O SpecGold OracleBusIntApps7 clr



   Call us now 

  Manchester Office

  +44 (0) 8450 940 998




John's Blog

This is my blog of various topics, from things that I think might be useful to others, to things that I just find interesting personally. If you have any comments or questions on any of my posts then please do ask - any positive contribution is very much welcomed.

  • Home
    Home This is where you can find all the blog posts throughout the site.
  • Categories
    Categories Displays a list of categories from this blog.
  • Tags
    Tags Displays a list of tags that have been used in the blog.
  • Bloggers
    Bloggers Search for your favorite blogger from this site.
  • Team Blogs
    Team Blogs Find your favorite team blogs here.
  • Login
    Login Login form
John Keymer

John Keymer

My primary area of interest and expertise is Oracle E-Business Suite, particularly Foundation, Human Resources, Payroll, Time and Labor, Warehouse Management and Inventory. Whilst I prefer to focus on functional aspects I do have a keen interest in technical areas too such as SQL tuning/the optimizer, Application Express (APEX), Unix (particularly Linux) and general development.

Oracle APEX Exploitation - Part 1

I decided to write a short series of posts detailing some different mechanisms that a malicious user may use to "attack" an application written in Oracle Application Express (Apex) - note - "Attack" is used loosely here in that it is more of "making the application perform in a way it was not intended". These posts are not intended to be instructional, more they are intended to assist the developer in ensuring their applications are written to a standard which protects against such attacks. It should be noted from the outset that none of the techniques illustrated infer there is a security issue with Apex - Apex is secure for all intents and purposes - any security vulnerabilities are 99%+ of the time due to the developer not implementing appropriate defences. Some of them are quite obvious, however some may not be so. I won't be using any fancy tools - just a browser with developer plugins.
I'll try to explain a problem under a number of headings.

  • The mechanism of the attack
  • The implications
  • How to defend against it

It of course goes without saying that all liability is relinquished - anything you do to your own (or other's) applications is entirely at your own risk.

I am using a sandpit application on to demonstrate, which can be accessed here.
So with that said, the first thing I'd like to show is by far the most simple - URL Parameter Modification. I'll then work through more complex and intricate attacks in subsequent posts.

Last modified on Continue reading
Tagged in: APEX
in Techniques 158 0

A while back I posted instructions on how to create an organization/position chart in Oracle APEX using the Google Charts API. That was a little manual and not massively simple, so I have encapsulated that process into an APEX plugin which is released Apex.World. The GitHub project page can be found here which is the master repository for this plugin.

Please feedback any issues through the issue tracker and feel free to offer any suggestions (or clone the repo and contribute).



Last modified on Continue reading
Tagged in: APEX APEX 5.1
in Technical 322 0

Whilst working on a client project recently I created a page in APEX with a number of different regions, selectable via a Region Selector. The way this page was to be used, the user may not always want to click on every single region each time they use the page. Unfortunately the default behaviour with APEX is that all regions are rendered on the page at load time, so if some queries take a short while to run then your user is waiting for data to return that they aren't even going to use.
What I really wanted was for the code in the region to only actually run when the user chose the region from the selector. I even posted on the OTN Forums to ask if anyone had done similar in the past. Ultimately though it seemed nobody has, so I thought I'd give it a try.

To explain the concept first, this idea works by creating a page item which is checked in a query predicate. i.e.

Select *
  From my_table
 Where :p1_show_data = 'Y';

We take advantage of the fact that the optimizer can deduce that if :p1_show_data does not equal 'Y' then the query is going to return all rows.
By exploiting that, we can devise a solution where our region queries check the value of an item which is empty when originally rendered, however is populated when the region is refreshed - and we trigger a refresh of the corresponding region when the user selects a tab.

Here is how I achieved this (note - demo done in APEX 5.1.2, however should be backwards compatible across at least APEX 5.x).

First we create a hidden page item that restricts the queries. I created one called P1_SHOW_REGION. Then we modify our queries to take advantage of this.

select * from table(delay_table(5))  where :P1_SHOW_REGION is not null

My delay_table is simply a pipelined function that takes a value and waits that number of seconds to return values - it lets me test the report regions by simulating a long-running query. I'll post the code in the comments.
Next I created a before header process which resets the session state for the item - ensuring it is blank when the page loads.

Blank Item

Then I created a computation firing after regions which sets the value to "Y" - so the value is set in the session state ready to be used by our region refresh process.

