How to detect the SQL type to avoid SQL injection

Hello

I work at a GSM company and we develop a program for trend analysis. Users of this program can write SQL statements. I want to accept specific SQL statements as my program's input (SELECT ... FROM ...), mostly SELECT statements. I have dynamic SQL and PL/SQL blocks in my program. I take user-defined SQL statements and execute them as dynamic SQL.

Here's the problem: I need to understand what type of SQL they give as my program's input parameter, to avoid wrong operations (DELETE, TRUNCATE, DROP...).

First of all I thought of using a RegExp to understand whether it is a SELECT SQL or a DELETE SQL...

Is there a recommended approach to this problem? Does Oracle have any procedure to detect this?

Thank you

Hi a_yavuz,

We had to solve the same problem while working on a project that receives user SQL statements; we check the SQL as follows:

-- accept only statements whose first keyword (after leading whitespace) is SELECT or WITH
lb_bool := regexp_like(upper(pv_sql), '^[[:space:]]*(SELECT|WITH)');
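The first-keyword check from the reply, written out as an added example in Python rather than the thread's PL/SQL (this is not code from the thread): it strips leading whitespace and comments before classifying, so the first keyword is found even when the statement starts with a hint or comment block, and it accepts only a single SELECT or WITH statement. The function names and the sample statements are this example's own constructions.

```python
import re

# Statement kinds the program accepts from users, per the thread: read-only
# SELECT statements and WITH (subquery factoring) statements.
ALLOWED_KINDS = {"SELECT", "WITH"}

# Whitespace, -- line comments and /* block */ comments (an optimizer hint is
# a block comment too) may precede the first keyword.
_LEADING_NOISE = re.compile(r"^(?:\s+|--[^\n]*\n?|/\*.*?\*/)+", re.DOTALL)
_FIRST_WORD = re.compile(r"^([A-Za-z]+)")
_STRING_LITERAL = re.compile(r"'(?:[^']|'')*'")  # 'it''s' style quoting


def strip_leading_noise(sql: str) -> str:
    """Remove whitespace and comments in front of the first keyword."""
    return _LEADING_NOISE.sub("", sql, count=1)


def statement_kind(sql: str) -> str:
    """First keyword of the statement in upper case, or '' if there is none."""
    m = _FIRST_WORD.match(strip_leading_noise(sql))
    return m.group(1).upper() if m else ""


def is_read_only_query(sql: str) -> bool:
    """Accept a single SELECT/WITH statement and nothing else.

    A trailing ';' is tolerated, a second statement after it is not. Because
    'SELECT ... FOR UPDATE' takes row locks, it is rejected as well.
    """
    body = strip_leading_noise(sql).rstrip()
    if body.endswith(";"):
        body = body[:-1].rstrip()
    if statement_kind(body) not in ALLOWED_KINDS:
        return False
    # Any ';' outside a string literal means more than one statement (a ';'
    # inside a comment is not exempted, which errs on the side of rejecting).
    if ";" in _STRING_LITERAL.sub("", body):
        return False
    if re.search(r"\bFOR\s+UPDATE\b", body, re.IGNORECASE):
        return False
    return True


# Constructed sample statements (not from the thread) and the expected verdict.
SAMPLES = {
    "select ename from scott.emp": True,
    "/* hint */\n-- comment\nSELECT 1 FROM dual;": True,
    "WITH x AS (SELECT 1 a FROM dual) SELECT a FROM x": True,
    "SELECT ';' AS sep FROM dual": True,
    "DELETE FROM scott.emp": False,
    "  TRUNCATE TABLE scott.emp": False,
    "SELECT 1 FROM dual; DROP TABLE scott.emp": False,
    "SELECT * FROM scott.emp FOR UPDATE": False,
}


def check_samples() -> dict:
    """Verdict for every sample, keyed by the statement text."""
    return {sql: is_read_only_query(sql) for sql in SAMPLES}


if __name__ == "__main__":
    for sql, ok in check_samples().items():
        kind = statement_kind(sql) or "-"
        print(f"{'accept' if ok else 'reject'}  {kind:<9} {sql!r}")
```

The keyword check is a first filter, not the whole control: the database account that executes user SQL should hold only SELECT privileges on the analysed tables, so a statement that gets past the filter still cannot modify data.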

Tags: Database

Similar Questions

  • How to detect the data type?

    Hello!

    I built a SubVI function. But I want to make it safe: the function should detect what type of data is connected to its inputs and only allow certain data types to be wired. How can I do this?

    Thank you

    You could look into polymorphic VIs. They allow you to connect different types of data. However, it is not really an option to "not allow" it.

    If someone creates their own SubVI in LabVIEW, then they should pay attention to details like the connection points. Other than providing good documentation describing the function, inputs and outputs of a SubVI, it's not really necessary for the creator of the SubVI to prevent another programmer from using the SubVI wrongly.

  • How to detect the window closing event and to do some tasks before leaving

    Hello

    Does anyone know how to detect the window closing event and do some tasks before leaving?

    Sridhar

    An Event Structure allows you to detect the window closing event. In the Event Structure, select This VI -> Panel Close for this task. See attached picture.

  • How to detect the sign of a number?

    I have an output which gives whether the number is negative or positive. My problem is how to detect the sign of the number and output a Boolean? For example, if the input number is negative, such as -23.11, I want to output the value false, and if the number is positive, such as 17.99, I want to output true.

    T H A N K S!

    Test whether the number is greater than or equal to zero.

  • How to detect the ALT key pressed in OS7

    Hai,

    How do I detect the ALT key being pressed in OS7?

    Can I use the source for OS7 as below?

    protected boolean keyStatus(final int keycode, final int time) {
        if (Keypad.key(keycode) == Keypad.KEY_ALT) {
            ...
            return true;
        } else {
            return super.keyStatus(keycode, time);
        }
    }

    And also I want to know what the return value of this method is, in detail.
    How do I detect the other keys as well?
    What are the updates or changes in the code from OS6 to OS7?

    The key code is a bit mask; if you use "==" to compare you won't get accurate results, you should use the '&' operator.

    See
    http://supportforums.BlackBerry.com/T5/Java-development/detect-ALT-and-shift-key-clicks/Ta-p/444976

  • How to detect the number of created quickobjects

    How do I detect the number of QuickObjects created? The QuickObjects are from QuickBox2D.

    Basically, I have a timer that counts down 4 seconds and then creates a falling ball; the ball gets removed when it falls off the screen. However, I want it so that if more than 5 balls are in play, it stops creating balls until there are fewer than 5 again and then starts creating some balls again. Is there a way I can do this?

    This is the timer that creates the balls:

    if (!_ballCreation_timer) {
        _ballCreation_timer = new Timer(4000);
        _ballCreation_timer.addEventListener(TimerEvent.TIMER, _onBallCreationTimer);
    }
    _ballCreation_timer.start();

    // Function which creates the ball on each timer tick
    function _onBallCreationTimer(e:TimerEvent):void {
        _doCreateNewBall();
    }

    function _doCreateNewBall():void {
        _ball_quickobject = sim.addCircle({x: PHYSICS_SCALE * 960, y: PHYSICS_SCALE * 10, radius: 0.5, draggable: false});
        // keep a list of the balls
        _balls_array.push(_ball_quickobject);
    }

    This is the part where a ball (QuickObject) that falls off the screen is destroyed:

    addEventListener(Event.ENTER_FRAME, _onEnterFrame);

    // check each ball for falling out of the screen
    function _onEnterFrame(aEvent:Event):void {
        for each (var quickObject:QuickObject in _balls_array) {
            // ball falling out of the screen?
            if (quickObject.y / PHYSICS_SCALE > 1080) {
                _doHandleBallOffScreen(quickObject);
            }
        }
    }

    // destroy the ball if it fell off the screen
    function _doHandleBallOffScreen(aQuickObject:QuickObject):void {
        // destroy the object
        aQuickObject.destroy();
        // remove it from the custom list
        _balls_array.splice(_balls_array.indexOf(aQuickObject), 1);
    }

    Check the length of _balls_array. If it is greater than 5, do not create another ball:

    if (!_ballCreation_timer) {
        _ballCreation_timer = new Timer(4000);
        _ballCreation_timer.addEventListener(TimerEvent.TIMER, _onBallCreationTimer);
    }
    _ballCreation_timer.start();

    // Function which creates the ball on each timer tick
    function _onBallCreationTimer(e:TimerEvent):void {
        _doCreateNewBall();
    }

    function _doCreateNewBall():void {
        // only create a new ball while fewer than 5 are in play
        if (_balls_array.length < 5) {
            _ball_quickobject = sim.addCircle({x: PHYSICS_SCALE * 960, y: PHYSICS_SCALE * 10, radius: 0.5, draggable: false});
            // keep a list of the balls
            _balls_array.push(_ball_quickobject);
        }
    }

    This is the part where a ball (QuickObject) that falls off the screen is destroyed:

    addEventListener(Event.ENTER_FRAME, _onEnterFrame);

    // check each ball for falling out of the screen
    function _onEnterFrame(aEvent:Event):void {
        for each (var quickObject:QuickObject in _balls_array) {
            // ball falling out of the screen?
            if (quickObject.y / PHYSICS_SCALE > 1080) {
                _doHandleBallOffScreen(quickObject);
            }
        }
    }

    // destroy the ball if it fell off the screen
    function _doHandleBallOffScreen(aQuickObject:QuickObject):void {
        // destroy the object
        aQuickObject.destroy();
        // remove it from the custom list
        _balls_array.splice(_balls_array.indexOf(aQuickObject), 1);
    }

  • How to detect the color pages in a PDF file?

    I use an Acrobat C++ plug-in to read/modify a PDF file.

    I need to get the total number of pages in the PDF file and the page numbers of the pages in color.

    So far, I was able to get the total number of pages using PDDocGetNumPages() with no problems.

    However, I can't find an API that lets me know if a particular page is color or not. Is there a way to do this?

    Thanks in advance!

    But what happens if there is RGB data which is black or grey (R == G == B): does that count as black or as RGB?

    There is a code sample in the SDK to walk the content of the PDF file, from which you can get the color space and color of each object.

    But you really need to do background research on colors & color spaces to achieve this properly.

    From: Sachintha81

    Date: Wednesday, February 8, 2012 16:57:10 -0800

    To: Leonard Rosenthol

    Subject: Re: How to detect the color pages in a PDF file?

    Created by Sachintha81 (http://forums.adobe.com/people/Sachintha81) in Acrobat SDK. See the complete discussion at http://forums.adobe.com/message/4194889#4194889

  • How to import a .sql file in Oracle APEX?

    I am new to Oracle APEX...

    How do I import a .sql file in Oracle APEX?

    I have to import a table in APEX...

    I have to write this script in the .sql file...

    Please help...

    Published by: 794244 on January 31, 2011 21:31

    Hi Manu

    You can import and browse .sql files in SQL Workshop > SQL Scripts. If you have multiple SQL statements in your script, make sure that they are separated by the / character.

    Andy

  • How to detect the operating system in a PDF using JavaScript

    Hello

    How do I detect the operating system in a PDF using JavaScript (JavaScript console)?

    Thanks in advance.

    app.platform will return "WIN", "MAC" or "UNIX".

  • How to get the SQL if I get an exception

    I get this exception and do not know what the actual SQL with the bind variables was that got executed.

    sqlmesg = error in the select query to retrieve the segment associated with a pair of cables: ORA-01006: there is no bind variable

    Is there a way to get the real SQL that was executed, so I know what mistake I made?

    I thought your question was about how to see the SQL statement and the bind variables in the exception. The answer to that is to put the variables in the exception message.

    The root cause of the problem seems to be that your dynamic SQL statement may require 3 or 4 bind variables but your USING clause always specifies 4 values; if the underlying SQL statement has 3 placeholders, that will lead to an error.

    Justin

  • How to use a record type as a parameter in a PL/SQL procedure or package

    Hi people,

    I need help with a record type as the OUT parameter. I am able to get a single row out as a parameter, but I have no idea how to get multiple rows out as an output parameter.

    I have code that works very well for a single row. Please see CODE1.

    But when I try to get several rows, I fail. Please see CODE2. I get the compilation error as


    Error report:

    ORA-06550: line 11, column 35:

    PLS-00487: Invalid reference to the variable "P_NAME.

    ORA-06550: line 11, column 1:

    PL/SQL: Statement ignored

    06550 00000 - "line %s, column % s:\n%s".

    * Cause: Usually a PL/SQL compilation error.

    Any help or a sample execution of script would be really useful.

    Thanks in advance.

    YZ

    --------------------------CODE1------------------------------------------

    -------------------------Package Spec-------------------------------

    CREATE OR REPLACE PACKAGE xx_sample_pkg AS
      --
      TYPE xx_sample_table_rectype IS RECORD (
        p_name   VARCHAR2(40),
        p_emp_id NUMBER
      );

      PROCEDURE xx_sample_prc (xx_sample_rec1 OUT xx_sample_table_rectype);
    END xx_sample_pkg;
    /

    ------------------------------Package Body------------------------

    CREATE OR REPLACE PACKAGE BODY xx_sample_pkg AS
      --
      PROCEDURE xx_sample_prc (xx_sample_rec1 OUT xx_sample_table_rectype) IS
      BEGIN
        SELECT ename, empno
          INTO xx_sample_rec1
          FROM scott.emp
         WHERE ename = 'SMITH';
      END xx_sample_prc;
    END xx_sample_pkg;
    /

    -------------------------------------------Execute----------------------

    DECLARE
      l_rec_type xx_sample_pkg.xx_sample_table_rectype;
    BEGIN
      dbms_output.put_line('calling xx_sample_prc');
      xx_sample_pkg.xx_sample_prc(l_rec_type);
      dbms_output.put_line('YZ ' || l_rec_type.p_name || ' ' || l_rec_type.p_emp_id);
    END;
    /

    ---------------------------------------------------------------

    -------------------------CODE2-------------------------------------------

    -------------------------Package Spec-------------------------------

    CREATE OR REPLACE PACKAGE xx_sample_pkg AS
      --
      TYPE xx_sample_table_rectype IS RECORD (
        p_name   VARCHAR2(40),
        p_emp_id NUMBER
      );

      PROCEDURE xx_sample_prc (xx_sample_rec1 OUT xx_sample_table_rectype);
    END xx_sample_pkg;
    /

    ------------------------------Package Body------------------------

    CREATE OR REPLACE PACKAGE BODY xx_sample_pkg AS
      --
      PROCEDURE xx_sample_prc (xx_sample_rec1 OUT xx_sample_table_rectype) IS
      BEGIN
        SELECT ename, empno
          INTO xx_sample_rec1
          FROM scott.emp;
      END xx_sample_prc;
    END xx_sample_pkg;
    /

    -------------------------------------------Execute----------------------

    DECLARE
      l_rec_type xx_sample_pkg.xx_sample_table_rectype;
    BEGIN
      dbms_output.put_line('calling xx_sample_prc');
      xx_sample_pkg.xx_sample_prc(l_rec_type);
      -- this is the loop that fails to compile (PLS-00487): a record field is not a collection
      FOR l_rec IN 1 .. l_rec_type.p_name.count
      LOOP
        dbms_output.put_line('YZ ' || l_rec_type.p_name(l_rec) || ' ' || l_rec_type.p_emp_id(l_rec));
      END LOOP;
    END;
    /

    ---------------------------------------------------------------

    bb8c573a-6ca3-4d7c-90ed-e55c2df67201 wrote:

    But now my question would be: why could the record type not be used? I am missing some concept between using a record type vs. a collection (array) type. Please clarify.

    Do not confuse a record with a collection.

    SY.

  • How to escape text in the query pattern to avoid the SQL Injection

    We plan to use Oracle Text for searching in a Java web application and to use a query template as shown below, but we are concerned about SQL injection attacks. In general we use parameterized queries, but that does not seem possible with these query templates. Is there any advice or recommendation for avoiding SQL injection when using query templates: which characters need to be escaped or sanitized in the user input, etc.? Or is there another approach to query templates which does the same thing but can use bind parameters?

    SELECT SCORE(1) score, my_id
      FROM my_table
     WHERE CONTAINS(search_dummy,
           '<query>
              <textquery grammar="CONTEXT">dangerous search terms
                <progression>
                  <seq><rewrite>transform((TOKENS, "${", "}", " "))</rewrite></seq>
                  <seq><rewrite>transform((TOKENS, "${", "}", ";"))</rewrite></seq>
                  <seq><rewrite>transform((TOKENS, "${", "}", " AND "))</rewrite></seq>
                  <seq><rewrite>transform((TOKENS, "${", "}", " ACCUM "))</rewrite></seq>
                </progression>
              </textquery>
              <score datatype="INTEGER" algorithm="COUNT"/>
            </query>', 1) > 0
     ORDER BY SCORE(1) DESC;

    Thanks in advance for any help or advice!

    You should be able to put the entire CONTAINS clause argument into a bind variable. That prevents SQL injection. It is possible they could do a "CONTAINS injection" and perform a different search than the one the CONTAINS clause intended, but unless you are relying on part of the CONTAINS clause to implement security, that shouldn't be a problem.
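The reply's advice carried out in code, as an added example that is not from the thread: the whole query template is built in the application and passed as one bind variable, so the SQL text never contains user input and an apostrophe in the search terms stays data instead of ending a string literal. The table and column names (my_table, search_dummy, my_id) and the four rewrite steps are the thread's; the bind name :qry, the helper functions and the sample terms are this example's own assumptions.

```python
# The four rewrite steps of the template on the page, loosest match last.
CONNECTORS = [" ", ";", " AND ", " ACCUM "]


def progression(connectors=CONNECTORS) -> str:
    """One <seq><rewrite>...</rewrite></seq> element per connector, in order."""
    seqs = [
        f'<seq><rewrite>transform((TOKENS, "${{", "}}", "{c}"))</rewrite></seq>'
        for c in connectors
    ]
    return "<progression>" + "".join(seqs) + "</progression>"


def query_template(user_terms: str) -> str:
    """The XML query template with the user's terms as the textquery text."""
    return (
        "<query>"
        f'<textquery grammar="CONTEXT">{user_terms}{progression()}</textquery>'
        '<score datatype="INTEGER" algorithm="COUNT"/>'
        "</query>"
    )


# The SQL text is a constant: the template, terms included, travels as bind :qry
# (named-bind style as used by python-oracledb / cx_Oracle, an assumption here).
SAFE_SQL = (
    "SELECT SCORE(1) score, my_id FROM my_table "
    "WHERE CONTAINS(search_dummy, :qry, 1) > 0 ORDER BY SCORE(1) DESC"
)


def build_search(user_terms: str):
    """Return (sql, binds) ready for cursor.execute(sql, binds)."""
    return SAFE_SQL, {"qry": query_template(user_terms)}


def concatenated_sql(user_terms: str) -> str:
    """The pattern the thread started from: the template pasted into the SQL text."""
    return (
        "SELECT SCORE(1) score, my_id FROM my_table "
        f"WHERE CONTAINS(search_dummy, '{query_template(user_terms)}', 1) > 0"
    )


def literal_quotes_balanced(sql: str) -> bool:
    """An odd number of single quotes means a string literal was broken open."""
    return sql.count("'") % 2 == 0


if __name__ == "__main__":
    terms = "O'Reilly 2012"  # constructed sample input containing an apostrophe
    sql, binds = build_search(terms)
    print("bound SQL intact:", literal_quotes_balanced(sql))
    print("concatenated SQL intact:", literal_quotes_balanced(concatenated_sql(terms)))
```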

  • How to call a procedure with a table type parameter

    Hi, I have the below requirement.

    I created the table type as below:

    CREATE OR REPLACE TYPE char_type IS TABLE OF VARCHAR2(4000);
    /

    create or replace procedure test_proc_type (p_type char_type) is
    begin
      for i in 1..p_type.count loop
        dbms_output.put_line(p_type(i));
      end loop;
    end;
    /

    How do I call the procedure with a parameter of this type?

    SQL> create or replace type  char_type as table of varchar2(4000)
      2  /
    
    Type created.
    
    SQL> create or replace procedure test_proc_type (p_type char_type)
      2  is
      3  begin
      4    for i in 1..p_type.count loop
      5      dbms_output.put_line (p_type(i) ) ;
      6    end loop;
      7  end;
      8  /
    
    Procedure created.
    
    SQL> set serveroutput on
    SQL>
    SQL> exec test_proc_type(char_type('A','B','C','D','E'))
    A
    B
    C
    D
    E
    
    PL/SQL procedure successfully completed.
    
    SQL>
    
  • How to use the MODEL clause to conditionally create new rows

    This question is just for learning: it has no purpose other than to start with real-world versions of some known queries, in order to learn how to measure the performance of the MODEL clause versions.

    The question is: how can you write a MODEL clause that pivots (updates) ONLY the rows that actually need to pivot, and does NOT change the rows that have a single value and cannot be pivoted?

    I found a good site that has about two dozen example articles on different topics. This first link is the beginning of the series.

    SQL Features Tutorials - MODEL Clause

    http://www.sqlsnippets.com/en/topic-11663.html

    This link is to the MODEL clause version in BluShadow's FAQ "how to convert rows to columns".

    String to Rows - MODEL method

    http://www.sqlsnippets.com/en/topic-11987.html

    The solution at that link uses this source row:

    POSITION KEY        VAL
    -------- ---------- ----------
    R08      0          v1,v2,v3,

    and this result set:

    POSITION KEY        VAL
    -------- ---------- ----------
    R08      1          v1
    R08      2          v2
    R08      3          v3

    The reason it produces that result set is this clause of the MODEL statement:

    RETURN UPDATED ROWS

    If you comment out this clause, you will see that the original rows are all at position 0. This means that the solution duplicated EACH SOURCE ROW even if there is only one item in the list of values.

    Thus even a source row with a single value (for example r01 'a') will be updated and the updated row is returned.

    For a large data source with only a few rows that actually need to pivot, this would be a big performance hit.

    This is the sample data source:

    with t as (select 1 key, 'a' val, 'abc' col2, 'def' col3 from dual
               union all select 2, 'b', 'ghi', 'jkl' from dual
               union all select 3, 'c,d,e', 'mno', 'pqr' from dual
               union all select 4, 'f', 'stu', 'vwx' from dual
              )
    select key, val, col2, col3
      from t

    KEY, VAL, COL2, COL3
    1, a, abc, def
    2, b, ghi, jkl
    3, "c,d,e", mno, pqr
    4, f, stu, vwx

    Rows 1, 2 and 4 only have a single value (a, b, c respectively).

    Only row 3 must pivot. It contains "c,d,e", which must become 3 rows in the result set:

    KEY VAL COL2 COL3
    1   a   abc  def
    2   b   ghi  jkl
    3   c   mno  pqr
    3   d   mno  pqr
    3   e   mno  pqr
    4   f   stu  vwx

    The crux of the problem is that if the 'RETURN UPDATED ROWS' clause is used, then rows 1, 2 and 4 must be updated in order to be returned in the result set. And if this clause is NOT used, then row 3 must be updated from 'c,d,e' to 'c' and two new rows produced: one row for 'd' and one for 'e'.

    How can you do this with the MODEL clause without the help of the 'RETURN UPDATED ROWS' clause? I don't have a sample solution showing what I tried because I can't figure out what it takes to even try.

    I have a solution that uses 'RETURN UPDATED ROWS' but I want to compare its performance with the version where this clause is NOT used.

    I'll ask BluShadow to add the MODEL clause solution to the FAQ with the other similar solutions.

    Like this?

    with t as
    (
      select 1 key, 'a' val, 'abc' col2, 'def' col3 from dual
      union all select 2, 'b', 'ghi', 'jkl' from dual
      union all select 3, 'c,d,e', 'mno', 'pqr' from dual
      union all select 4, 'f', 'stu', 'vwx' from dual
    )
    select key
         , key_1
         , val
         , regexp_substr(val, '[^,]+', 1, key_1) val_new
         , col2
         , col3
      from t
     model
       partition by (key)
       dimension by (1 key_1)
       measures (val, col2, col3, (length(val) - length(replace(val, ',')) + 1) as len)
       rules
       (
         val  [for key_1 from 1 to len[1] increment 1] = val[1]
       , col2 [for key_1 from 1 to len[1] increment 1] = col2[1]
       , col3 [for key_1 from 1 to len[1] increment 1] = col3[1]
       )
     order by key
            , key_1;

           KEY      KEY_1 VAL   VAL_N COL COL
    ---------- ---------- ----- ----- --- ---
             1          1 a     a     abc def
             2          1 b     b     ghi jkl
             3          1 c,d,e c     mno pqr
             3          2 c,d,e d     mno pqr
             3          3 c,d,e e     mno pqr
             4          1 f     f     stu vwx

    6 rows selected.

  • How to filter the file type and size when uploading files in APEX

    Hello

    I was wondering how I can validate the size of a file before moving it into my table? I also want to filter the file type, but for that I think I can use regular expressions in a validation process.

    I don't know if there is a way to read the size of the file even before sending it to the temporary table.

    Thank you

    Bodart

    Hi salma,

    As far as I know, you need to create an APEX validation (PL/SQL Function Returning Boolean or Returning Error Text) which queries the file details from the apex_flow_files table. There you can get the file type and size, etc.

    So just validate, and if the validation fails, delete the file from apex_flow_files and raise an error message.

    Kind regards
    Hari

    P.S. Please note that if there are other APEX validations on your page and they fail, APEX will still load the file into the apex_flow_files table. It is sensible to create a (PL/SQL) validation that fires (condition) when inline validation errors occurred. Make sure it is the LAST validation on your page in the sequence. And there you can write code to delete from the apex_flow_files table.

    Published by: Hari_639 on Sep 20, 2012 22:09
