
After Migrating from OBIEE (Oracle Business Intelligence Enterprise Edition) to OAS (Oracle Application Server) 5.9 Selecting Parameter in Data Model Generates SQLInjection Error: Invalid Parameter Value (Doc ID 2849023.1)

Last updated on FEBRUARY 13, 2022

Applies to:

BI Publisher (formerly XML Publisher) - Version 12c and later
Information in this document applies to any platform.


On : 12.2 version, Enterprise : Install / Upgrade

Oracle Analytics Publisher SQLInjection Error

Migrated instance from OBIEE to OAS 5.9 with Publisher

This is related to data models with procedure call data sets.

This worked prior to migrating.

In the Data Model for the report, define LOV (list of values) and Parameter.

The invalid parameter error comes from the LOV string.

When selecting values, any value whose string starts with insert or update fails.

For example:

The Department field has an LOV and has Parameters "Inside Prep" and "Insert Reclaiming" with LOV string.

After excluding these Parameters, the report is working fine.

However, using insert or update in the string generates the following error:

SQLInjection Error: Invalid parameter value Insert Prep
Error Detail:
SQLInjection error: Invalid parameter value Insert Prep

Data Engine Log also shows:

The issue can be reproduced at will with the following steps:

Log into Catalog -> Edit -> Select Data Model.

Select the Data Set.

Define LOV and Parameters -> Open -> View Data -> Select Parameter.

Error is observed.
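The symptom above (values rejected only when they start with insert or update) is what a keyword-prefix check on parameter values produces. The following is an added example, not code from Oracle or from this document: `naive_check` is a hypothetical stand-in for such a check, the table and headcounts are constructed sample data, and SQLite is used only so the example runs offline. It shows the false positive next to a bound parameter, which handles the same values as data.

```python
import re
import sqlite3

# Hypothetical keyword-prefix check. NOT Oracle's implementation; it only
# reproduces the symptom: values starting with insert/update are rejected.
BLOCKED_PREFIX = re.compile(r"^\s*(insert|update)\b", re.IGNORECASE)

def naive_check(value):
    """Reject any parameter value whose text starts with a DML keyword."""
    if BLOCKED_PREFIX.match(value):
        raise ValueError(f"SQLInjection error: Invalid parameter value {value}")

def classify(values):
    """Map each value to True if the naive check rejects it, else False."""
    result = {}
    for value in values:
        try:
            naive_check(value)
            result[value] = False
        except ValueError:
            result[value] = True
    return result

def build_db():
    """Constructed sample data using the department names from the text."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE dept (name TEXT PRIMARY KEY, headcount INTEGER)")
    conn.executemany(
        "INSERT INTO dept VALUES (?, ?)",
        [("Inside Prep", 12), ("Insert Prep", 7), ("Insert Reclaiming", 4)],
    )
    return conn

def headcount_bound(conn, dept_name):
    """Pass the LOV value as a bind variable: it is data, never SQL text."""
    row = conn.execute(
        "SELECT headcount FROM dept WHERE name = ?", (dept_name,)
    ).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    conn = build_db()
    lov = ["Inside Prep", "Insert Prep", "Insert Reclaiming"]
    for value, rejected in classify(lov).items():
        status = "rejected by keyword check" if rejected else "accepted"
        print(f"{value!r}: {status}; bound query -> {headcount_bound(conn, value)}")
```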


Migrated from OBIEE to OAS 5.9 with Publisher

