing MGCP data via the AXL SQL QUERY command. I have found that if I only do a couple of tables it works fine, but if I add in more than 3 I get a 401 unauthorized return. Now, I know the commands are built correctly because it's working for every other command in the set and like I said if I only do 3 or less tables the query works. Also, if I SSH into the CM locally and do run sql with the full command, it returns all tables fine, which leads me to believe this is a restriction in the return of the axl soap call...
    Help?
    I am using CM 6.0. The full query being passed in that returns 401 unauthorized is:
    SELECT MGCP.pkid, MGCP.DomainName, TypeProduct.Name AS GatewayProduct, CallManagerGroup.Name AS CallManagerGroup, MGCPSlotConfig.Slot, TypeMGCPSlotModule.Name AS UnitModule, MGCPSlotConfig.Subunit AS SubUnitIndex, TypeMGCPVic.Name AS SubUnitProduct, TypeMGCPVic.MaxNumPorts, MGCP.VersionStamp, MGCP.SpecialLoadInformation FROM TypeMGCPVic RIGHT OUTER JOIN MGCPSlotConfig ON TypeMGCPVic.Enum = MGCPSlotConfig.tkMGCPVic LEFT OUTER JOIN CallManagerGroup RIGHT OUTER JOIN MGCP ON CallManagerGroup.pkid = MGCP.fkCallManagerGroup LEFT OUTER JOIN TypeProduct ON MGCP.tkProduct = TypeProduct.Enum ON MGCPSlotConfig.fkMGCP = MGCP.pkid LEFT OUTER JOIN TypeMGCPSlotModule ON MGCPSlotConfig.tkMGCPSlotModule = TypeMGCPSlotModule.Enum ORDER BY MGCP.DomainName, MGCPSlotConfig.Slot, UnitModule DESC, MGCPSlotConfig.Subunit"
    Again, this works locally on the CM machine, it works if I pull back some of the tables... The AXL trace logs do not have errors, they just stop (with a return soap call that isn't passed back because 401 is received).
    Thanks!

    Here is the trace log. The return is there! It just never gets received.
    2008-05-22 09:50:23,458 INFO [http-8443-Processor23] axl.AXLRouter - <?xml version="1.0" encoding="UTF-8"?>http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">http://www.cisco.com/AXL/API/6.0" xmlns:xsi="http://www.cisco.com/AXL/API/6.0" sequence="1">67a5af3c-878b-8dd3-2865-ca3ca007d2c22811-Test-VG1Cisco 2811Sub-Pub0NM-4VWIC-MBRD0VWIC2-1MFT-T1E1-T111209133478-fb3741a3-bb70-4013-90fa-734bea80f77267a5af3c-878b-8dd3-2865-ca3ca007d2c22811-Test-VG1Cisco 2811Sub-Pub0NM-4VWIC-MBRD1VWIC2-1MFT-T1E1-T111209133478-fb3741a3-bb70-4013-90fa-734bea80f77267a5af3c-878b-8dd3-2865-ca3ca007d2c22811-Test-VG1Cisco 2811Sub-Pub0NM-4VWIC-MBRD2VIC2-4FXO41209133478-fb3741a3-bb70-4013-90fa-734bea80f77267a5af3c-878b-8dd3-2865-ca3ca007d2c22811-Test-VG1Cisco 2811Sub-Pub0NM-4VWIC-MBRD3VIC-4FXS41209133478-fb3741a3-bb70-4013-90fa-734bea80f77243187db4-aa08-2141-a7eb-c865f45c5996Router.atrion.internalCisco 2811Pub-Sub0NM-4VWIC-MBRD0VWIC-2MFT-T121207845753-f4497a98-4ee7-42e7-9770-090898a52ca9eb492b1e-f238-ace9-3ffe-0a7b8765f364test-3845Cisco 3845Pub-Sub0NM-4VWIC-MBRD0VIC2-2MFT-T1E1-E121210884106-fa04b172-efe5-4ca0-9e44-1934af3fa7c6eb492b1e-f238-ace9-3ffe-0a7b8765f364test-3845Cisco 3845Pub-Sub0NM-4VWIC-MBRD1VIC2-2MFT-T1E1-E121210884106-fa04b172-efe5-4ca0-9e44-1934af3fa7c6
    2008-05-22 09:50:23,461 INFO [http-8443-Processor23] axl.AXLRouter - Request 1211393338927 was process in 30ms
