RE: [docent_users] Re: SCORM and sql injection error

Joe,

Thanks. I’ll take a look at those…

Robert

From:
docent_users@yahoogroups.com [mailto:docent_users@yahoogroups.com] On Behalf
Of Joe Kyle
Sent: Thursday, November 20, 2008 12:36 PM
To: docent_users@yahoogroups.com
Subject: [docent_users] Re: SCORM and sql injection error

Hi Robert,

I think you need hotfix 12023, and possibly 12238 might be helpful as
well. Both should be in the most recent aicc_scorm_cumulative_fixes
rollup hot fix.
--
Joe Kyle
--jjkd--

--- In docent_users@yahoogroups.com,
"Robert Taylor" <robertt@...>
wrote:
>
> I have an Reference Install of SP4 (binaries are 6.5.0_348145) and
a SCORM
> course created entirely in Flash. However, it is failing to execute
> properly and the log files are indicating a sql injection error
(see below).
>
>
>
>
>
>
> 2008-11-20 19:53:46 [0xfec] (1) Possible SQL injection attack
detected for
> the following SQL statement(DECLARE
>
> longVar0 long default
>
> '({student_data:{mastery_score:"70"}, .})';
>
> BEGIN
>
> UPDATE DRAICCOptionalDataElement SET optional = longVar0
>
> WHERE learningActivityTranscriptID = 4401 AND systemID = 'A1';
>
> END;)
>
> 2008-11-20 19:53:46 [0xfec] (12) Script log
> lib/dbobject.jsm(341):catcher.sendResponseSCORM=(error=-
1&error_text=Javascr
> ipt%20exception%3A%20lib%2Fdatabase.js(147)%3A%20Unknown%20Error%20
(Invalid%
> 20SQL%20detected)&version=3.4&aicc_data=)
>
>
>
>
>
> I know this is related to the change that was made in hotfix 11840
to
> prevent SQL injection by stopping any Oracle code that had semi
colons in it
> from executing against the database, but this is the first SCORM
course I've
> seen fail under this environment.
>
>
>
> Has anyone seen this before with SCORM courses?
>
>
>
>
>
> Thanks,
>
>
>
> Robert
>