SQLInjectionError DML/DDL Operations Not Allowed In BIP 12c (Doc ID 2693837.1)

Last updated on SEPTEMBER 22, 2023

Applies to:

Symptoms

On : 12.2.1.4.0 version

When running reports directly from BI Publisher application the following error occurs:

[2020-07-09T11:34:16.013+03:00] [bi_server1] [NOTIFICATION] [] [oracle.xdo] [tid: 1507] [userId: <anonymous>] [ecid: e65e2953-73e2-4f84-9554-8268c1b26ff2-00002ce1,0:26] [APP: bipublisher] [partition-name: DOMAIN] [tenant-name: GLOBAL] [SI-Key: ssi]  [200709_11340016][dp id:1555815887][sch info:]SQLInjection Error: DML / DDL Operations not allowed... INSERT[[

]]
[2020-07-09T11:34:16.013+03:00] [bi_server1] [NOTIFICATION] [] [oracle.xdo] [tid: 1507] [userId: <anonymous>] [ecid: e65e2953-73e2-4f84-9554-8268c1b26ff2-00002ce1,0:26] [APP: bipublisher] [partition-name: DOMAIN] [tenant-name: GLOBAL] [SI-Key: ssi]  [200709_11340016][dp id:1555815887][sch info:]oracle.xdo.XDOException: oracle.xdo.dataengine.datasource.plugin.DataAccessException: SQLInjection Error: DML / DDL Operations not allowed[[
    at oracle.xdo.dataengine.datasource.NSQueryStatement.<init>(NSQueryStatement.java:56)
    at oracle.xdo.dataengine.datasource.DataSetStatement.createDataSetStatement(DataSetStatement.java:88)
    at oracle.xdo.dataengine.XMLPGEN.processNSQuery(XMLPGEN.java:2921)
    at oracle.xdo.dataengine.XMLPGEN.processMergedDataSet(XMLPGEN.java:1944)
    at oracle.xdo.dataengine.XMLPGEN.processMergedDataSet(XMLPGEN.java:3601)
    at oracle.xdo.dataengine.DataProcessor.processData(DataProcessor.java:386)
    at oracle.xdo.servlet.dataengine.DataProcessorImpl.processData(DataProcessorImpl.java:310)
    at oracle.xdo.servlet.dataengine.DataProcessorImpl.render(DataProcessorImpl.java:687)
    at oracle.xdo.servlet.ReportModelContextImpl.getReportXMLData(ReportModelContextImpl.java:416)
    at oracle.xdo.servlet.ReportContextImplV2.getReportXMLData(ReportContextImplV2.java:167)
    at oracle.xdo.servlet.CoreProcessor.process(CoreProcessor.java:537)
    at oracle.xdo.servlet.CoreProcessor.generateDocument(CoreProcessor.java:109)
    at oracle.xdo.servlet.ReportImpl.renderBodyHTTP(ReportImpl.java:1435)
    at oracle.xdo.servlet.ReportImpl.renderReportBodyHTTP(ReportImpl.java:397)
    at oracle.xdo.servlet.resources.ReportItemServiceImpl$ReportItemRunner.call(ReportItemServiceImpl.java:113)
    at oracle.xdo.servlet.resources.ReportItemServiceImpl$ReportItemRunner.call(ReportItemServiceImpl.java:78)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:748)
Caused by: oracle.xdo.dataengine.datasource.plugin.DataAccessException: SQLInjection Error: DML / DDL Operations not allowed
    at oracle.xdo.dataengine.diagnostic.ExceptionHandler.createExceptionMsg(ExceptionHandler.java:146)
    at oracle.xdo.dataengine.diagnostic.ExceptionHandler.createException(ExceptionHandler.java:154)
    at oracle.xdo.dataengine.util.SQLUtil.checkForDMLKeyWords(SQLUtil.java:551)
    at oracle.xdo.dataengine.datasource.plugin.sql.NSQueryDataSet.validateQueryForSQLInjection(NSQueryDataSet.java:504)
    at oracle.xdo.dataengine.datasource.plugin.sql.NSQueryDataSet.setQueryString(NSQueryDataSet.java:96)
    at oracle.xdo.dataengine.datasource.NSQueryStatement.initDataSet(NSQueryStatement.java:120)
    at oracle.xdo.dataengine.datasource.NSQueryStatement.<init>(NSQueryStatement.java:53)
    ... 19 more

Changes

SQL INSERT statements are used in these BIP reports in 11g environment. These reports have been successfully migrated from 11g(11.1.1.7.1) to 12c (12.2.1.4.0) and they are working fine in 11g. Reports are throwing this error in 12c environment.

Cause

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.