I'm looking for tips in debugging some of my row-level security predicates in an Oracle database. These predicates use a few concepts to determine whether the current user can see a record:
current user's Oracle username
current user's assigned Oracle roles
current user's affiliation with a record in one or more tables
I'm having trouble debugging this kind of thing on real data because I can't figure out a good way to simulate actually seeing what a specific user could see. So, I'm looking for tips. Is there a good basic framework for this kind of thing?
Here's an example of one of my predicates:
predicate := 'project_id in (' ||
'(select upr.projectid project_id ' ||
'from chemreg.usergroups_projects_vu upr, ' ||
' chemreg.usergroups_personnel_vu upe, ' ||
' chemreg.personnel pe ' ||
'where upr.usergroupid = upe.usergroup_id ' ||
' and upe.personnel_id = pe.person_id ' ||
' and upper(pe.username) = USER) ' ||
'union ' ||
'(select project_id from chemreg.project ' ||
'where active = ''Y'' and private = ''N'' ) )';
If you're trying to work out why some rows are appearing when they shouldn't, and/or why some rows are not appearing when they should, try this:
Remove all the row-level security predicates.
Run the queries, but add in the row-level security predicates by hand.
Check the results.
You can then easily change the predicates one by one (e.g. comment out individual bits) until you work out why they are giving the unexpected results.
Related
I am trying to create and execute a dynamic SQL statement (using Oracle PL/SQL) and when things didn't work I condensed it to the below two code snippets:
My understanding was that the following two statements would be equivalent (table_name, row_name and row_value are all VARCHAR2 strings):
query_statement VARCHAR2(1000);
-- variant a:
query_statement := 'select * from ' || table_name || ' where ' || row_name || ' = ' || row_value;
dbms_output.put_line('query="' || query_statement || '"');
execute immediate (query_statement);
-- variant b:
query_statement := 'select * from :table where :row = :value';
dbms_output.put_line('query="' || query_statement || '"');
execute immediate (query_statement) using table_name, row_name, row_value;
But not so! The first variant works fine, the second always fails with an error:
** An error was encountered: -903 ORA-00903: invalid table name
From a readability point of view I would prefer variant b but I don't get, why that second variant fails and why the table_name is flagged as wrong. After all that very same name obviously works in variant a. The emitted queries also looks identical to me - of course modulo the fact that the second string still contains placeholders only while the first string contains already concrete values.
Could some kind soul shed some light on this? Why is variant b not working? What am I missing?
As mentioned by #William, usage of bind variable as Tablename is prohibited. On similar lines, you cannot use bind variables as Column Names and Order By clause as well.
Although this is not documented anywhere but its important to note that replacing these ordinal notation affects the execution plan.
You can't use a bind variable as a table_reference. As documented in the link, the table_reference must be static part of the statement.
select * from :table -- ILLEGAL
Contrary to that the usage in the WHERE clause is allowed
where :row = :value -- LEGAL, but questionable
but it doesn't do what you expect. The whereclause returns TRUE, if both bind variables passed are same.
I.e. it is equivalent to
where 'name' = 'xxxx'
and not to
where name = 'xxxx'
I have two problems in my Interactive Report APEX 4.2.5 application. I have seen several examples of this functionality but they have not help me so far..
1 - In the report SELECT statement I am selecting some of the fields using apex_item.text, as I want user to be able to updated these fields. This part is working fine. My problem is with writing the updated values back to a table (the SELECT is on a view). I have a SQL Autonomous block process that is supposed to be doing this (looping through the rows and accessing values using APEX_APPLICATION.G_Fxx) but it is not working. No errors are returned after Submit, instead the values revert to original values. How can I get these updates to save in the table?
2 - Within the SQL process I have enabled and added some APEX_DEBUG.MESSAGE statements, but I do not see the result of these statements anywhere in the debug log or table. How can I see the result of these debug commands?
Here is the SELECT:
select REQUISITION_LINE_ID
,apex_item.hidden(50,REQUISITION_LINE_ID,10,10) rid
,REQ_NUMBER
,REQ_LINE_NUMBER
,REQUISITION_QUANTITY
,SO_NUMBER
,SO_LINE
,ORDERED_QUANTITY
,SKU
,DESCRIPTION
,apex_item.text(10, SUPPLY_PO_NUMBER, 10, 10) SUPPLY_PO_NUMBER
,apex_item.text(20, SUPPLY_PO_LINE, 10, 10) SUPPLY_PO_LINE
,apex_item.text(30, SUPPLY_PO_SHIPMENT , 10, 10) SUPPLY_PO_SHIPMENT
from camlb.xxcb_requisition_reference;
And here is the SQL process:
declare
id number;
poorder number;
poline number;
poshipment number;
begin
APEX_DEBUG.ENABLE(p_level => 9);
for i in 1..APEX_APPLICATION.G_F50.count
loop
id := APEX_APPLICATION.G_F50(i);
poorder:=APEX_APPLICATION.G_F10(i);
poline:=APEX_APPLICATION.G_F20(i);
poshipment:=APEX_APPLICATION.G_F30(i);
APEX_DEBUG_MESSAGE.LOG_MESSAGE('ID is ' || id || ', PO is ' || poorder || ', SUPPLY_PO_LINE is '|| poline || ', SUPPLY_PO_SHIPMENT is ' || poshipment);
APEX_DEBUG.MESSAGE('ID is ' || id || ', PO is ' || poorder || ', SUPPLY_PO_LINE is '|| poline || ', SUPPLY_PO_SHIPMENT is ' || poshipment);
update APPS.po_requisition_lines_all
set ATTRIBUTE1=poorder,
ATTRIBUTE2=poline,
ATTRIBUTE3=poshipment
where requisition_line_id=id;
end loop;
end;
Note, the checkbox array will be dense, while your text box arrays are sparse, thanks to HTML behaviour. There are a few posts out there on this topic, plus some other general checkbox processing posts https://www.talkapex.com/2009/01/apex-report-with-checkboxes-advanced/
You need to put your application in debug mode, using the developer toolbar usually found at the bottom of your runtime page (if you're also logged into the builder).
This will set the relevant URL parameter to YES. Look for the log related to the page submit, not render. It might also pay to log the relevant array counts before entering the loop.
I've been tasked to do a bit of data discovery work. I'm working with our in house application, and I need to determine the first few tables that get hit when we do specific actions in the application. I have no intimate knowledge with the DB other than the fact that there are 1000 different tables I need to account for.
During my search, I came across this link https://lalitkumarb.wordpress.com/2015/01/06/sql-to-search-for-a-value-in-all-columns-of-all-atbles-in-an-entire-schema/
Which is exactly what I need, but when I run it it's not returning any data. I've confirmed that it's not working as intended by going and grabbing some data that I KNOW is in the DB and searching for that.
Here's the query I'm running
SELECT DISTINCT SUBSTR (:val, 1, 11) "Searchword",
SUBSTR (table_name, 1, 14) "Table",
SUBSTR (column_name, 1, 14) "Column"
FROM cols,
TABLE (xmlsequence (dbms_xmlgen.getxmltype ('select '
|| column_name
|| ' from '
|| table_name
|| ' where upper('
|| column_name
|| ') like upper(''%'
|| :val
|| '%'')' ).extract ('ROWSET/ROW/*') ) )
ORDER BY "Table"
/
When I execute this query, TOAD pops up with a Variables screen in which I specify the type and value of :val. I hit OK, the query executes and returns nothing.
Am I missing something?
I had a file that I was processing and it was constantly giving me errors. After some checking I realized that it had some special characters that were hidden.
I have just manually found the hidden characters and made a simple replace like
REPLACE( String,'', '')
How could I prevent this from happening in the future?
I have tried to make a table that stores these hidden ascii characters which are in the range from 125-255 but the database does not store them accordingly.
