Posts

Native String Aggregation in 11gR2

A fairly recent requirement meant that we had to send a bulk email to all users of each department from within our APEX application. We have 5000 records in our users table and the last thing we wanted to do was send 5000 distinct emails (one email per user) for both performance and to be kind on the mail queue / server. In essence, I wanted to to perform a type of string aggregation where I could group by department and produce a comma delimited sting of all email address of users within that department. With a firm understanding of the requirement, so began the hunt for a solution. Depending on what version of the database you are running, the desired result can be achieved in a couple of ways. Firstly, the example objects. CREATE TABLE app_user (id NUMBER ,dept VARCHAR2 (255) ,username VARCHAR2(255) ,email VARCHAR2(255) ); INSERT INTO app_user (id, dept, username, email) VALUES (1,'IT','FRED','fred@mycompany.com'); INSERT INTO app_user (id, dept, username, em...

A Right Pig's Ear of a Circular Reference

If you have ever used a self referencing table within Oracle to store hierarchical data (e.g. an organisations structure), you will have undoubtedly used CONNECT BY PRIOR to build your results tree. This is something we use on pretty much every project as the organisation is very hierarchy based. Recently, the support cell sent the details of a recent call they received asking me to take a look. Looking down the call, I noticed that the following Oracle Error Message was logged: "ORA-01436: CONNECT BY loop in user data" A quick look at the explanation of -01436 and it was clear that there was a circular reference in the organisation table i.e. ORG_UNIT1 was the PARENT of ORG_UNIT2 and ORG_UNIT2 was the PARENT of ORG_UNIT1 . In this example, both ORG_UNITS were the child and parent of each other. Clearly this was an issue which was quickly resolved by the addition of a application and server side validation to prevent this from re-occurring. The outcome of this fix was ...

Pen Test Tool for APEX

Just a quick plug for a cool Penetration Test tool that we have been using on-site for a few months now. The application is called: Application Express Security Console and developed by a company called Recx Ltd This can be used to identify areas of you APEX applications that are vulnerable to: SQL Injection, XSS as well as inadequate access control etc. It kindly suggests ways in which the vulnerability can be addressed as well. We have built the use of this into our formal release process now and has definitely proved value for money to organisation.

Beware of the Byte

Recently our test department raised a bug against one our applications that occurred when trying to insert a record into a table. The error message encountered was a fairly innocuous " ORA-01704: string literal too long ". Following the test case to the letter, I successfully generated the same error and located the table that the APEX form was inserting into. A quick check of the Data Dictionary confirmed that the column in question was of type VARCHAR2(10). At this stage, I though the obvious cause was that there was no limit on the APEX form item (a Text Area) of 10 characters. Having checked the item in question, not only was there a “ maxWidth ” value of 10, the text area had been created with a “ Character Counter ”. Strange then how a form item accepting 10 characters was erroring whilst inserting into a column of VARCHAR2(10). A little while later...... (after some head scratching and several discussions with our DBA’s and a colleague) the problem was all too clear. S...

APEX - Identify Report Columns Vulnerable to XSS

The following query is a very simple way of identifying all report columns within your APEX application that may be exposed by Cross Site Scripting (XSS). XSS allows an attacker to inject web script (JavaScript) into an application and when this is rendered in the report, the script is interpreted rather than rendered as text. To safe guard against this attack, APEX provides a "Display as Text (escape special characters)" report column attribute that can be applied to classic and Interactive Reports. This causes the script text to be displayed as text rather than interpreted by the browser. If you have any markup (HTML) within your query that the report is based on, this markup will also be displayed as text and not interpreted. I personally think this is a good by product as you should not really be coding look and feel into your raw SQL. Anyway I digress. Here is the query that will identify all vulnerable report columns within your APEX application: SELECT application_id...

Oracle SQL Developer on OS X Snow Leopard

I have been using Oracle SQL Developer Data Modeller for a while now within a Windows XP environment. It seems pretty good (albeit a little slow but hey show some an Oracle Java client application that is quick. Oracle Directory Manager?, OWB Design Centre? I shall labour this point no more) and I was looking forward to trying it out on my new 27" iMac. I promptley downloaded the software from OTN and a quick read of the instructions suggested I need to do no more other than run the datamodeler.sh shell script since I already had Java SE 6 installed. As it turns out, the datamodeler.sh script in the root location does little more than call another script called datamodeler.sh found in the /datamodeler/bin directory which is the once you actually need to execute to fire up SQL Data Modeler When this script runs, it prompts you for a the full J2SE file path (which I had no idea where it was) before it will run. After a quick look around google and I came across the command: java_ho...

Generate Days in Month (PIPELINED Functions)

This cool example is not one I can take the credit for but since it is used pretty heavily in our organisation, I thought I would share it as it's not only pretty cool buy also demonstrates how useful Oracle Pipelined functions can be. In essence a Pipeline table function (introduced in 9i) allow you use a PL/SQL function as the source of a query rather than a physical table. This is really useful in our case to generate all the days in a calendar month via PL/SQL and query them back within our application. To see this in operation, simply create the following objects: CREATE OR REPLACE TYPE TABLE_OF_DATES IS TABLE OF DATE; CREATE OR REPLACE FUNCTION GET_DAYS_IN_MONTH ( pv_start_date_i IN DATE ) RETURN TABLE_OF_DATES PIPELINED IS lv_working_date DATE; lv_days_in_month NUMBER; lv_cnt NUMBER; BEGIN lv_working_date := TO_DATE(TO_CHAR(pv_start_date_i, 'RRRRMM') || '01', 'RRRRMMDD'); lv_days_in_month := TRUNC(LAST_DAY(lv_working_date)) - TRUNC(lv_work...