Duncan Mein's Blog

Recently our test department raised a bug against one our applications that occurred when trying to insert a record into a table. The error message encountered was a fairly innocuous " ORA-01704: string literal too long ". Following the test case to the letter, I successfully generated the same error and located the table that the APEX form was inserting into. A quick check of the Data Dictionary confirmed that the column in question was of type VARCHAR2(10). At this stage, I though the obvious cause was that there was no limit on the APEX form item (a Text Area) of 10 characters. Having checked the item in question, not only was there a “ maxWidth ” value of 10, the text area had been created with a “ Character Counter ”. Strange then how a form item accepting 10 characters was erroring whilst inserting into a column of VARCHAR2(10). A little while later...... (after some head scratching and several discussions with our DBA’s and a colleague) the problem was all too clear. S

The following query is a very simple way of identifying all report columns within your APEX application that may be exposed by Cross Site Scripting (XSS). XSS allows an attacker to inject web script (JavaScript) into an application and when this is rendered in the report, the script is interpreted rather than rendered as text. To safe guard against this attack, APEX provides a "Display as Text (escape special characters)" report column attribute that can be applied to classic and Interactive Reports. This causes the script text to be displayed as text rather than interpreted by the browser. If you have any markup (HTML) within your query that the report is based on, this markup will also be displayed as text and not interpreted. I personally think this is a good by product as you should not really be coding look and feel into your raw SQL. Anyway I digress. Here is the query that will identify all vulnerable report columns within your APEX application: SELECT application_id

I have been using Oracle SQL Developer Data Modeller for a while now within a Windows XP environment. It seems pretty good (albeit a little slow but hey show some an Oracle Java client application that is quick. Oracle Directory Manager?, OWB Design Centre? I shall labour this point no more) and I was looking forward to trying it out on my new 27" iMac. I promptley downloaded the software from OTN and a quick read of the instructions suggested I need to do no more other than run the datamodeler.sh shell script since I already had Java SE 6 installed. As it turns out, the datamodeler.sh script in the root location does little more than call another script called datamodeler.sh found in the /datamodeler/bin directory which is the once you actually need to execute to fire up SQL Data Modeler When this script runs, it prompts you for a the full J2SE file path (which I had no idea where it was) before it will run. After a quick look around google and I came across the command: java_ho