Set Value

Finally I created the following JavaScript snippet and added this to the Execute When Page Loads section of the page definition.

var regionSelectorShown = new Array("Empty");

$(".apex-rds").data("onRegionChange",function(mode,activeTab) {
  if (typeof regionSelectorShown[activeTab.href] === 'undefined') {

Execute on Page Load

So what is that doing? We are adding a callback on the onRegionChange event, which when triggered adds the name of the region (activeTab.href) to the array regionSelectorShown. This is purely so once we have shown the region within a page, we don't re-execute the query again if the user tabs out and back in again. Then we call the apexrefresh trigger passing in the region name to the jQuery selector - this causes a partial page refresh (PPR) of the region - which now sees the value of :P1_SHOW_DATA as "Y" and thus executes the query in full.
Now we see when we load the page, the region shown first fires the callback and shows initially. Then as we click through other regions, we get the processing icon (whilst waiting for the data to come back via my delay_table function) and the region shows. If we tab out and back in again, we don't re-call the refresh process as the regionSelectorShown array has a value indexed by the region ID indicating we have already shown it and so don't need to again.

Region Loading


Region Loaded

As always, there is always room for improvement and extension of this - if you do so then I'd really appreciate it if you could drop me a line in the comments so others can benefit. It would be nice (and I'd have thought relativly easy) if this kind of functionality was considered for inclusion in the standard APEX build as a feature in future releases.

Last modified on Continue reading
Tagged in: APEX
in Technical 529 1

A while back I created a post describing how to produce an organization chart in Oracle APEX using Google visualizations. If you didn't catch that then go and take a look here first before reading on as it will provide the background reading to this post.

So in this post I am going to demo how we can do this in OBIEE - and it's actually quite easy because OBIEE has already done a lot of the work for us.

First we need a level based hierarchy (or even just a representation of a hierarchy as levels across columns). This is how all BI Applications hierarchies are implemented, for example the organization and position hierarchies. I am going to use SampleApp with the "Sample Sales"."Offices" hierarchy.


Then we simply select all the columns in our hierarchy into a simple analytic. As we have multiple top level nodes I have applied a filter to restrict to just one company, however this isn't necessary - if you have multiple top level nodes then you simply get multiple trees.


If we use the default Table view then we see something like this. Note I have changed the column order in this view simply to make the hierarchy structure clearer.

Table Results

Last modified on Continue reading
Tagged in: OBIEE Oracle BI 12c
in Techniques 854 2

A question that comes up all the time on the OTN Forums is "How do I know who updated this record?". Generally the response is to point the member in the direction of the last_updated_by column on the table. The next question often then comes up... So how do I see what the old value was?". Hmmmm... a little more tricky. We can try to look at flashback query however if the update was more than a few hours ago on a busy OLTP system then the chances are the undo has been cleared out. Sometimes we get lucky and the table holds a date-tracked history (HRMS tables for example). But usually it's just tough luck - once the data has been overwritten, it's gone (without resorting to backups).
So if you have some important tables in your E-Business Suite system that you wish to track changes on such as this, then you might want to consider enabling AuditTrail on those tables. It doesn't require any additional licences and is relatively easy to configure. Rather than just narrating what it does, I'll explain with an example.

Assume we have a concern that somebody might update the definition of a form function in EBS and do things we should be tracking; things like altering the parameters to the form. First we need to know what table(s) the data is being maintained in. There are several ways to do this, however often the easiest it to simply do Help > Record History or Help > Diagnostics > Examine > [SYSTEM|LAST_QUERY] and track the view through to the base table(s). So in our case it is fnd_form_functions.

Form Last Query

In order to use AuditTrail the table needs to be registered with the application. For standard tables this is (generally) done - you can check for the existence of a record in FND_TABLES - however for custom tables you'll need to register the table using ad_dd.register_table and ad_dd.register_column, then register the primary key of the table using ad_dd.register_primary_key and ad_dd.register_primary_key_column. Unfortunately there isn't a screen with update capabilities to do this. What I do for custom tables is use a script which reads the data dictionary for a given table and does all this for me. Anyway, once we have the table registered, we need to enable the owner of that table for auditing. In the System Administrator responsibility, navigate to Security > AuditTrail (all our configuration will be done via this menu path) and select the Install option. For our table, fnd_form_functions, the owner is APPLSYS.

SQL> Select owner, table_name
  2  From all_tables
  3  Where table_name='FND_TABLES';

OWNER                          TABLE_NAME
------------------------------ ------------------------------
APPLSYS                        FND_TABLES

In my vision instance this user is already enabled.

Enable User for Auditing

Next we need to create an Audit Group - this is a logical grouping of like audited tables. Navigate to the Groups menu option and we'll create that. Note that we have to set the initial status to Enable Requested. This is very important.

Last modified on Continue reading
Tagged in: E-Business Suite
in Technical 649 0