VOOZH about

URL: https://dzone.com/articles/injecting-sql-queries-with-oracle-erp-cloud

⇱ Dynamic SQL Injection With Oracle ERP Cloud

Related

  1. DZone
  2. Data Engineering
  3. Databases
  4. Dynamic SQL Injection With Oracle ERP Cloud

Dynamic SQL Injection With Oracle ERP Cloud

This article covers the steps to create a Dynamic BI Report so SQL can be injected at a run time to the report, which can be useful in building integrations.

By Jan. 11, 21 · Tutorial
Likes
Comment
Save
8.1K Views

Join the DZone community and get the full member experience.

Join For Free

In this previous article, we learned how to design and Develop an Oracle Cloud BI Report. We will use the same Report and convert it Into a Dynamic SQL Injection based Report.

Log in to Oracle Cloud Applications and Go to Tools in the Navigator and click on Reports and Analytics. Click on Browse Catalog to launch the BI workspace.

Data Model Update

  • Log in to Oracle and open the Data Model created in the previous steps. Please update the Data Model with below PLSQL block.
  • As you can see in the screenshot above, query1 is a variable, that will be passed to the Data Model as a base64 encoded string. We will use a standard out of the box function to decode the string to a SQL query and pass it to a cursor to open as a Reference Cursor.
  • Please note that the type of SQL is a Procedure Call.
  • Please check “Bind Parameter Value As Comma Separated String” in case you want to pass multiple SQL statements.
  • Please click OK to save the query screen and save the data model.
  • You can optionally specify the row tag name for the XML output.

Adding Parameters

  • Please click on the Parameters tab and add a parameter to pass the SQL query as input.
  • Add another parameter, xdo_cursor, which acts as a CURSOR output for the result set.
  • Generate base64 encoded string using any Database tool (e.g. SQL Developer).
  • Connect to the Oracle Database using SQL developer and generated base64 String as below. The input SQL statement is as follows: Select person_id from per_all_people_f
  • As reviewed from the output above, Base64 encoded string is c2VsZWN0IHBlcnNvbl9pZCBmcm9tIHBlcl9hbGxfcGVvcGxlX2Y=

Generate Data Model Output

  • Please click on Data Sets, “QueryEmployees,” and click on the data tab and paste the SQL encoded string in the input variable as below:
  • Click the View button to see the data as shown below:
  • As you can see, we have passed the SQL query as an input to generate the output successfully.  In a real-time scenario, we can create a common Data Model and pass SQL queries from the integration layer to get the data.

I hope this will prove to be a useful article for your ERP Cloud work.

sql Enterprise resource planning Cloud Data model (GIS) Data (computing) Database Injection

Opinions expressed by DZone contributors are their own.

Related

  • What Is SQL Injection and How Can It Be Avoided?
  • Which Tool Is Better for Code Completion — Azure Data Studio or dbForge SQL Complete?
  • C# Applications Vulnerability Cheatsheet
  • Part 2 - How to Hive on GCP using Google DataProc and Cloud Storage

Partner Resources

×
Comments

The likes didn't load as expected. Please refresh the page and try again.

Let's be friends: