29 Replies. Latest reply: Jul 21, 2006 2:03 AM by srhcompcon

    shipping code

    Farhan2
      If you are using htmldb to create commercial applications, how do you ship the application without making the code visible?

      Shipping the export file doesn't seem to be an ideal way of protecting the code.
        • 1. Re: shipping code
          VANJ
          Put all your code (processes, SQL queries, validations, computations, etc.) in PL/SQL packages and WRAP them.

          Thanks
          • 2. Re: shipping code
            Farhan2
            Wrapping the code for validations, computations and processes is straightforward. Taking the code for report regions and placing it in an external function/procedure is not so simple, as HTMLDB is expecting the code to be local to the page.

            Is there any way of placing report region code into external functions (i.e. the SQL function body returns the SQL query as a string type)?

            I still think the export/import utility should provide an option to export/import the contents of an app in encrypted format.
            • 3. Re: shipping code
              VANJ
              > taking the code for reports regions and placing them in an external function/procedure is not so simple as HTMLDB is expecting the code to be local to the page.

              Not true. You can build a report region based on

                  return my_pkg.query_string;

              On the Report Attributes, you could use the 'function body returning colon delimited headings' to get your headings in a similar way

                  return my_pkg.query_string_headings;

              > I still think the export/import utility should provide an option to export/import the contents of an app in encrypted format.

              Nah, it's not a big deal; if you put all your code in PL/SQL packages like, all that the export file "exposes" is the calls to your APIs. No harm in that, is there?
                • 5. Re: shipping code
                  Farhan2
                  Thanks for that...
                  I was putting the function name into the source and forgot the 'return'!!

                  Any ideas about the region source for an updateable report??

                  Also found that for an existing region you will need to ensure 'Use Generic Column Names' is checked.

                  Which company do you work for??
                  • 6. Re: shipping code
                    VANJ
                    > Also found that for an existing region will need to ensure the 'Use Generic Column Names' is checked.

                    There is a small quirk here. If your query string returns fixed column names, i.e. the column names are not dynamically built in the query string itself, you can still get away with using the named columns (not the generic ones) by doing

                        return /* select null from dual */ query_pkg.query_string;

                    That embedded comment somehow tricks the parser into digging into the query string and pulling out the column names (or something, never figured out quite how/why it works!).

                    > which company do you work for??

                    Send email to me at otn@vikas.mailshell.com to start a private conversation.

                    Thanks
                    • 7. Re: shipping code
                      Farhan2
                      That is an excellent trick!!!
                      Not sure how the hell you managed to work that out but I take my hat off to you...

                      Any ideas about what to do with an 'sql query updateable report' region type??
                      • 8. Re: shipping code
                        Farhan2
                        Vikas,

                        Wrapping the SQL queries for reports into functions will not really help, as you can run the function from the database and the return value will be the string containing the query???
                        • 9. Re: shipping code
                          VANJ
                          Man, you are really serious about security, aren't you?! :-)

                          Yes, that's right. Running the function from SQL*Plus will return the string containing the query.

                          But you can put additional logic in that function to make sure that it is being called from an authenticated session.
                          IF v('APP_USER') is null then return null; end if;
                          I think some of the HTML DB APIs do something similar to ensure that they function properly only when invoked from a valid HTML DB session.

                          So, if someone just tries to run the function from outside of a valid HTML DB session, it will not reveal your top-secret query!

                          Thanks.
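
Added example, not part of any post in this thread: the session guard from reply 9 applied to the report-region functions from reply 3. The names my_pkg, query_string and query_string_headings come from the thread; the helper in_htmldb_session, the emp query, the :P1_DEPTNO item and the wrap file names are assumptions made for illustration.

```sql
-- Added example (not the posters' code). Region source stays as in the thread:
--   return my_pkg.query_string;
CREATE OR REPLACE PACKAGE my_pkg AS
  FUNCTION query_string RETURN VARCHAR2;
  FUNCTION query_string_headings RETURN VARCHAR2;
END my_pkg;
/

CREATE OR REPLACE PACKAGE BODY my_pkg AS

  -- Hypothetical private helper: the check quoted in the thread.
  -- v('APP_USER') is NULL when there is no HTML DB session,
  -- e.g. when the function is called directly from SQL*Plus.
  FUNCTION in_htmldb_session RETURN BOOLEAN IS
  BEGIN
    RETURN v('APP_USER') IS NOT NULL;
  END in_htmldb_session;

  FUNCTION query_string RETURN VARCHAR2 IS
  BEGIN
    IF NOT in_htmldb_session THEN
      RETURN NULL;  -- do not reveal the query text outside a session
    END IF;
    -- Constructed sample query; :P1_DEPTNO is an assumed page item.
    RETURN 'select empno, ename, sal from emp where deptno = :P1_DEPTNO';
  END query_string;

  FUNCTION query_string_headings RETURN VARCHAR2 IS
  BEGIN
    IF NOT in_htmldb_session THEN
      RETURN NULL;
    END IF;
    -- Colon-delimited headings matching the three columns above.
    RETURN 'Emp No:Name:Salary';
  END query_string_headings;

END my_pkg;
/

-- Ship only the wrapped body (file names are placeholders):
--   wrap iname=my_pkg_body.sql oname=my_pkg_body.plb
```

The guard only stops direct calls made outside a session. As replies 10 and 11 note, anyone who can trace the session still sees the SQL that the region executes.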
                          • 10. Re: shipping code
                            60437
                            Also, only the parsing schema can run the function. And if that requirement can be met then the prober can also trace the session to see the SQL.

                            Scott
                            • 11. Re: shipping code
                              VANJ
                              > can also trace the session to see the SQL.

                              Good point. Just adding a &p_trace=YES to the end of the URL will enable the "prober" to see each and every SQL statement issued during show/accept processing, including those issued by your application as well as the HTML DB engine's SQL statements.

                              Oracle does not seem to think that allowing us to see each and every SQL statement HTML DB issues constitutes a breach of their IP (Intellectual Property). Why do you?

                              Just do what HTML DB does. Put all your business logic in PL/SQL packages, wrap them before shipping to your client, that's all. So what if a few SQL queries here and there are visible. Your data model is visible anyway!

                              Thanks.
                              • 12. Re: shipping code
                                60437
                                fyi, we don't allow tracing of the internal apps nor of any run_only applications.

                                Scott
                                • 13. Re: shipping code
                                  425953
                                  Farhan,

                                  In connection with releasing a commercial app, I am interested in how to actually release upgrades from previous releases of the same htmldb application. Is there a reasonable way to automate this (like an autoupdate proc/function)?

                                  Pete
                                  • 14. Re: shipping code
                                    VANJ
                                    Hm, that is an interesting idea.

                                    Could the app have a button that says "Check for updates"?

                                    The button would go to some URL that has a checksum of the full app export. It knows the checksum of the current application.

                                    If the checksum is different, fetch the full app export (.sql file) and run it to update the app.

                                    Is this kind of stuff possible? Has anyone done this?

                                    Thanks.