After Migrating from 12.2.1.4 OBIEE (Oracle Business Intelligence Enterprise Edition) to OAS (Oracle Application Server) 5.9 Selecting Parameter in Data Model Generates SQLInjection Error: Invalid Parameter Value (Doc ID 2849023.1)

Last updated on FEBRUARY 13, 2022

Applies to:

Symptoms

On : 12.2 version, Enterprise : Install / Upgrade

Oracle Analytics Publisher 12.2.5.9.0: SQLInjection Error

Migrated instance from OBIEE 12.2.1.4 to OAS 5.9 with Publisher 12.2.5.9.0.

This is related to data models with procedure call data sets.

This was worked prior to migrating.

In the Data Model for the report, define LOV (list of values) and Parameter.

Invalid error comes from the LOV string.

When selecting values, any values starting with insert or update in string fails.

For example:

The Department field has an LOV and has Parameters "Inside Prep" and "Insert Reclaiming" with LOV string.

After excluding these Parameters, the report is working fine.

However using insert or update in string generates the following error:



ERROR
-----------------------
Error:
SQLInjection Error: Invalid parameter value Insert Prep
Error Detail:
SQLInjection error: Invalid parameter value Insert Prep



Data Engine Log also shows:

STEPS
-----------------------
The issue can be reproduced at will with the following steps:

Log into Catalog -> Edit -> Select Data Model.

Select the Data Set.

Define LOV and Parameters -> Open -> View Data -> Select Parameter.

Error is observed.

Changes

Migrated from OBIEE 12.2.1.4 to OAS 5.9 with Publisher 12.2.5.9.0.

Cause

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.