Re: Owarepl : Is this a bug or feature?

From: Thomas Kyte <tkyte_at_us.oracle.com>
Date: 1997/06/22
Message-ID: <33ad8603.2838912@newshost>

It's definitely a feature.

On 22 Jun 1997 11:14:29 GMT, aak2_at_Ra.MsState.Edu (Atif Ahmad Khan) wrote:

>
>I have been using Owarepl downloaded from govt.us.oracle.com for a while
>with Apache now and find it an invaluable utility. I however noticed that
>when using it with forms that send data using the POST method, it automatically
>decodes the incoming query_string and forwards the information in separate
>variables. This can raise a problem with dynamic forms where you don't know
>what variables are coming in. Whereas if all the values were passed as one
>string you could analyze the data and setup variables accordingly in the
>PL/SQL procedure. I am planning to modify the code of owarepl to make it
>forward the encoded string in a variable also. Am I doing something that is
>a NO NO? I thought I'd check before I'd start playing the owarepl code.
>

(I think you mean GET in the above; with GET, query_string is set, with POST we read from stdin.)

It's not a no-no, just a different way of approaching the problem. OWA Repl (OWA Replacement) mimics the functionality of the Oracle Web Agent you get from the Oracle Web Server. Its main (only) goal in life was to map a URL to a stored procedure call. It takes:

http://yourhost/ConnectInfo/owa/StoredProcedureName?Variable=Value&....

And turns it into

begin
  StoredProcedureName( Variable => Value, Variable => Value.... );
end;

Rather than passing in the query_string and having the first line of each and every stored procedure be a call to a parse routine to undecode the query_string or posted information, we pass them in as IN parameters.

It wouldn't be hard to change the way it works to pass the query string on through. You cannot make it 'forward the encoded string in a variable ALSO' but rather 'forward the encoded string in a variable INSTEAD'. If you don't know the names/number of form variables at the time you compile the pl/sql routine, you can't build a pl/sql routine to deal with having the values passed as inputs. Right now, it already does pass the query_string on through (owarepl does, OWA does not) when using GET, but it also parses it out. Try:

create procedure showenv( x in varchar2, y in varchar2 ) is
begin
   owa_util.print_cgi_env;
end;
/

If you call this via:

  dcd/owa/showenv?x=5&y=10

You'll see the query_string variable (but you NEEDED to have showenv accept x and y; it'll fail if showenv doesn't take x and y as inputs).

>Also I just learned about this Oracle tag feature. New feature in a newer release
>of owarepl. I am storing all the information I am receiving from the web
>in the schema of the user who is also the owner of owa and the stored procedures.
>Does the Oracle tag allow me to do a 'select' on any of the tables of this user?
>I read the security paragraph in the online documentation of the Oracle tag
>and it seems pretty secure in that regard, but I just wanted to make sure.
>

You need to figure out what logon is being used with your DCD to see what tables are accessible. If you are using a DCD that gets its logon from the owa.cfg, it's the tables that user can see. If you are using a DCD that gets its logon/password from the user at runtime using basic authentication, then it's that user's list of accessible tables you will see.

The big difference between the oracle tag and just running a procedure is that ROLES are active with the oracle tag but not so with the procedure (roles are never active in a procedure). For example, try this:

create procedure show_count_of_tables
is
   l_n number;
begin
   select count(*) into l_n from all_objects;
   htp.p( 'We see ' || l_n || ' things' );
end;

Run that from the web and see how many objects your procedure can see. Then, create a page:

....
<oracle>
declare
   l_n number;
begin
   select count(*) into l_n from all_objects;
   htp.p( 'We see ' || l_n || ' things' );
end;
</oracle>
....

Now, since roles are enabled, you'll 'see' more stuff.

>Atif Khan
>aak2_at_ra.msstate.edu

Thomas Kyte
tkyte_at_us.oracle.com
Oracle Government
Bethesda MD

http://govt.us.oracle.com/ -- downloadable utilities
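An added example, not owarepl's code or Tom's: a Python sketch of the URL-to-procedure-call mapping described above, with parameter names validated as plain PL/SQL identifiers and values handed over as bind variables rather than spliced into the anonymous block. The SIGNATURES table is a hypothetical stand-in for the data dictionary, used to reproduce the failure Tom mentions when the procedure does not accept the incoming names.

```python
import re
from urllib.parse import parse_qsl

# A plain PL/SQL identifier: letter first, then letters, digits, _, $ or #, max 30 chars.
IDENT = re.compile(r"^[A-Za-z][A-Za-z0-9_$#]{0,29}$")

# Hypothetical stand-in for the data dictionary: the formals each procedure accepts.
# showenv(x, y) is the procedure from the post; it is the only one registered here.
SIGNATURES = {"showenv": {"x", "y"}}


def build_call(procedure, raw):
    """Map StoredProcedureName?a=1&b=2 to an anonymous block with named parameters.

    `raw` is the encoded pair list: QUERY_STRING for GET, the body read from stdin
    for POST; both decode identically. Returns (block, binds) where every value is
    a bind (:1, :2, ...) so no request data ever lands inside the PL/SQL text.
    """
    if not IDENT.match(procedure):
        raise ValueError(f"bad procedure name: {procedure!r}")
    if procedure not in SIGNATURES:
        raise LookupError(f"no such procedure: {procedure}")

    pairs = parse_qsl(raw, keep_blank_values=True)  # percent- and '+'-decoded
    names = [name for name, _ in pairs]
    for name in names:
        if not IDENT.match(name):
            raise ValueError(f"bad parameter name: {name!r}")
    if len(set(names)) != len(names):
        # x=1&x=2 would name the same formal twice, which PL/SQL rejects
        raise ValueError("duplicate parameter names")

    # The check Tom describes: the procedure must take every incoming name as a formal.
    unknown = set(names) - SIGNATURES[procedure]
    if unknown:
        raise TypeError(f"{procedure} does not accept {sorted(unknown)}")

    args = ", ".join(f"{name} => :{i}" for i, name in enumerate(names, 1))
    block = f"begin {procedure}({args}); end;"
    binds = [value for _, value in pairs]
    return block, binds


if __name__ == "__main__":
    # dcd/owa/showenv?x=5&y=10 from the post, as the block owarepl would execute
    print(build_call("showenv", "x=5&y=10"))
```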



Opinions are mine and do not necessarily reflect those of Oracle Corporation

Received on Sun Jun 22 1997 - 00:00:00 CDT
