Tuesday, January 15, 2008

Installing Oracle Database 11g Release 1

Oracle released a paper written by John Smiley. Learn the basics of installing Oracle Database 11g Release 1 on Oracle Enterprise Linux 5 from the bare metal up. I have gone through the document and it is quite a good basic guide on how to set up the system and do some tweaks to get things running nicely.

If you want a paper to guide you during the install, this is a must-read for all of you wanting to install Oracle Database 11g Release 1.

Load Transportation Management Base Summary

When running the “Load Transportation Management Base Summary” concurrent request as part of your initial loading of Oracle DBI you can encounter the following errors:

Warning! DBI Weight Reporting UOM has not been set up.
Warning! DBI Volume Reporting UOM has not been set up.
Warning! DBI Distance Reporting UOM has not been set up.

To set the Weight, Volume and Distance reporting UOM you have to go to the “Daily Business Intelligence Administrator” responsibility. There, navigate to Setup -> Supply Chain -> Reporting Units of Measure.

Here you can set the base reporting unit of measure for weight, volume and distance in Oracle Daily Business Intelligence.

Rerunning the concurrent request should now result in a normal completion.

Wednesday, January 09, 2008

Nintendo Wii 3D option

A friend, Daan den Hollander, runs the weblog ourthoughtleaders.com and posted some information about Johnny Chung Lee, who is associated with Carnegie Mellon's School of Computer Science. Johnny is doing some projects on the Nintendo Wii and invented a way games should look in real 3D. By using a Wii remote control in a smart way and by coding a real 3D program he is able to create a very good 3D environment. It is certainly worth the time to watch.

Tuesday, January 08, 2008

FRM-40367 Query/Where function

An old and almost forgotten option in Oracle Forms is the query/where function. It allows you to supply your own “where” or “where and” clauses in your form. Basically, you could also use it to escape the form's select statement and perform a SQL injection.

The intended functionality of query/where is that you can write your own query for the form, so you are not limited to the fields that are shown in the form itself. You are, however, limited to the columns of the tables that appear in the hardcoded part of the query. For example, you could query for a user in the “System Administrator” “Users” screen by user_id, which is not an option by default.

After you have invoked the query/where screen, enter the following extension to the query if you want to view the information for the user with id 2071: “user_id = 2071”.

Because of the potential danger of SQL injection Oracle has removed this functionality. However, as we are used to with Oracle, it is not really removed, only turned off. This means we can turn it on again, which can be a big relief when trying to figure something out in a test environment. Oracle has disabled this option by setting the following line in $APPL_TOP/PUBTST21.env:


When you change the TRUE value to FALSE and restart Forms, you will be able to use the query/where option. To use it, go to a Forms screen, enter query mode (F11), place a ‘:’ or ‘&’ character in one of the fields and execute the query (Ctrl + F11). You will now be presented with a free query field, as shown in the screenshot below.

An indication that FORMS60_RESTRICT_ENTER_QUERY is still set to TRUE is that, if you try to execute a search with one of the mentioned characters, you will get a FRM-40367 error: FRM-40367: Invalid criteria in field XXX in example record.

Monday, January 07, 2008

SQL injection

SQL injection is a method in which an attacker inserts new statements into existing statements. Instead of supplying values in the form the application expects, the attacker tries to break out of the standard code and insert their own code in such a way that it gets executed. Even though this is a very old technique, it turns out that thousands and thousands of web applications are still vulnerable to SQL injection.

Basically, a SQL injection possibility is due to bad coding. When SQL injection was quite new it could be very hard in some cases to close a possible SQL injection vulnerability. Nowadays there are so many standard ways of making sure that a client sends you what you expect and cannot "break out" of a web application that this is no longer an excuse.

Even though it is quite standard to test your application for this and other possible security vulnerabilities, it is handy to have some documentation ready and to read it, so you gain an even better understanding of this technique and of how to prevent it.

Before cleaning them up from my desk I would like to share some of the documents I will be shredding and which I found quite good for getting a basic understanding of SQL injection. The best way, however, is trying to hack into (your own) web applications: trying to find the possibilities, the loopholes and the way to close them.
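As an added illustration (not code from the original post or from any of the papers below) of the "break out" described here, and of what the query/where post above calls escaping the select statement: a lookup that splices client input into SQL text next to the same lookup with bind parameters and input validation. The users table and the user names are constructed sample data; SQLite stands in for the back-end database.

```python
import sqlite3

# Constructed sample data standing in for the application's users table.
SAMPLE_USERS = [(2071, "jdoe", "sales"), (2072, "asmith", "finance"), (2073, "bwong", "admin")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER PRIMARY KEY, user_name TEXT, department TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def find_user_unsafe(conn, user_name):
    """Vulnerable (bad coding): the client-supplied value becomes part of the SQL
    text, so a quote character closes the literal and anything after it is
    parsed as SQL. Kept only to contrast with the hardened version below."""
    sql = "SELECT user_id, user_name FROM users WHERE user_name = '" + user_name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, user_name):
    """Hardened: the value travels as a bind parameter, never as SQL text, so the
    database compares it as a plain string no matter which characters it holds."""
    sql = "SELECT user_id, user_name FROM users WHERE user_name = ?"
    return conn.execute(sql, (user_name,)).fetchall()


def parse_user_id(raw):
    """Input validation on top of binding: a user_id must be a positive integer;
    anything else is rejected before it gets anywhere near the database."""
    if not raw.isdigit():
        raise ValueError("user_id must be a positive integer")
    return int(raw)


def find_user_by_id(conn, raw_id):
    sql = "SELECT user_id, user_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (parse_user_id(raw_id),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"  # constructed: a quote that closes the string literal
    print(find_user_unsafe(db, payload))  # the predicate is always true: all rows leak
    print(find_user_safe(db, payload))    # no user has that literal name: []
    print(find_user_by_id(db, "2071"))    # [(2071, 'jdoe')]
```

Feeding the same payload to both lookups shows the whole difference: the concatenated query returns every row, the parameterized one returns nothing.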

A good read is:

Advanced SQL Injection in SQL Server Applications:
"This document discusses in detail the common 'SQL injection' technique, as it applies to the popular Microsoft Internet Information Server/Active Server Pages/SQL Server platform. It discusses the various ways in which SQL can be 'injected' into the application and addresses some of the data validation and database lockdown issues that are related to this class of attack. The paper is intended to be read by both developers of web applications which communicate with databases and by security professionals whose role includes auditing these web applications."

An Introduction to SQL Injection Attacks for Oracle Developers:
"Most application developers underestimate the risk of SQL injections attacks against applications that use Oracle as the back-end database. Our audits of custom web applications show many application developers do not fully understand the risk of SQL injection attacks and simple techniques used to prevent such attacks. This paper is intended for application developers, database administrators, and application auditors to highlight the risk of SQL injection attacks and demonstrate why web applications may be vulnerable. It is not intended to be a tutorial on executing SQL attacks and does not provide instructions on executing these attacks."

SQL Injection:
"SQL injection is a technique for exploiting web applications that use client-supplied data in SQL queries, but without first stripping potentially harmful characters. Despite being remarkably simple to protect against, there is an astonishing number of production systems connected to the Internet that are vulnerable to this type of attack. The objective of this paper is to focus the professional security community on the techniques that can be used to take advantage of a web application that is vulnerable to SQL injection, and to make clear the correct mechanisms that should be put in place to protect against SQL injection and input validation problems in general."

Sunday, January 06, 2008

Microsoft reporting services

Some time ago, when I was working at a previous employer, I was part of a team that was evaluating some business intelligence solutions. One of the systems we were evaluating was Microsoft Reporting Services. To get a good understanding of the system I did some trials, installed it on a test server and played around with it. I also printed a lot of documentation to get a good read about things.

Now, cleaning up my office (I have been working on that project for a long time already), I (re)found those prints. To make sure I can find them again, and to give you the chance to also find them online in case you are looking at Microsoft Reporting Services, I have decided to post a little explanation about them and some links.

The first paper is about Philip Morris International and a BI implementation from Microsoft:

"With 40,000 employees servicing markets in more than 160 countries around the world, PMI is continually monitoring a complex array of business data to drive its ongoing success. To continue its leadership in a rapidly changing global market, PMI’s corporate executives and worldwide market managers needed a solution to speed and improve access to consistent sales data across the global organization. They wanted to more quickly access business performance data at the corporate level, and to implement a consistent method for reporting and analyzing information across many different local markets and product brands."

The second paper is about "Business Intelligence and Data Warehousing in SQL Server 2005" and discusses the possibilities of SQL Server 2005 and BI solutions. It also provides some coding examples and is generally a good introduction paper to this subject.

The third paper is from Progressive Strategies and is named "Comparing Business Intelligence Platforms". A short introduction to the paper:

"This white paper compares the features of Microsoft® SQL Server™ 2000 Analysis Services, IBM DB2 OLAP Server 8.1, and Hyperion Essbase 6.5. As you'll learn, Analysis Services has functionality that compares favorably against other offerings such as IBM DB2 OLAP Server 8.1 and Hyperion Essbase 6.5. SQL Server 2000 Analysis Services and Hyperion Essbase 6.5 lead the industry in online analytical processing (OLAP), according to The OLAP Report (www.olapreport.com), and Microsoft has taken a clear lead in the marketplace over Hyperion and the other vendors (Figure 1 OLAP Market Share Page 2). According to The OLAP Report, this lead is sure to increase in 2003. Customers such as MGM Mirage, Starbucks Coffee, and Comp USA have adopted Analysis Services to gain competitive advantages in their respective businesses. Numerous independent software vendors (ISVs), including Ascential Software, Brio Software, Cognos, ProClarity Corporation, Sagent Technology, and Business Objects, have implemented solutions on Analysis Services. It is a more modern, flexible, scalable, and usable OLAP database than Essbase or DB2."

From my short experience with Reporting Services I have to say that it is a really good product from Microsoft and that I really like working with it. I have plans to gain some more knowledge of this platform and will report about it on this weblog, even though it is not Oracle or UNIX/Linux related :-)

Wednesday, January 02, 2008

Oracle Fusion Middleware 11g Technology Previews

Oracle Fusion Middleware 11g Technology Previews are presented on the Oracle website. You can take a peek at SOA Suite, WebCenter, TopLink and Oracle Containers for JEE. You will also be able to view some demos and download the new JDeveloper here.

There are online demos for JDeveloper, which can be found here:

- Java Enterprise Edition 5.0 Application Development with Oracle JDeveloper
- Rich Client (Ajax) JSF Development in Oracle JDeveloper
- JPA Development in Oracle JDeveloper
- Updated SubVersion Support
- Web Services Development in Oracle JDeveloper
- WSDL Editor New Features
- JavaScript Development in Oracle JDeveloper
- Data Visualization and Graphs for JSF
- Geographical Maps and Pivot Table JSF Components
- Developing Geographical Maps and Pivot Tables
- The Gantt Chart Component
- JSF Page Templating
- Oracle ADF Controller - Extending the JSF controller layer
- ADF Business Components - List Of Values
- ADF Business Components - LOV Driven UI

Blogging a full year

One full year of blogging... Having started in 2006, I have now finished a complete year of blogging: the year 2007. For those who are interested, I have placed the visitor results here (2006 and 2007):