Home » SQL & PL/SQL » SQL & PL/SQL » encoding using UTL_I18N.ESCAPE_REFERENCE (10g)
encoding using UTL_I18N.ESCAPE_REFERENCE [message #571225] Thu, 22 November 2012 05:34 Go to next message
rahul.rathi
Messages: 3
Registered: November 2012
Location: India
Junior Member
Hi All,

I am facing a problem with UTL_I18N.ESCAPE_REFERENCE.
In my project to protect against xml injection problem the data entered by the user is being encoded and passed to database.

for any special characters received as input, the application encodes this data
eg if the user enters encoded
< &#x3c;
> &#x3e;
And so on.

I can use the UTL_I18N.UNESCAPE_REFERENCE function and get the exact string entered by user.

Select UTL_I18N.UNESCAPE_REFERENCE('&#x3c;&#x3e;') x from dual;

Output
x
------
<>

But when i use the UTL_I18N.ESCAPE_REFERENCE function to encode the above output it gives me some other string

Select UTL_I18N.ESCAPE_REFERENCE('<>') x from dual;

Output
x
------------
&lt;&gt;

Can someone please help me get the string to encoded to original i.e '&#x3c;&#x3e;'.


Thanks in advance
Rahul.

Report message to a moderator

Re: encoding using UTL_I18N.ESCAPE_REFERENCE [message #571230 is a reply to message #571225] Thu, 22 November 2012 05:48 Go to previous messageGo to next message
Michel Cadot
Messages: 68770
Registered: March 2007
Location: Saint-Maur, France, https...
Senior Member
Account Moderator
Here's a first step:
SQL> select ltrim(replace(utl_url.escape('<>'),'%',';&#x')||';',';') from dual;
LTRIM(REPLACE(UTL_URL.ESCAPE('<>'),'%',';&#X')||';',';')
-------------------------------------------------------------------------------
&#x3C;&#x3E;

Regards
Michel

Report message to a moderator

Re: encoding using UTL_I18N.ESCAPE_REFERENCE [message #571357 is a reply to message #571230] Sat, 24 November 2012 07:03 Go to previous messageGo to next message
rahul.rathi
Messages: 3
Registered: November 2012
Location: India
Junior Member
Hi Michel,

Thanks for the quick response. But the solution provided will not work as its just for a selced few charachters i can replace. but there can be may other characters that needs to be replaced. I think there should be some other function provided by oracle to achieve this. From my findings the values i am looking for are hex. Please refer to below link.



htmlhelp.com/reference/html40/entities/special.html

just check this link.

[Updated on: Sat, 24 November 2012 07:12]

Report message to a moderator

Re: encoding using UTL_I18N.ESCAPE_REFERENCE [message #571359 is a reply to message #571357] Sat, 24 November 2012 08:44 Go to previous messageGo to next message
Michel Cadot
Messages: 68770
Registered: March 2007
Location: Saint-Maur, France, https...
Senior Member
Account Moderator
Quote:
but there can be may other characters that needs to be replaced.


Did you test for the other characters?

Quote:
Please refer to below link.


If these are the limited list then you can either statically implements it in the query to trasnform what you don't want into what you do or use a reference table to do so.

Regards
Michel

[Updated on: Sat, 24 November 2012 08:46]

Report message to a moderator

Re: encoding using UTL_I18N.ESCAPE_REFERENCE [message #571424 is a reply to message #571225] Sun, 25 November 2012 22:06 Go to previous messageGo to next message
rahul.rathi
Messages: 3
Registered: November 2012
Location: India
Junior Member
I did try for other characters but the problem is i don't have the extensive list.

What I wanted to understand was is there any standard Oracle function to do so, might be some parameter in convert function or in Escape_Reference function, for the values seem to be the hex value of the value i am currently getting.

Quote:

Please refer to below link.


Since I am new to the forum i am not able to put the link over here. I just skipped the initial http part.

Regards,
Rahul

Report message to a moderator

Re: encoding using UTL_I18N.ESCAPE_REFERENCE [message #571430 is a reply to message #571424] Sun, 25 November 2012 23:48 Go to previous message
Michel Cadot
Messages: 68770
Registered: March 2007
Location: Saint-Maur, France, https...
Senior Member
Account Moderator
Quote:
I did try for other characters but the problem is i don't have the extensive list.


So which characters you have found and does not fit your need? Post your case as I did.
If you have no list, hiw will you know the result is correct or not?

Quote:
What I wanted to understand was is there any standard Oracle function to do so,


Yes... but as I am a bastard I prefer to give you fuzzy alternate solutions. Smile

Quote:
Since I am new to the forum i am not able to put the link over here. I just skipped the initial http part.


I read it and so my remoark on the limited list.
If you have no list, the only way is to convert ALL characters in hexadecimal values.

Regards
Michel

Report message to a moderator

Previous Topic: how to fetch two times the same explicit cursor:first make a total,second divisions by total
Next Topic: single-row subquery returns more than one row
Goto Forum:
  

[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Sat Sep 06 22:02:19 CDT 2025
.:: Forum Home :: Blogger Home :: Wiki Home :: Contact :: Privacy ::.