Reducing SQL injection when forced to use substitution variables

The 3rd-party software that I use has exactly one way to allow users to specify execution settings: substitution variables.
The scripts are executed using SQL*Plus. I'm looking for ways to secure this.

Please, don't say "do not use substitution variables" - read above, it is the only way this software works.


My first thought was something like this:
var myvar varchar2(30)
exec :myvar := '&user_input';
It's no good. What happens if the user specifies X'; execute immediate 'drop table sometable as the value? Then we get:
exec :myvar := 'X'; execute immediate 'drop table sometable';
Again, not good.

I thought that perhaps something like the following would work:
exec :myvar := dbms_assert.noop('&user_input');
but then again, a malicious user could specify '); execute immediate 'drop table sometable'; dbms_assert.noop(' as the value.

I'm open to suggestions.
What can I do to sanitize the substitution variables?

Thank you!

Edited by: Yes on 30 January 2013 15:02

If your attacker is able to enter a value for this substitution parameter, it is too late to worry.
He can stop the execution of the script and enter whatever malicious code he wants. Or did I miss something?
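To make the point of the question and the reply concrete, here is an added Python simulation (not code from this thread or from SQL*Plus): it performs the textual &user_input replacement the way SQL*Plus does, checks whether the result still has the shape of a single statement with the value confined to one string literal, and applies an allowlist that whoever deploys the settings could enforce before SQL*Plus ever reads them. The two templates, the two attacker strings and the allowlist pattern are constructed from the question; the allowlist is an assumed policy, not anything SQL*Plus provides.

```python
import re

# Constructed templates mirroring the two attempts in the question above.
NAIVE_TEMPLATE = "exec :myvar := '&user_input';"
NOOP_TEMPLATE = "exec :myvar := dbms_assert.noop('&user_input');"

# The two attacker strings from the question, reconstructed as Python strings.
PAYLOAD_NAIVE = "X'; execute immediate 'drop table sometable"
PAYLOAD_NOOP = "'); execute immediate 'drop table sometable'; dbms_assert.noop('"

# Assumed allowlist for a setting that lands in varchar2(30): letters, digits and
# underscore only, so no quote, no ';' and no '&' (which SQL*Plus would expand again).
SAFE_VALUE = re.compile(r"[A-Za-z0-9_]{1,30}")


def substitute(template: str, **values: str) -> str:
    """Plain text replacement of &name (an optional '.' ends the name), which is
    all SQL*Plus does before the statement reaches the parser."""
    return re.sub(r"&(\w+)\.?", lambda m: values[m.group(1)], template)


def statement_shape(sql: str):
    """Walk the text tracking single-quoted literals ('' is an escaped quote).
    Returns (number of ';' outside literals, True if a literal is still open)."""
    in_literal = False
    terminators = 0
    i = 0
    while i < len(sql):
        ch = sql[i]
        if in_literal:
            if ch == "'":
                if i + 1 < len(sql) and sql[i + 1] == "'":
                    i += 1              # doubled quote: stay inside the literal
                else:
                    in_literal = False
        elif ch == "'":
            in_literal = True
        elif ch == ";":
            terminators += 1
        i += 1
    return terminators, in_literal


def value_escapes(template: str, value: str) -> bool:
    """True if the value changes the script's shape: extra statements, or an
    unbalanced literal (a legitimate O'Brien breaks the script just like an attack)."""
    terminators, unbalanced = statement_shape(substitute(template, user_input=value))
    return terminators != 1 or unbalanced


def is_safe_value(value: str) -> bool:
    """Pre-flight allowlist check to run on the setting before SQL*Plus reads it."""
    return SAFE_VALUE.fullmatch(value) is not None


if __name__ == "__main__":
    for template, value in ((NAIVE_TEMPLATE, PAYLOAD_NAIVE), (NOOP_TEMPLATE, PAYLOAD_NOOP),
                            (NAIVE_TEMPLATE, "X"), (NAIVE_TEMPLATE, "O'Brien")):
        print(repr(value), "escapes" if value_escapes(template, value) else "stays in literal",
              "| allowlisted" if is_safe_value(value) else "| rejected")
```

The O'Brien case is why a blocklist of "attack-looking" characters is the wrong tool: any value the script cannot hold in one literal has to be rejected up front, regardless of intent.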

Tags: Database

Similar Questions

  • How to use substitution variables in Microsoft Word using Hyperion Smart View

    Can we use substitution variables with copy data points and refresh in Microsoft Word? I tried and it does not work dynamically (copy data points only copies what was in the Excel cell at that time). It copies only the static value of this variable for this cell. I want to use it dynamically in Word so that if I change the value of this variable in Essbase, it is updated in Word on refresh. Any idea?

    We need this feature in Microsoft Word to keep using data points every year (instead of copying the Excel cells over again).

    Any help or suggestion is appreciated.

    Thank you

    You cannot use substitution variables with copy data points. I tried a while back (after 111.1.2.1.102) and it wouldn't work. I checked with Oracle development and they said that it is not available.

  • Business rule - unable to assign text data using substitution variables

    Hello

    I can't assign a text value stored in a substitution variable. I read in the posts that you can't assign string values; I just want to check whether it is possible using substitution variables.

    For example:

    FIX (Scenario, Version, Year)

    "Test year"
    (
    "Test year" = &;
    )

    ENDFIX

    & those is a substitution variable whose value is "FY13".

    Please advise.

    Thanks, Cz

    The same rules apply: you must assign a numerical value, because that is what is stored in Essbase at the data intersection.

    Cheers

    John
    http://John-Goodwin.blogspot.com/

  • SQL injections: if I use Muse, are these impossible?

    If I use Muse to design my new website, is it still possible to be hacked by someone using SQL injection?

    Hello

    in case you still need to answer,

    SQL injection is the major attack on sites when it comes to DBs. Up to now, Muse generates static sites, meaning no interaction with a database and no dynamic content. You need to export the site in HTML format and then make changes in the code if you want to include a database or any other dynamic content. Once you do this, you can try firewalls and similar intrusion-detection mechanisms, which offer little defense against large-scale web attacks.

    I hope this helps.

  • Insert data to DB avoiding SQL injection

    Hello

    I used the following method to insert data to DB

    (1) I have a 'DB helper' class with the following function

    void dbHelper::createOrUpdateRecord(const QString &Insertquery) {
        QSqlDatabase database = QSqlDatabase::database();
        QSqlQuery query(database);
        query.prepare(Insertquery);   // the caller has already concatenated the values into the SQL text

        if (query.exec()) {
            alert(tr("Record created"));
        } else {
            const QSqlError error = query.lastError();
            alert(tr("Create record error: %1").arg(error.text()));
        }
        database.close();
    }


    (2) Where I want to insert data into the DB, I build the INSERT query as a string and pass it as a parameter to the function above

    QString createOrUpdateQuery = "INSERT INTO tutorial (title,titleArabic,shortDesc,shortDescArabic,description,descriptionArabic,externalLink,tutorialId,isActive) VALUES(\""
        + map.value("title").toString() + "\", \""
        + map.value("titleArabic").toString() + "\",\""
        + map.value("shortDesc").toString() + "\",\""
        + map.value("shortDescArabic").toString() + "\",\""
        + map.value("description").toString() + "\",\""
        + map.value("descriptionArabic").toString() + "\",\""
        + map.value("externalLink").toString() + "\",\""
        + map.value("tutorialId").toString() + "\",\""
        + map.value("isActive").toString() + "\" )";

    dbHelp.createOrUpdateRecord(createOrUpdateQuery);


    I read that this method is also open to SQL injection, and using this method we can insert only strings as data values.

    My question is:

    I read that the best method to insert data is using 'bind'. But if I am trying to use the 'bind' method, then I won't be able to make the DB insertion a generic function. Is this possible? Please help me to do the insertion of data into the DB as a generic function.

    I didn't test this, but it might give you an idea:

    // Query text with named placeholders instead of concatenated values.
    QString sql = "INSERT INTO tutorial (title,titleArabic,shortDesc,shortDescArabic,description,descriptionArabic,externalLink,tutorialId,isActive) "
                  "VALUES(:title, :titleArabic, :shortDesc, :shortDescArabic, :description, :descriptionArabic, :externalLink, :tutorialId, :isActive)";

    createOrUpdateRecord(sql, map);

    void dbHelper::createOrUpdateRecord(const QString &Insertquery, const QMap<QString, QVariant> &paramMap) {
        QSqlDatabase database = QSqlDatabase::database();
        QSqlQuery query(database);
        query.prepare(Insertquery);

        // Bind every map entry to the placeholder of the same name; the driver
        // handles quoting, so the values never become part of the SQL text.
        QMap<QString, QVariant>::const_iterator it;
        for (it = paramMap.constBegin(); it != paramMap.constEnd(); ++it) {
            query.bindValue(":" + it.key(), it.value());
        }

        if (query.exec()) {
            alert(tr("Record created"));
        } else {
            alert(tr("Create record error: %1").arg(query.lastError().text()));
        }
    }

  • Web Forms using substitution variables with multiple values

    Hello

    I'm trying to select a substitution variable with multiple values in a web form (Hyperion Planning 11.1.1.3), defined in EAS, but it does not work. Does someone know if this is expected behavior?

    I already tried:

    &month = "Jan", "Feb", "Mar"
    &month = Jan, Feb, Mar
    &month = Jan:Mar

    Please let me know something, since I remember in previous versions of Hyperion Planning it was possible.

    Kind regards

    Have a read of: Re: Using Essbase substitution variables in Planning forms

    Cheers

    John
    http://John-Goodwin.blogspot.com/

  • Display reduced on the TV when it is used as a computer screen size, the screen works ok when it is used as a TV

    Original title: screen

    I plugged my computer into my TV screen to use it as a monitor; it worked fine for a long time, but now it's half size because of a black line on each side of the screen, which disappears when I switch to watching the TV. If anyone can help please make it simple as I'm not much on computer problems, thanks


    Change the resolution and refresh rate to match the TV's recommended/native resolution for these connections.
     
    Depends on the TV.

  • Loading data using Substitution variables

    Substitution variables can be used in Essbase data load rules.

    In the header and in the field definition - http://download.oracle.com/docs/cd/E17236_01/epm.1112/esb_dbag/dotcreat.html#dotcreat1053369

    Cheers

    John
    http://John-Goodwin.blogspot.com/

  • Using substitution variables to suppress columns in v11.1.2.1

    We have several forms that in version 11.1.1.1 have &FcYear (forecast year) and time periods in the column direction. For the time periods, I select:
    &Mth01
    &Mth02
    &Mth03
    &Mth04
    &Mth05
    &Mth06
    &Mth07
    &Mth08
    &Mth09
    &Mth10
    &Mth11
    &Mth12
    YearTotal

    Currently all the &Mth vars are set to Nov except &Mth12, which is set to Dec. What we achieved in V11.1.1.1 is a form where the actual months disappear for the &FcYear year. In other words, in V11.1.1.1 a form designed like that now only shows Nov, Dec and YearTotal for FY11. However in V11.1.2.1 it displays Nov 11 times, then Dec, then YearTotal!

    So my question is: is there a setting I'm missing in the V11.1.2.1 form designer to tell the form to suppress the repetitions?

    Cheers

    Published by: user964802 on November 2, 2011 14:40

    Hello
    It is a bug fix. Take a look at the post below:
    Re: Working capital forecast form design (column replication as a data)

    Cheers,
    Alp

  • How to escape text in the query pattern to avoid the SQL Injection

    We plan to use Oracle Text for searching in a Java web application and to use a query template as shown below, but are concerned about SQL injection attacks. In general we use parameterized queries, but that does not seem possible with these query templates. Is there any advice or recommendation to avoid SQL injection when using query templates - which characters need to be escaped or sanitized in the user input, etc.? Or is there another approach to query templates which does the same thing but can use parameters?

    SELECT score(1), my_id FROM my_table WHERE CONTAINS(search_dummy,
    '<query>
      <textquery grammar="CONTEXT"> dangerous search terms
        <progression>
          <seq><rewrite>transform((TOKENS, "${", "}", " "))</rewrite></seq>
          <seq><rewrite>transform((TOKENS, "${", "}", ";"))</rewrite></seq>
          <seq><rewrite>transform((TOKENS, "${", "}", "AND"))</rewrite></seq>
          <seq><rewrite>transform((TOKENS, "${", "}", "ACCUM"))</rewrite></seq>
        </progression>
      </textquery>
      <score datatype="INTEGER" algorithm="COUNT"/>
    </query>', 1) > 0
    ORDER BY SCORE(1) DESC;

    Thanks in advance for any help or advice!

    You should be able to put the entire argument of the CONTAINS clause in a bind variable. That prevents SQL injection. It is possible they could do 'CONTAINS injection' and run a different CONTAINS search than you intended, but unless you are relying on part of the CONTAINS clause to implement security, that shouldn't be a problem.

  • Blocker of SQL Injection

    Hello all-

    I have a server with a large number of ColdFusion templates (over 10,000) that I really need to protect against SQL injection.

    I know that CFQUERYPARAM is the best way to do it. I would like to do it that way, but with so many pages and so many queries it would take weeks/months to fix the queries and test to ensure that I don't screw something up.


    So, I came up with a plan that I wanted to get feedback on.

    Currently, I have a page on my server that is included in almost every page that runs. It's a simple page that I can edit to change the state of my system in the case of a database change or another kind of failure. (Pages keep running, but no update is allowed, read-only.)


    Okay, so on this page which is always included, I thought I would analyze the incoming variables. I was thinking about looking for things that looked like a SQL injection attack and blocking the page from running.


    I wanted to know if this could work; does anyone have any ideas? It would be great because I could protect the entire server in about an hour. But I don't want to give myself a false sense of security if it really won't do the job.

    First of all, here are a few simple things you can do to protect all pages before you follow the other tips and plans in this thread:

    1. In the CF administrator, click your data sources, then click the "Advanced" button.
       There, uncheck everything except read, stored procedures and (optionally) the write permissions. 'Drop', 'Create', etc. are turned off here.
    2. If you haven't already done so, make a data source with read-only permissions and refactor your code to use it everywhere except for the carefully separated deletes, inserts and updates.
    3. Now, in SQL Server, remove all permissions from the users you use, except data_reader and (selectively) data_writer and EXECUTE on the procedures or functions that you use.
    4. In SQL Server, configure at least two users for CF. One should have only the data_reader permission (plus read-only stored procedures).
    5. Find articles like this one: http://www.sqlservercentral.com/columnists/bknight/10securingyoursqlserver.asp and follow their advice, starting by locking down xp_cmdshell.

    These measures require little or no CF code change, but will block all but the most determined and skilled hackers. You should still follow Adam's good advice.

    BTW, Dan is wrong: ALL DBs are vulnerable to SQL injection.
    SQL Server is not the most vulnerable (studies show that Oracle now has this "honour").

  • Cannot use the #A01# substitution variable in dynamic list

    Greetings...

    I want to generate a dynamic list on the page.  The list will contain an indicator that specifies whether or not the entry in the list is in fact hidden from the user.  If it is hidden from the user, then I want to apply a particular class to this list entry when rendering.

    The dynamic list has the following SQL code:

    SELECT null lvl,
           menu.menu_nm label_value,
           q'!javascript:$s('P32_MASTER_MENU_ID', '!' ||
              menu.menu_id || q'!');!' target_value,
           null image,
           null image_attribute,
           null image_alt_attribute,
           case when menu.hidden = 'Y'
                  then 'class="hiddenNode"'
                  else null end attribute1
    from ( select 'N' hidden, vis.* from std_vw_apex_menu vis
            union all
           select 'Y' hidden, hid.* from std_vw_apex_menu_hidden hid ) menu
    where menu.menu_ty = 'MAINMENU'
    order by menu.sort_order

    I then use a list template with the following as the "Current" list entry:

    <li class="active"><a href="#LINK#"><span #A01#>#TEXT#</span></a></li>

    ... and list the following as the "Non-Current" entry:

    <li><a href="#LINK#"><span #A01#>#TEXT#</span></a></li>

    However, what I see in the rendered page is that the substitution does not occur, as shown in the following snippet:

    <li><a href="javascript:$s('P32_MASTER_MENU_ID', '18893191201');"><span #a01#="">Education</span></a></li>

    We are on ApEx 4.2.1.  What am I doing wrong, as I've seen other threads indicate that it is possible for dynamic lists to use substitution variables in their list templates?

    Shane.

    I found the solution to attribute substitution not working in dynamic list templates.

  • Using a Variable for dataProvider Information

    I'm trying to use a variable to populate the dataProvider for printing. I based it on the example in the Flex 3: Training from the Source book. When I try to use a variable, I get a Flash Player error indicating that the provider is not defined. Does anyone know the correct way to make it work?

    Here is the code:

    private function doPrint(event:Event):void {

        selection = event.currentTarget.id + "s.dataProvider";

        var pj:FlexPrintJob = new FlexPrintJob();

        if (pj.start() != true)
        {
            return;
        }

        var myPrintView:PrintView = new PrintView();
        this.addChild(myPrintView);
        myPrintView.myPrintDG.showHeaders = false;
        myPrintView.myPrintDG.rowHeight = 18;
        myPrintView.contact.text = "username:" + uname;
        myPrintView.myPrintDG.dataProvider = "(selection)";
        pj.addObject(myPrintView);
        pj.send();
        removeChild(myPrintView);
    }


    This is the line I need to work: myPrintView.myPrintDG.dataProvider = "(selection)";

    If I replace "(selection)" with roles.dataProvider, it works fine. I think it's just a matter of syntax. If you look at the previous line, I use a variable for the user name and which works very well.

    Any help would be greatly appreciated.

    Dave

    "Kurrykid" wrote in message
    News:g6vsnc$LPs$1@forums. Macromedia.com...
    > I'm trying to use a variable to populate the dataProvider for printing. I
    > based it on the example in the Flex 3: Training from the Source book.
    > When I
    > try using a variable, I get a Flash Player error, indicating that the
    > provider is
    > undefined. Does anyone know the correct way to make this
    > work?
    >
    > Here is the code:
    >
    > private function doPrint(event:Event):void {
    >
    > selection = event.currentTarget.id + "s.dataProvider"

    Try:

    selection = this[event.currentTarget.id + "s"].dataProvider;

    HTH;

    Amy

  • Can business rules use substitution variables in Essbase?

    Hi all

    I use Hyperion Essbase, EAS and planning with the version 9.3.1.

    1. Can we use substitution variables in Essbase business rules?

    2. How do we update business rule changes in the Planning workspace?

    Cheers,
    Simon

    Hello

    Yes, you can use substitution variables; as in calc scripts, use the ampersand & and the name of the variable, for example &CurrYr

    I don't know what you mean by the second question; if you make changes to the business rules in EAS, that is all you have to do, as Planning calls the same repository for business rule information.

    Cheers

    John
    http://John-Goodwin.blogspot.com/

  • Preventing SQL injection - cannot use cfqueryparam in this case

    Hello. I have a form with a checkbox next to each line.  If the user checks certain boxes and then clicks the "Delete" button, I want to run the following query, but I want to protect it from SQL injection attacks:

    <cfquery datasource="#application.mainDS#">
    delete from userMessages
    where messageID in (#form.messageID#)
    </cfquery>

    As written above, it works fine.  But if I try to protect this code with <cfqueryparam value="#form.messageID#" cfsqltype="cf_sql_varchar">, I get this error: "Conversion failed when converting the varchar value '7,21' to data type int" (7 and 21 are the messageIDs to delete).  Of course the comma prevents the conversion to an integer.

    If I use cfsqltype = "cf_sql_integer", the string is converted to a single integer (in this case 40015, which is nonsense).

    I tried passing form.messageID to a stored procedure, but I seemed to have the same problem there.  I was able to execute the query in a loop where I just delete one row at a time, but I want to run a single query if I can do it safely.  Any ideas?

    Thank you.

    PK

    You just need to add the 'list' attribute to cfqueryparam to indicate that the 'value' contains multiple messageIDs.
