This week’s missive is coming to you from the netbook. Deb and I have pushed the boat out this year and we’re currently in Canada for our holiday.
This has nothing at all to do with Oracle External Tables, but does explain the flavour of the examples that follow. Continue reading →
Deb has come to the conclusion that, when on a long car journey, I’m not a great passenger.
“Are we nearly there yet ?” I enquire politely…usually around five minutes into a four-hour journey.
“No, not yet”, comes the patient reply.
“Are we almost nearly there yet ?”
“No, I’ll let you know when we are”, she responds with iron patience.
A few minutes pass…
“Are we almost nearly almost there ?”
At this point, I’m usually offered the option of walking the rest of the way.
It’s the same with long-running programs on the database. I want to know how far it’s gone and how far it’s got to go.
Oh, what Deb would do for an in-car equivalent of DBMS_APPLICATION_INFO.
Deb would probably have some sympathy with the DBA who gets a call from a user who has a process running and is, essentially, asking “are we nearly there yet ?”
Fortunately, with a bit of foresight and the judicious application of a little DBMS_APPLICATION_INFO magic, the answer to this question is right there in V$SESSION, or even V$SESSION_LONGOPS. Continue reading →
Regular readers of this blog ( hello Mum) will have noticed that I’ve been a bit quiet lately.
Having tired of my life of leisure, I now have a proper job and have consequently been a little bit busy.
I have though, had time to reflect on the question of Oracle database upgrades and why they are never ever standard.
“We’ve decided to upgrade the database”. Those words are bound to strike equal amounts of anticipation and abject terror into the heart of any DBA…or at least, any DBA who has gone through an upgrade before.
To be fair, it’s not the upgrade itself that is going to cause the problem, it’s all of the misconceptions that come with it.
The CIO/IT Manager/Project Manager is almost bound at some point to come out with one of the following gems :
“We don’t need to test, the application code will still work in exactly the same way”
“We need to upgrade/move our servers/Application/Operating System anyway so we can do it all at the same time to minimize downtime.”
“According to the salesman Oracle can now make the tea, so it must be true.”
My personal favourite is from a person who shall remain nameless :
“We want to be fast-followers. X team is upgrading their database in July so we should be done by June”. Continue reading →
Whilst we’ve been able to establish that the PL/SQL solution we implemented does not suffer the same vulnerability to injection as the concatenated SQL statement, this does lead us to a further question – does using PL/SQL automatically render us immune from injection attacks ?
For the purposes of this post, I’m going to leave PHP to one-side and concentrate on the PL/SQL side of the matter. Continue reading →
My son, Michael ( yes, it is the only name I can spell), is currently following in his father’s footsteps and studying Computer Science.
As is only natural, he does occasionally have the urge to rebel against all that his parents hold dear. In his case he’s rejected the path of light and Linux and has become … a Microsoft Certified Professional. Oh the shame. Where did I go wrong ?
All of which links, if somewhat tenuously, to the subject at hand. When he took his first steps into the world of programming, we had a look at PHP ( as part of a LAMP set-up, naturally).
In one of the introductory manuals, we came across an example of how to authenticate web users against a database.
The author was clearly trying to introduce various language concepts and would certainly not claim that his example was intended for production use. However, with a bit of tweaking for use against an Oracle database, it does offer a very clear illustration one area of the potential vulnerabilities of web applications to SQL Injection attacks. It also offers the opportunity to illustrate a major benefit of using bind variables in queries against Oracle – i.e. protection against SQL Injection.
I know that a fair few people who stumble across this site are new to Oracle and want to play around with Oracle XE. These people are also usually pretty experienced in other technologies (hi Wayne, hope you’re still enjoying all that sunshine).
So, the purpose of this post is to :
Illustrate the way in-line SQL statements can be injected
Show how this can be countered in an Oracle database by use of bind variables
Have a look at letting Oracle handle user authentication
Celebrate the visionary genius of Messrs Young, Young and Johnson. “For Those About to Rock” was not merely an album of raucous Blues-based Heavy Metal, but a prophecy about the potential pitfalls of Web Application development.
Oh, and give you the chance to laugh at my PHP prowess ( or lack thereof)
As I’m between jobs at the moment, I’ve had time to sit and reflect on possible future career directions.
With Deb’s help and inspiration (“if that washing isn’t done by the time I get back, there’ll be trouble!”) I think I may have come up with something.
Yep, I’m looking into the possibility of becoming an Evil Genius and Megalomaniac. After all, I’ve already got the alter-ego – I mean, “The Anti-Kyte”, that’s never going to be a super hero name, is it ?
Apart from that, there’s also the costume to consider. Let’s face facts here, mine is just not a figure that would be flattered by brightly coloured spandex.
If I’m going to run an efficient evil empire, I’ll need a properly designed and efficient data-driven application. Everything must be thoroughly tested. The temperature control on the piranha tank failing or some meddling super-spy escaping the cunningly planned trap at a crucial moment could do untold damage to the share price.
A suite of automated tests that I can run repeatedly to verify both functionality and performance under load is a must-have.
In that case, I’m going to need a way of running my test suite, then quickly rolling back the resultant database changes, fixing any problems and running it all over again.
It’s time to take a fresh look at the Flashback functionality available in the Oracle Database. Continue reading →
Oh the tension. 2-0 up at half-time. Visions of last-day drama and an eleventh-hour escape floating tantilisingly before my eyes. Then, grim reality. A second-half collapse and the prize is snatched away once more. So, this is what it must be like to be an Arsenal fan.
I know that they say misery loves company, but it’s not really any consolation. Yes, my beloved West Ham have been relegated from the Premiership.
In an effort to rouse myself from the resultant depression, I decided to have a look at addressing one of those minor annoyances that I’m always intending to get around to but somehow never quite do. In this case, it’s how to get confirmation that my Oracle XE database has started before trying to connect to it ( and that it’s shut down before I turn off my computer). Continue reading →