For example chr(168) is not the same as ascii 168.
select chr('168'),
convert(chr('168'),
'US7ASCII',
'WE8ISO8859P1')
from dual;
What else can I try?
Easy to write, but not the fastest to execute - using regexp_replace:
update table_name
set column_name =
regexp_replace(column_name, '[' || chr(125) || '-' || chr(255) || ']', '')
;
More efficient, but a pain in the neck to write and maintain (you can write some code to generate the code though, to save some typing):
...
set column_name =
translate(column_name, '~' || chr(125) || chr(126) || ..... || chr(255), '~')
;
Yes, with translate() you will have to spell them all out, no "range" concept... {:-(
That's to change the data already in the tables. It would be even better to fix the data as it is coming in, if you can - using a similar transformation.
I have to construct a block to pull information from two tables using a cursor. As a further challenge, I have to identify the first item on the pull. I tried to use an IF statement to work through this. It errors out in several areas and I have no idea what I am doing wrong. Not asking for the answer per say, just enough of a push to get me moving again. Thanks. Here is the code I've put together so far:
DECLARE
CURSOR cur_pled IS
SELECT dd_pledge.idpledge, dd_pledge.pledgeamt, dd_pledge.paymonths, dd_payment.paydate, dd_payment.payamt
FROM dd_pledge, dd_payment
WHERE dd_payment.idpledge = dd_pledge.idpledge AND
dd_pledge.idpledge = 104
ORDER BY dd_pledge.idpledge, dd_payment.paydate;
TYPE type_pled IS RECORD
(pledID dd_pledge.idpledge%TYPE,
pledAmt dd_pledge.pledgeamt%TYPE,
payMonths dd_pledge.paymonths%TYPE,
payDate dd_payment.paydate%TYPE,
payAmt dd_payment.payamt%TYPE);
rec_pled type_pled;
lv_id_num dd_pledge.idpledge%TYPE := 0;
BEGIN
OPEN cur_pled;
LOOP
FETCH cur_pled INTO rec_pled;
EXIT WHEN cur_pled%NOTFOUND;
IF rec_pled.type <> lv_id_num THEN
DBMS_OUTPUT.PUT_LINE('First Payment');
ELSE DBMS_OUTPUT.PUT_LINE('Other Payment');
END IF;
END LOOP;
CLOSE cur_pled;
DBMS_OUTPUT.PUT_LINE(pledID || ' ' || dd_pledge.pledgeamt || ' ' ||
dd_pledge,payMonths || ' ' || dd_payment.payDate || ' ' ||
dd_payment.payAmt);
END;
There are loads of errors in your code. If you had formatted it correctly, you would have spotted some of them yourself!
Things that leapt out at me:
You're referring to dd_pledge in the final dbms_output.put_line, but dd_pledge isn't a variable. I think you meant to use rec_pled instead.
You refer to pledID in your final dbms_output.put_line statement - but this is a field defined in the record type, NOT a defined variable. I think you probably meant to use rec_pled.pledid
You're selecting the results of the cursor into rec_pled.type - however, "type" is not a field declared in the type_pled's definition! Did you mean rec_pled.idpledge instead?
You have dd_pledge,payMonths in your final dbms_output.put_line statement - the comma should be a full stop: rec_pled.payMonths
You're outputting the results after you've closed the results. Because this is just a record variable, you're only going to be outputting the results from the last row in the query.
Why aren't you doing a cursor for loop? That takes care of the exiting and declaring a record for you.
Anyway, I think you can achieve your results by using an analytic function in your query, rather than needing to use PL/SQL to do the work:
SELECT plg.idpledge,
plg.pledgeamt,
plg.paymonths,
pay.paydate,
pay.payamt,
case when row_number() over (partition by plg.idpledge, pay.paydate) = 1 then 'First Payment'
else 'Other Payment'
end type_of_payment
FROM dd_pledge plg
inner join dd_payment pay on (pay.idpledge = plg.idpledge)
--WHERE plg.idpledge = 104 -- add back in if you really need to do it for a single id
ORDER BY plg.idpledge, pay.paydate;