Roads ? - where we're going, we don't need roads ...
Oracle News Aggregator | ORA600
Oracle News Aggregator

Hotsos 2010 - Day 3 - An excellent one (part 2)

In the end my work call fell through so I had the unexpected opportunity to see Marco Gralike's XML presentation. Despite the fact that he was scheduled opposite Tanel Poder talking about performance fundamentals, which impacted the number of attendees, I thought it was terrific. I had my own brief flirtation with XML around 10 years ago but, contrary to my expectations, there was lots for me to learn here and it was interesting to see how much more mature Oracle's offering is these days. I suppose 10 years is a long time, but a lot has happened while my back was turned.

The slides were excellent, the pace was good (although he did run over a little) and I could actually understand what he was saying for a change ;-) I walked away very impressed and when I was talking to a couple of his attendees at the bar later, it seems I wasn't the only one.

Another unexpected bonus was that Henry Poras had to cancel for personal reasons and although I was extremely disappointed by that because we share interests, replacements don't come much better than former Sun luminary Bob Sneed, who is now an independent consultant, available for hire.

His presentation was about one of his favourite topics, CPU Quality of Service. Rather than just measuring how much CPU is available or being used, we need to drill down into how it is being used. Even a 100% busy system does have available CPU really when you think about it, because if we could make our application more efficient, that would release CPU or perhaps we're exceeding our SLAs and could reduce CPU consumption and still reach our SLA targets?

But, most of all, it's about the quality of the resource delivered to applications that need it. He walked through a number of case studies of 4x to 16x system performance improvements, some as simple as changing scheduling strategies and some down to bug fixes or application architecture tweaks to improve Cycles Per Instruction (CPI) figures. Chip architectures seem complex these days so although the O/S thinks the CPU is busy, who knows what it's busy doing?

My final presentation of the day was Kerry Osborne's Scripts. I enjoyed his presentation as much as I enjoy his blog posts. He's a very down-to-earth and modest guy but clearly has shed-loads of practical experience and a great way of communicating it. He was bothered a little by a slightly slow network connection but, frankly, I don't know what he was whining about. That man has no idea what a demo problem is! ;-) I really liked his attitude towards his scripts, too - take them, use and abuse them, knock yourself out! Well, his scripts have helped me many times over the past year. A good guy.

After that, I was just about ready for a beer so adjourned to the bar with Marco hoping to catch up with Kerry and buy him a beer I'd promised him. It was 4:30 at this stage and I lazily decided to skip the last session. The usual daily tiredness was starting to kick in which wasn't helping but, in retrospect, curing it with alcohol probably wasn't the smartest strategy! Carol Dacko and Kevin Closson showed up and it was good to get another chat with them because I don't get to see either of them often. Kerry turned up eventually and, although I may have bought him that promised drink, I'd have to admit that he did all the leg-work by going to the bar and bringing a large round of drinks back. Saved me a trip ;-)

Slowly it began to dawn on me that my planned trip back to my room to freshen up and change before the party was in jeopardy as the clock ticked around until 7:30 and I noticed Kyle Hailey's other half unbuttoning his shirt to the navel in preparation for Disco Night. (Check the start time above - 3 hours drinking *before* the party and, as usual, no food.) It's little wonder that I was quite as drunk as I was, unusually so, believe me. Although I think I just about managed to behave myself, it was a close-run thing. As I pointed out to Alex and Marco, you always know when a Scotsman is truly drunk because he starts declaring his undying love for all and sundry. I think at one point I was actually trying to seduce Alex, but he was having none of it! Oh, my god, I think I was dancing for a few minutes!

Time to draw a discreet veil over the day, I reckon.

Liveblogging at confoo: Can Twitter make money?

subtitle: Monetizing Social Media

Why is social media and social networking essential to you and your business? (because it will drive sales, but there’s very few analytics for ROI on social networking and social media)

Relying on advertising is no longer working for print newspapers and television. So why do we think it will work on internet media?

Blogging — you must post 2-4 quality blog posts every week to maintain readership. This takes a lot of work! Content is king.

No matter how cool the technology/product/service is, people still buy more often and more easily from people they know and trust.

Social media is a way to show people that you are an industry expert, and that is how you should use them (not to spam and only say “buy my product”).

If you do not love your job and try to sell it (say, on social networking), you are going to fail, because you are not passionate about it.

Start small, do not promise a lot, it is better to have more to say than to have dead air time (radio analogy).

Social media is all about building good relationships by having good content that people trust.

Lots of people spend a lot of money on their website, but the website is just a vector to show people your content, and the content is the most important thing.

Cross-pollination – I think he means forward on information you learn (like, say, liveblogging!)

Get expert guest bloggers — he did not explain that you can leverage the relationships you form by asking them to blog. We do this with the Log Buffers….

How to make money:
sponsorships
white paper composition
paid articles
consulting
adjunct tie-ins to other related venues
branded blogs

I am personally disappointed because I wanted to learn more, and I feel as though Pythian already uses the knowledge presented — we have great exposure through our blog, and have started really using Twitter, Facebook and other social media sites, etc.

Hansen’s information was good, and absolutely 100% correct, but I felt that for me it was very basic. I would like to know some more advanced topics, like:
- How do you know when you have reached the tipping point?
- How do you convert anonymous readers/followers to people you know, without turning them away because they feel they’re being watched, spammed or don’t want to give out their info to you?
- When does copy/paste to send out your information start to bother people, how do you know how not to do too much?
- How do you convert readers/followers (anon or not) to paid customers without making them feel like you’re all about $$, what about if you have some free content and some paid content, how do you know how much to have?

Things you have in common with Larry


Larry and I have something in common -- We both like sailing!
I prefer catamarans to trimarans, but hey all those design experts were proven right - the BMW ORACLE Racing Trimaran [BOR90] is arguably the fastest sailing boat ever built. I did a lot of sailing back in Australia where I owned a small cat. In fact a good mate of mine Kevin Crowley of Pacific DBMS (free plug least I could do ... and they offer APEX Consulting services as well) still has it in his back yard.

Now something else Larry and I have in common - We both like Application Express.
Larry has been a big supporter of Application Express since the beginning.
Sergio Leunissen, former APEX PM and now in the Linux group, developed an APEX application for the BMW ORACLE Racing team when they first started out years ago.
Again with the 33rd America's Cup challenge the team used APEX together with Data Mining to support the team.

Listen to this podcast from Ian "Fresh" Burns, design coordinator for the team on how Oracle technology helped the team to win the America's Cup: http://feedproxy.google.com/~r/OracleDatabaseInsider/~5/nussC-gxZFQ/8576609_Ian_Burns_030810.mp3

Cheers,
David

On my way to NZOUG…

Today is the day I fly to New Zealand to present at the NZOUG conference.

I got to the airport 2 hours before the flight as usual, but I’ve been here 3 hours already and I’ve still not boarded the plane. I have a long wait at Dubai, so this delay shouldn’t affect my connection. It’s 7 hours from Birmingham to Dubai, then 18 hours (including a fuel stop in Melbourne) to Auckland. I have a feeling I’ll look like “Dawn of the Dead” when my friend picks me up from Auckland Airport. I’ve not even started yet and I’m already kinda nervous. The thought of 18 hours on a plane is really getting to me. I only hope I can get some sleep on this trip.

It’s about 5 minutes to boarding now so I need to go through my last minute panic session before getting on the plane. :)

If there is ever another blog entry it means I made it. If not, it was nice knowing you all…

Cheers

Tim…

Oracle Online Demos and Tutorials

I am sure most of you are already familiar with these resources, but sometimes we all forget where to look for quick help when it is really needed.

I find these demos and tutorials very valuable. You can quickly find out what needs to be done to successfully implement a particular feature without spending too much time digging through Oracle documentation and other resources (of course, I strongly recommend reading the Oracle documentation before doing anything).

You can find them at Online Demos and Online Tutorials.

Oracle 11g R2 is also included.




Everything is a Bit Bucket

By: Michael O'Neill
@oraclenude
oraclenude.crisatunity.com

In response to Chet's frustration over yet another encounter with a database agnostic, I wanted to contribute my first article to the oraclenerd franchise. My thoughts seemed too long for the comment stream.

I ascribe the kernel of thought behind "the database is a bit bucket" primarily to each and every database vendor that ever existed. Every database vendor, in an effort to persuade users of competitive products to adopt their product, has participated willingly in espousing some core aspect of how "same as the other guy" their product is in addition to whatever differentiation pitch they have.

Now, the generally weak-minded and lazy developer (yes, I think the majority of developers are in fact weak-minded and lazy) latches on to the vendor's selective "sameness" claims for professional and personal reasons. (full disclosure: I am both an Oracle DBA and .NET developer)

Professionally, because they are financially invested in writing third-party code not database code. To them, the less they spend learning and understanding the particulars of things like databases, operating systems, networks, human beings, etc. the better. Personally, because there is a dominant thread in the culture of developers to dismiss the database as interesting or meaningful. It is a form of heresy to show affection towards any platform in any specificity.

This is why Java's Big Lie of "write once, run anywhere" swoons so many. Java's Big Lie is analogous to "the database is a bit bucket" by declaring that even the language of software code should be as absolutely interchangeable as possible - even at the expense of being cost-effective or useful. There is an unquestioned faith that decoupling everything from everything is a good thing. This faith gives us code that is as far from the simplest thing that could work from the first moment writing the code is undertaken. It is a faith I reject. That's why I'm an ORACLENERD.

P.S. I know oraclenude and oraclenerd is confusing. It's supposed to be.


Hotsos 2010 - Day 3 - An excellent one (part 1)

Well, that was a nice start to the day! Someone came up to me just before Wolfgang Breitling's presentation to point out that something from my presentation had helped him fix a problem at work last night. It was the OEM Raw Data drill-down that shows you the underlying ASH data for sessions, including backgrounds. He'd used it to identify the timed event leading up to a problem with a crashing smon process. Actually, the more people I speak to, the more I get over the presentation. Most people recognised I made the best of a bad situation but I'm glad that someone actually learned something, too!

Wolfgang's "Anatomy of a SQL Tuning Session" was one that I managed to miss at UKOUG and I'm glad I made it this time. It revolved around taking a single SQL statement that took 9 minutes to execute and walking through various tuning iterations, using modern tools and optimiser possibilities, leading to a sub-second execution time. It was a natural extension of Wolfgang's Tuning by Cardinality Feedback that I've often recommended to colleagues. He covered a variety of techniques including :-

- Converting parts of the statement to scalar sub-queries
- Subquery factoring
- Transitive closure, with a useful tip that it may be worth experimenting with specifying apparently redundant join predicates to give the optimiser more information to work with.
- Using the Outline part of 10g DBMS_XPLAN to identify the set of hints that would create a specific plan and then using some of them yourself (but this is far easier if you name your query blocks).

What I particularly liked about this presentation was the way that Wolfgang illustrated execution plan steps and changes with some nice slides, highlighting a few steps at a time. But it made me feel a lot better about my mobile phone going off the previous day when Wolfgang's *own* mobile went off during this one ;-)

Next up was Neil Gunther with "How to Quantify Oracle Scalability - Part 1", a presentation about applying his Universal Scalability Law (USL) to Oracle systems. There were quite a few high-level points I picked up from this.

People often assume that the purpose of a model is purely to predict the future but it's probably just as (or more) useful as a method of validating test results because in his view 'Data comes from the devil and models come from god'. I'm not sure I agree with that. Test results, even incorrect results, represent reality to me that can't just be explained away by Maths which doesn't agree with them but I suspect that's my peculiar perspective. I much preferred the suggestion that we use models and data together because, whilst he might not trust my data, maybe I don't trust his model yet?

He talked about how the USL allows for the phenomenon of reduced throughput as workload increases which is something I think I've seen before by adding Coherency to Amdahl's Law. The USL is definitely worth more investigation. As a non-mathematician, though, I suspect I always struggle with this stuff.

Which was why I was *so* relieved that I made the tough decision to skip Riyaj's presentation and stayed for the second part of this two-hander by Peter Stadler - "How to Quantify Oracle Scalability - Part 2". This was a more practical examination of the USL in relation to Oracle systems and as someone who is very interested in performance in general and the relationship between Response Time and Throughput in particular, this hit the spot. What was slightly bizarre, though was when I recognised the URL for this blog post and the test results come up on screen. I think I'm right to say that this is the second consecutive Hotsos Symposium where this one post has been discussed (by Cary Millsap last year) so I must be doing something right ;-)

Peter spent the next 20 minutes or so talking about some of the comments on the post and plugging the results into the USL. I must admit to being slightly surprised by the fact that Peter didn't think to drop me a mail to let me know he was going to talk about it so much because I might have missed it and it was fascinating! He talked about the lack of detail in the results, but that was because the blog post had an extremely simple message - are you looking for High Throughput, Low Response Times or both? Regardless, if he'd asked me, I could have given him some more information to work with. For example, there was some discussion about measurement errors in data and performing multiple runs to address that which is something I did, but only published one set of fairly representative results.

So it was all a bit strange and unexpected, but utterly fascinating to see someone apply a mathematical approach to my empirical results. I hope that Peter might post the slides and add a URL to the blog post so that everyone can share what he found. I think that's the point of the comments thread and of blogging in general - sharing information and knowledge and building a discussion.

Next I managed to eat a little bit of much-needed lunch with Paul Matuszyk and then had to get ready for my important work call.

Approaches for Discovering Security Vulnerabilities in Software Applications

Hello, this is Denis Pilipchuk again.

Hearing about a critical security issue in a product is one of the most feared situations for a product manager. Vulnerabilities, in addition to compromising the security postures of customers using the affected products, impact the bottom line of software vendors as a result of the direct costs associated with the release of the patches, as well as indirect costs generated by customer lack of confidence.

In a previous blog entry, Darius Wiles explained that a majority of security defects in Oracle software are detected and fixed without ever reaching customers. This is because Oracle's goal is to provide security defect-free products, and it has significantly invested in various security tools and programs to achieve that goal. Apart from the efforts of the Ethical Hackers from Oracle's Global Product Security (GPS) team, the development teams at Oracle have several additional resources available to them.

Regular code reviews are the front line of defense when attempting to prevent vulnerabilities in released software. While regular code reviews may not catch every vulnerability, especially the most complex design issues, they do provide an effective safeguard against such pesky errors as improper checks for boundary conditions and failures to release resources and handle exceptions, and they help verify general adherence to the product's design specifications (including its security part). This activity may be carried out in different ways: by outside consultants or by the development teams themselves. Key success factors in the effectiveness of regular code reviews are the technical expertise of the reviewers and their understanding of the product type they review. In Oracle's experience, it generally works best when product teams are deeply involved with the reviews themselves, because they have the most direct knowledge of the code base and the new features being introduced. Of course, reviewers need to be knowledgeable in security coding, and their expertise must be maintained through ongoing security training. In addition, as much as possible, case-based training is desirable, so as to expose reviewers to the proper context of their job.

The second line of defense involves the use of various code analyzers. Code analyzers should be used regularly during the entire development lifecycle. In fact, the use of these tools should be encouraged as soon as there is buildable code checked into the source repository. The tools should then be used regularly, for example with nightly builds, or separately and with less frequency for larger products. Typically, these tools trace inputs (sources) and outputs (sinks) to analyze control flow and the propagation of "tainted" data through different code paths in the tested software, and check more general code quality issues (like exception handling and hardcoded passwords) along the way. It is least expensive to fix issues when vulnerabilities are discovered at this stage, because doing so only requires filing a bug against a developer and producing a code fix.

Choosing the right tool for the job is extremely important. The tool needs to provide appropriate coverage across the different languages (like Java, C/C++) and technologies (like Adobe Flash). We have found that tools are not necessarily equally efficient on all languages and platforms: a tool that works great on C/C++ does not necessarily perform appropriately for Java, even if it claims to support it.

Unfortunately, not all classes of security vulnerabilities (and definitely not instances) can be found using static analysis tools. While these tools can usually discover certain classes of security vulnerabilities (such as Buffer Overflows, Cross-site scripting, and SQL Injection) pretty effectively, they are not helpful for other classes of issues, especially those related to weak design choices, such as key and credentials storage. Furthermore, all static code analyzers by design tend to be verbose and suffer from a significant number of false positives. "Training" static analysis tools to reduce false positives is usually possible, but this requires significant time and investment.

Another issue with static analysis tools is related to "false negatives", i.e. instances where the tools report the code to be secure when it isn't. Recent research, including the SATE project by NIST, reported that static analysis tools from all of the participating major vendors generated a significant (up to 50%) level of false negatives. While the exact percentage of false negatives may be the subject of endless controversy, it is clear to me that, as a matter of good security development practice, static analysis tools should be supplemented by dynamic testing in order to reduce the number of vulnerabilities in complex software.
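A minimal source-to-sink taint tracker in the spirit of the code analyzers described above, added here as an illustration (it is not Oracle's tooling or code from the original post). The source, sink and sanitizer names and the sample program are assumptions constructed for the example; the last sample statement shows a false negative, because this tracker does not model data stored in containers.

```python
import ast
import re

# Assumed names for this example only: where untrusted data enters, where it
# must not arrive unsanitized, and which call cleans it.
SOURCES = {"read_request_param"}
SINKS = {"execute"}
SANITIZERS = {"escape_sql"}
SECRET_NAME = re.compile(r"password|passwd|secret", re.I)

# Constructed code under analysis (only parsed, never executed).
SAMPLE = '''\
name = read_request_param("name")
query = "SELECT * FROM users WHERE name = " + name
db.execute(query)
safe = escape_sql(read_request_param("id"))
db.execute("SELECT * FROM t WHERE id = " + safe)
DB_PASSWORD = "constructed-example-value"
cache = {}
cache["q"] = read_request_param("q")
db.execute("SELECT " + cache["q"])
'''


def call_name(node):
    """Name of the called function or method, or None if it is not a plain name."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


def is_tainted(expr, tainted):
    """True if the expression can carry data from a source."""
    if isinstance(expr, ast.Call):
        name = call_name(expr)
        if name in SANITIZERS:
            return False
        if name in SOURCES:
            return True
        return any(is_tainted(arg, tainted) for arg in expr.args)
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    # Concatenation, f-strings, etc.: tainted if any sub-expression is.
    return any(is_tainted(child, tainted)
               for child in ast.iter_child_nodes(expr)
               if isinstance(child, ast.expr))


def analyze(source):
    """Return findings as (line, rule, name) for straight-line top-level code."""
    findings, tainted = [], set()
    for stmt in ast.parse(source).body:
        if isinstance(stmt, ast.Assign):
            value_tainted = is_tainted(stmt.value, tainted)
            for target in stmt.targets:
                if not isinstance(target, ast.Name):
                    continue  # subscripts/attributes are not modelled: false-negative risk
                if value_tainted:
                    tainted.add(target.id)
                else:
                    tainted.discard(target.id)
                if (SECRET_NAME.search(target.id)
                        and isinstance(stmt.value, ast.Constant)
                        and isinstance(stmt.value.value, str)):
                    findings.append((stmt.lineno, "hardcoded-credential", target.id))
        for node in ast.walk(stmt):
            if isinstance(node, ast.Call) and call_name(node) in SINKS:
                if any(is_tainted(arg, tainted) for arg in node.args):
                    findings.append((node.lineno, "tainted-sink", call_name(node)))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(finding)
```

The flow on sample line 9 is real but goes unreported, which is the kind of gap dynamic testing is meant to cover.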

Dynamic testing tools such as blackbox and graybox testing applications, and various types of fuzzers, comprise the third line of defense. These tools are executed against a running product instance (or a group of products), and as a result, can only be utilized toward the end of the product release cycle, when QA testing begins. All of those tools are based on a similar principle - they mimic the behavior of a rogue client and use a variety of pre-built known attack patterns to hit the server's exposed network interfaces with one or more malicious exploits, checking return values (or their absence) to find out whether the attack was successful. Note that proper care should be exercised when using these tools because, among other things, they can actually trigger alerts with the IT security staff. This is because the use of dynamic testing tools, from an Intrusion Detection System perspective, can look like a real attack.

Graybox tools have the added advantage of knowing the "internals" of the applications being tested: they can instrument the application during the build to add realtime monitoring of their behavior during a simulated attack. Blackbox and graybox testing for assessing web applications usually takes place over the HTTP/HTTPS protocol. There exists an overlap between the classes of security issues that can be checked by Web application dynamic assessment tools and those that can be discovered by static tools. However, dynamic tools usually report additional vulnerabilities, not generally caught by static analyzers, because in practice it is impossible to analyze all execution paths within the application for every possible permutation of input data. In addition, unlike static code analyzers, which often report on only theoretically exploitable issues, dynamic tools tend to result in more precise and practical reports. Although not 100% false positive-free, dynamic tools usually provide clearer information, showing request path and parameters that lead to the vulnerabilities.

Fuzzers constitute a special subcategory of dynamic tools and are typically used for protocol-level verification. Fuzzers are designed to break a server by submitting permutations for a valid message to see whether one of them will cause an unexpected/undesirable behavior such as a denial of service. Typically, fuzzers operate at a lower, protocol level, than blackbox Web application testing tools, which work at the application level. Specialized fuzzers are available for pretty much any well-known protocol (such as HTTP, FTP, SOAP, etc.), as well as custom frameworks for developing new ones. Protocol-specific fuzzers generally possess a great deal of intelligence about the protocol they're designed to test, and its message structure, checksums, and features. This results in better, more intelligent testing of the targeted protocol, whereas lower-level fuzzers (for example - PCAP fuzzer) do not have that knowledge and often try to change data blindly (or depend on the tester to define the anomalies).
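The difference between a blind fuzzer and a protocol-aware one, shown in-process against a toy parser; this is an added example, not code from the original post. The frame format (magic, type, length, payload, additive checksum), the handlers and the seed message are all constructed for the illustration.

```python
"""Blind vs. checksum-aware mutation of a toy framed message (constructed format)."""

MAGIC = b"OM"                                   # hypothetical 2-byte magic
BOUNDARY = (0x00, 0x01, 0x7F, 0x80, 0xFF)       # boundary values used for mutation


class FrameError(Exception):
    """Expected, handled rejection of a malformed frame."""


def build_frame(msg_type, payload):
    # magic | type | length | payload | checksum (sum of previous bytes mod 256)
    body = MAGIC + bytes([msg_type, len(payload)]) + payload
    return body + bytes([sum(body) & 0xFF])


def parse_frame(data):
    """Framing checks only; returns (type, payload) or raises FrameError."""
    if len(data) < 5 or data[:2] != MAGIC:
        raise FrameError("bad magic or short frame")
    if len(data) != 4 + data[3] + 1:
        raise FrameError("length mismatch")
    if sum(data[:-1]) & 0xFF != data[-1]:
        raise FrameError("bad checksum")
    return data[2], data[4:-1]


def handle_list_buggy(payload):
    # Defect under test: trusts the count byte without checking the payload size.
    return [payload[1 + i] for i in range(payload[0])]


def handle_list_checked(payload):
    # Corrected handler: the count must match the bytes actually present.
    if not payload or payload[0] != len(payload) - 1:
        raise FrameError("count does not match payload")
    return list(payload[1:])


def blind_mutants(frame):
    """Protocol-unaware: XOR one byte anywhere in the frame, fix nothing up."""
    for pos in range(len(frame)):
        for mask in (0x01, 0x80, 0xFF):
            mutated = bytearray(frame)
            mutated[pos] ^= mask
            yield bytes(mutated)


def aware_mutants(msg_type, payload):
    """Protocol-aware: mutate only the payload, then rebuild length and checksum."""
    for pos in range(len(payload)):
        for value in BOUNDARY:
            mutated = bytearray(payload)
            mutated[pos] = value
            yield build_frame(msg_type, bytes(mutated))
    for cut in range(len(payload)):             # truncated payloads
        yield build_frame(msg_type, payload[:cut])


def run(mutants, handler):
    """Return (sent, passed framing checks, unhandled exceptions in the handler)."""
    sent = reached = crashes = 0
    for frame in mutants:
        sent += 1
        try:
            msg_type, payload = parse_frame(frame)
        except FrameError:
            continue                            # rejected cleanly at the framing layer
        reached += 1
        try:
            if msg_type != 1:
                raise FrameError("unknown type")
            handler(payload)
        except FrameError:
            pass                                # handled rejection, not a defect
        except Exception:
            crashes += 1                        # unhandled exception: a finding
    return sent, reached, crashes


SEED_PAYLOAD = bytes([2, 0x41, 0x42])           # count=2, then two item bytes
SEED_FRAME = build_frame(1, SEED_PAYLOAD)

if __name__ == "__main__":
    print("blind, buggy handler :", run(blind_mutants(SEED_FRAME), handle_list_buggy))
    print("aware, buggy handler :", run(aware_mutants(1, SEED_PAYLOAD), handle_list_buggy))
    print("aware, fixed handler :", run(aware_mutants(1, SEED_PAYLOAD), handle_list_checked))
```

Every blind mutant is stopped by the magic, length or checksum check and never exercises the handler, while the aware mutants all reach it and expose the unchecked count.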

For a number of years, Oracle has been investing a lot of time and money in deploying various tools to catch security problems before software is released to customers. Furthermore, most recently, we have observed that a growing number of customers' security teams have started running their own assessment tools, utilizing many of the same tools Oracle has been using. I feel that the growing adoption of these tools by customers will put additional pressure on those vendors who may not have yet adopted robust secure development practices. The proper use of a combination of tools, people, and processes demonstrates due diligence in establishing and running an efficient security assurance program and ultimately a commitment to the security posture of customers. The proper use of security tools is an integral part of this commitment.


Liveblogging: HTML5 – Confoo Keynote

What is confoo? It is the sequel to the PHP Québec Conference (2003 – 2009). This year PHP Québec decided to team up with Montreal-Python, W3Québec and OWASP Montréal to produce confoo.

And now, on to Mark Pilgrim of Google speaking on HTML5.

Timeline
1991 – HTML 1
1994 – HTML 2
1995 – Netscape discovers web, ruins it
1996 – CSS1 + JavaScript
1996 – Microsoft discovers web, ruins it
1997 – HTML4 + ECMAScript1
1998 – CSS2 + ECMAScript2 + DOM1
2000 – XHTML1 + ECMAScript3 + DOM2
2001 – XHTML 1.1
[long break!]
2009 – HTML 5 + ECMA5 + CSS 2.1

HTML5 is not a spec, it’s a marketing term. It’s really HTML5 + CSS3 + JavaScript.

IsHTML5ReadyYet.com and IsHTML5Ready.com are both real websites that give different answers to the question “is HTML 5 ready?”

Semantics
HTML started as a semantic language (until Netscape came along).

New elements (html tags) that do not do anything – they are for semantic use only:

<header> <footer> <section> <article> <nav> <aside> (pull quotes and such) <time> (datetime markup) <mark> (marking up runs of text) <figure> <figcaption>

Instead of “div class=_____” use these tags….for example:

<body>
  <header>
    <hgroup>
      <h2>page title</h2>
      <h3>page subtitle</h3>
    </hgroup>
  </header>
  <nav>
    <ul>
      Navigation...... .....
    </ul>
  </nav>
  <section>
    <article>
      <header>
        <h2>Title</h2>
      </header>
    </article>
  </section>
</body>

Caveat: This doesn’t work in IE but there is a workaround…..

This can help blind people navigate better….and bots too!

“Google is just another blind web user with 7 million friends”

Forms
Web forms 2.0
To make a slider from 0-50:

<input type='range' min='0' max='50' value='0'>

To use autofocus:

<input autofocus>

(works in 3 browsers)

Talking about blind users again: “Focus tracking is VERY important if you can’t see. You really need to know where on the page you are, if you start typing what will happen.”

Placeholder text — in a text box, that light text that goes away when you click:

<input type='text' placeholder='click here and this will disappear'>

(works in 2 browsers)

New input types
These are semantic types, do different things in different browsers

<input type='email'> (on the iPhone you get a different keyboard; by default you just get a text field, so these things degrade gracefully if the browser does not support the feature)
<input type='url'> (a browser like Opera [http://www.opera.com] can validate a URL for you instead of you doing it yourself!)
<input type='datetime'> (and more... date pickers are tedious)
<input type='file' multiple> (multiple files without using Flash!)

For all the inputs HTML5 supports and which browsers support them (Opera is leading the way) search for “HTML5 input support”

Accessibility
ARIA = “accessible rich internet applications”. Alt-text is technology that’s long behind. ARIA does stuff like making tree views accessible. For example, right now with a tree view you have to tab through each item, which is a pain. With code like this:

<ul id='tree1' role='tree' tabindex='0' aria-labelledby='label_1'>
  <li role='treeitem' tabindex='-1' aria-expanded='true'>Fruits </li>
  <li role='group'>
    <ul>
      <li role='treeitem' tabindex='-1'>Oranges</li>
      <li role='treeitem' tabindex='-1'>Pineapples</li>
    </ul>
  </li>
</ul>

….keyboard users can tab to the treeview itself, then use arrow keys to navigate and spacebar to select. This makes selecting an item at the end of a tree view much easier, and also makes it easy to move beyond the tree view without having to press Tab a million times.

Use your favorite search engine for “ARIA accessibility” to learn more.

CSS
Mark threw this image up on the screen:


(image from http://www.zazzle.com/stevenfrank – on that site you can buy this coffee mug or a T-shirt with the design)

Web fonts finally work in CSS3 – you can use more than Times, Courier, Arial, and occasionally Helvetica. This works EVERYWHERE – Chrome, IE, Firefox, Opera, Safari, etc. Well, it’s true that they all use it, but they all have different fonts they support. Read Bulletproof font face for tips on how to get the font you want no matter what browser is used (yes, even IE).

Opacity is easy [author's note - it's just the "opacity" element, see examples at http://www.css3.info/preview/opacity/].

Rounded corners are EASY – Mark’s slide passed too fast for me, so I grabbed an example from http://24ways.org/2006/rounded-corner-boxes-the-css3-way:

.box { border-radius: 1.6em; }

Gradients are easy [author's note -- looks like you need webkit, there's examples at http://gradients.glrzad.com/]

To test CSS3 stuff, use www.css3please.com – “This element will receive inline changes as you edit the CSS rules on the left.”

[Author's note -- while searching I found http://www.webappers.com/2009/08/10/70-must-have-css3-and-html5-tutorials-and-resources/ which is definitely a "must have".]

Canvas
A canvas is a blank slate where you can draw whatever you want, use the canvas tag and id, width and height attributes, everything else is javascript. Pretty awesome. [Author's note -- Mark had examples but I did not have time to capture them. I did find a nice tutorial at https://developer.mozilla.org/en/Canvas_tutorial.]

Multimedia
Video with no flash! YouTube has HTML5 integration. Here’s sample code of how to do movies in HTML5:

<video src='movie.ogv' controls></video>
<video src='movie.ogv' loop></video>
<video src='movie.ogv' preload='none'></video> -- don't preload the movie
<video src='movie.ogv' preload='auto'></video>
<video src='movie.ogv' autoplay></video> -- if you don't have this you don't do evil autoplay....

Multimedia is in the DOM and responds to CSS effects, such as reflection:

<video src='movie.ogv' loop style='-webkit-box-reflect: below 1px;'></video>

(this code might be wrong, the slide flipped fast)

Of course the problem — codecs. Right now, .ogv and .mp4 (h264).

Audio inline too, same problem — only .oga and .mp3:

<audio src='podcast.oga' controls></audio>

Geolocation
IsGeolocationPartofHTML5.com is a real site, go to it to get the answer.
Geolocation demos — very much the same, find your location and display it. Simple but cool.

Cache manifest
Get everything you need for offline usage…

<html manifest='another-sky.manifest'>

CACHE MANIFEST
/avatars/zoe.png
/avatars/tamara.png
/scripts/holoband.jpg

Search for “google for mobile HTML5 series” – good series of articles on using this stuff.

HTML 5 has much more
Local storage
Web workers
Web sockets (2way connections, like raw tcp/ip cxns over the web)
3D canvas (webgl)
Microdata (enhanced semantics)
Desktop notifications
Drag and Drop

Learn more:
whatwg.org/html5
diveintohtml5.org

Always Check Your Backups

So this is a 2 node RAC cluster on RHEL that was recently upgraded from 10.2.0.2 to 10.2.0.4. Since then clusterware restarts crs every few hours (8 in fact). A little research suggests that this can indicate problems with the automated OCR backup.  The first thing therefore is to check the state of the backups.

[server] $ORA_CRS_HOME/bin/ocrconfig -showbackup
server 2006/10/25 11:21:23 /u01/crs/oracle/product/10.2/crs01/cdata/cluster_name
server 2006/10/25 07:21:22 /u01/crs/oracle/product/10.2/crs01/cdata/cluster_name
server 2006/10/25 03:21:20 /u01/crs/oracle/product/10.2/crs01/cdata/cluster_name
server 2006/10/24 03:21:13 /u01/crs/oracle/product/10.2/crs01/cdata/cluster_name
server 2006/10/17 21:44:24 /u01/crs/oracle/product/10.2/crs01/cdata/cluster_name

Yes, that’s right: nearly 3 1/2 years since a successful OCR backup. When did you last check yours?

Blocking Tools from using the database

I saw Charles Hooper's post titled "Why Doesn’t This Trigger Work – No Developer Tools Allowed in the Database" via my Oracle blogs aggregator and read it with interest as it's related to issues I come across with....

Posted by Pete On 10/03/10 At 11:08 AM

Developers Against Inappropriate Concatenation

Tom Kyte is on record as wanting the abolition of "WHEN OTHERS", "Autonomous Transactions" and "Triggers". I think he's also mentioned COMMIT in procedures too.

For today's rant, I'm going up against the humble concatenation operator. Yup the double pipe ( || ), or concat if you want to be 'portable'.

Not entirely, of course. I'm not a zealot. I recognize that sometimes you'll need to join a State to a Postcode (or Zip code) when outputting an address.

But they should only be in the top-most SELECT. Not in a subselect, or a predicate. And definitely not if you are inserting the combined value into another column. The first rule about normalisation is you don't talk about normalisation. No, sorry that's Fight Club. But First Normal Form does include Atomicity, which means you shouldn't be gluing fields together. This is a data model, not an Airfix model.

If you do "column_a||column_b", you'll get confused about whether 'abc' was 'ab'||'c' or 'a'||'bc' and be lost.

Even if you are smart and stick some delimiter in there (column_a||'-'||column_b), you've lost your columns. Can't use them for Referential Integrity. Can't gather stats on them. The optimizer is going to get lost. If the original columns were numbers or dates, you've added datatype conversion into the mix. If both the original values were null, you've got nothing but a delimiter in the new field. Yuck.

But mostly, at some time in the future some poor blighter is going to have to come along and break them apart with obscure regular expressions. It may be me, and I won't be happy. And then you'll find out what I can do with a double pipe !

APEX: Create and Parse Arrays

It's been awhile since I've been able to work with APEX extensively, so I am rusty.

A question came up today whether we could get multiple values into a single variable (Item in APEX).

Yes we can!

APEX_UTILS

Need some data first:

CREATE TABLE t ( some_text VARCHAR2(10) );

INSERT INTO t ( some_text )
SELECT dbms_random.string( 'a', 10 ) some_text
FROM dual
CONNECT BY LEVEL <= 5;

CJUSTICE@TESTING>SELECT * FROM t;

SOME_TEXT
----------
thrFXviVWJ
kpfGRRwctv
EVxNrcmBHC
gcBlHaKrLa
irYduOZfkS

I want that table data to be in a single item. TABLE_TO_STRING is your function.

VAR C VARCHAR2(100);

DECLARE
l_table APEX_APPLICATION_GLOBAL.VC_ARR2;
BEGIN
SELECT some_text
BULK COLLECT INTO l_table
FROM t;

:c := apex_util.table_to_string( p_table => l_table );
END;
/

PL/SQL procedure successfully completed.


C
-----------------------------------------------------------
thrFXviVWJ:kpfGRRwctv:EVxNrcmBHC:gcBlHaKrLa:irYduOZfkS

Easy enough. How about converting it back to a table? STRING_TO_TABLE is your answer.

DECLARE
l_table APEX_APPLICATION_GLOBAL.VC_ARR2;
BEGIN
l_table := apex_util.string_to_table( p_string => :c );

FOR i IN 1..l_table.COUNT LOOP
d( 'value ' || i || ': ' || l_table(i) );
END LOOP;
END;
/

value 1: thrFXviVWJ
value 2: kpfGRRwctv
value 3: EVxNrcmBHC
value 4: gcBlHaKrLa
value 5: irYduOZfkS

PL/SQL procedure successfully completed.

Done.


Why Doesn’t This Trigger Work – No Developer Tools Allowed in the Database

March 10, 2010

In one of last week’s blog articles I asked why a SQL statement that had appeared in a book, was copied to various websites, and was offered as an example of good SQL simply did not work.  A couple of readers of this blog took up the challenge to offer suggestions.  I think that I found another example of blindly reproducing others’ code without verifying that the code works as expected.  What did I find this time?

http://www.orafaq.com/scripts/security/blocktools.txt

rem -----------------------------------------------------------------------
rem Filename:   NoTOAD.sql
rem Purpose:    Block developers from using TOAD and other tools on
rem             production databases.
rem Date:       19-Jan-2004
rem Author:     Frank Naude
rem -----------------------------------------------------------------------

CONNECT / AS SYSDBA;

CREATE OR REPLACE TRIGGER block_tools_from_prod
  AFTER LOGON ON DATABASE
DECLARE
  v_prog sys.v_$session.program%TYPE;
BEGIN
  SELECT program INTO v_prog
    FROM sys.v_$session
  WHERE  audsid = USERENV('SESSIONID')
    AND  audsid != 0  -- Don't Check SYS Connections
    AND  rownum = 1;  -- Parallel processes will have the same AUDSID's

  IF UPPER(v_prog) LIKE '%TOAD%' OR UPPER(v_prog) LIKE '%T.O.A.D%' OR -- Toad
     UPPER(v_prog) LIKE '%SQLNAV%' OR -- SQL Navigator
     UPPER(v_prog) LIKE '%PLSQLDEV%' OR -- PLSQL Developer
     UPPER(v_prog) LIKE '%BUSOBJ%' OR   -- Business Objects
     UPPER(v_prog) LIKE '%EXCEL%'       -- MS-Excel plug-in
  THEN
     RAISE_APPLICATION_ERROR(-20000, 'Development tools are not allowed on PROD DB!');
  END IF;
END;
/
SHOW ERRORS

If you search the Internet you will find this piece of code, minus the header block, on various websites as recently as 2010, including in this OTN thread.  The idea of blocking development tools in a production database could be a valid goal, so I am able to understand the interest in the trigger.  What is wrong with the trigger?  Is it just a case that SQL*Plus could also be considered a developer tool?  What about the Crystal Reports development environment?  What if the developer created his own development tool to access the database?  What if… someone changed the filename of TOAD?  What if… the trigger doesn’t actually block Excel without any tricks such as changing Excel’s filename?

The contents of this blog article were tested with Oracle Database 11.1.0.7 with an Oracle 11.1.0.7 client, Excel 2007, and Windows Vista as the client operating system.  First, I created the trigger when connected as SYS, and then queried V$SESSION to find that only my SQL*Plus connection was listed.

Then in Excel 2007 I selected Get External Data, then From Other Sources:

When prompted, I connected to the database as a normal user:

I was then able to freely execute queries against the database using the Microsoft Query Tool, which would then allow me to very easily return the rows to an Excel spreadsheet.

OK, maybe the above is cheating… a little.

But, what is the point in blocking Excel with the logon trigger, is the trigger supposed to stop someone from firing up an Excel macro that uses ADO to connect to the database and retrieve whatever information the developer would like to see?  Kind of like this example:

The logon trigger that appears on several websites did not block my Excel connection – if you take a look at the first screen capture you will see that the logon trigger was created without error, and then I was able to connect with the Microsoft Query Tool and my Excel macro using a normal user’s account.  Someone want to try explaining what went wrong?  Must be that we need to file a Metalink bug report, after all, I saw this example on the news so it must be true.  :-)

Maybe Oracle Database 11.2.0.1 will respond more favorably (Oracle 11.1.0.7 client, Excel 2007, and Windows Vista as the client operating system):

While this code might have worked fine in 2004, it would probably make sense to test this trigger code before copying it to your website.  I think that this is worth repeating:

Lesson 1: if you plan to publish something, whether in book form or on the Internet, make certain that what you publish actually works (or at least looks like you put some effort into it) .

Lesson 2: if you plan to copy someone else’s work and post it on your website/blog make certain that what you copy and pass off as your own actually works.

Lesson 3: don’t trust everything that you read on the Internet or in a book without first verifying that the information is correct, even if you find the information on your favorite website.
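The questions the post above raises about the trigger's name matching (SQL*Plus, a home-grown tool, a renamed executable) can be checked offline. The following is an added example, not code from the post or from orafaq.com: a Python model of the trigger's IF condition only, assuming Oracle's LIKE and NULL semantics, run over constructed PROGRAM values. It says nothing about what a real session reports in V$SESSION.

```python
import re

# LIKE patterns copied from the block_tools_from_prod trigger on this page.
BLOCKLIST = ["%TOAD%", "%T.O.A.D%", "%SQLNAV%", "%PLSQLDEV%", "%BUSOBJ%", "%EXCEL%"]


def like_to_regex(pattern):
    """Translate an Oracle LIKE pattern (% = any run, _ = one char) to a regex."""
    parts = []
    for ch in pattern:
        if ch == "%":
            parts.append(".*")
        elif ch == "_":
            parts.append(".")
        else:
            parts.append(re.escape(ch))  # '.' in '%T.O.A.D%' is a literal dot
    return re.compile("".join(parts), re.DOTALL)


COMPILED = [like_to_regex(p) for p in BLOCKLIST]


def sql_like(value, regex):
    """Three-valued LIKE: a NULL operand yields NULL (None), not FALSE."""
    if value is None:
        return None
    return regex.fullmatch(value) is not None


def trigger_blocks(program):
    """Mirror the trigger's IF: the branch runs only when the OR chain is TRUE."""
    # Oracle treats the empty string as NULL, so both are modelled as None.
    upper = program.upper() if program else None
    results = [sql_like(upper, rx) for rx in COMPILED]
    # TRUE OR NULL is TRUE; FALSE OR NULL is NULL, and IF NULL is not taken.
    return any(r is True for r in results)


# Constructed PROGRAM values for illustration (not captured from a database).
SAMPLE_PROGRAMS = [
    "toad.exe",
    "TOAD for Oracle.exe",
    "sqlplus.exe",         # a tool the list never names
    "reports.exe",         # hypothetical: a listed tool under another file name
    "custom_client.exe",   # hypothetical in-house tool
    None,                  # session reporting no program name
]


def passes_through(programs):
    """Return the program values the modelled condition would let log on."""
    return [p for p in programs if not trigger_blocks(p)]


if __name__ == "__main__":
    for prog in SAMPLE_PROGRAMS:
        verdict = "blocked" if trigger_blocks(prog) else "allowed"
        print(f"{prog!r:25} {verdict}")
```

Because the value compared is whatever the client reports as its program name, a name-based list is best treated as a convenience filter; access control belongs in account privileges and roles.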


Thank you for

Thank you for all those who attended my webcast today on SQL Plan Management for All India Oracle User Group. It was a privilege to present before you and to be able to address your questions. I am sorry I couldn't read all the questions properly, since it was extremely difficult to see the questions scrolling up in the tiny chat window. Also, as the webcast was designed, I couldn't hear anything the attendees were saying.

The presentation and the associated SQL scripts are available here. The article I referred to can be found here.

If you have a question regarding that specific webcast, please post a comment here and I will address it here. Please, limit your questions to the material discussed in the webcast only.

Upgrade Workshop in Perth, Australia

This day is way too nice to run an upgrade workshop :-) 32°C outside (approx 90°F) and the beaches close by sound VERY tempting. Nevertheless a lot of people came in so we might go for a swim after the workshop as our flight to the Philippines tonight just leaves at 2am in the morning.

When you go on travel for such a long time sometimes you have strange ideas.
But actually Roy's neighbor came across this one: Merrimack, NH is as far as away from Perth, Western Australia as possible on earth if you'd like to be on land and not in water. Actually it is not a 100% correct as a place called East Augusta which is about 370km away from Perth. But it would have been a bit harder to organize the workshop there.
Distance: 11593 mi = 18657 km!!!

Gathering Workload Statistics

We refer in our upgrade talk to gather system (aka workload) statistics to give the optimizer some good knowledge about how powerful your IO-system might be. The optimizer since Oracle 9.2 takes CPU and IO costing into consideration. If you never have taken care of these stats you'll find default values in AUX_STATS$. These values have been defined a few years back. So it might be a good idea right a few days after upgrading to the new release to create them while a real workload is running. Taking these stats does not generate any overhead or performance degradation on your system.
You'll create the system stats while there's workload on the system with:

exec DBMS_STATS.GATHER_SYSTEM_STATS('start');
exec DBMS_STATS.GATHER_SYSTEM_STATS('stop');

You could run this for several hours and you could revert with:
exec DBMS_STATS.DELETE_SYSTEM_STATS;

to the default values.

Now yesterday in Melbourne we had an interesting discussion after the workshop regarding the behaviour of DB_FILE_MULTIBLOCK_READ_COUNT when taking system stats. The Performance Tuning Guide has some interesting information regarding this so I'll quote it here:

13.4.1.2 Multiblock Read Count

If you gather workload statistics, then the mbrc value gathered as part of the workload statistics is used to estimate the cost of a full table scan. However, during the gathering process of workload statistics, Oracle Database may not gather the mbrc and mreadtim values if no table scans are performed during serial workloads, as is often the case with OLTP systems. However, full table scans occur frequently on DSS systems but may run parallel and bypass the buffer cache. In such cases, Oracle Database still gathers the sreadtim value because the database performs index lookup using the buffer cache.
If Oracle Database cannot gather or validate gathered mbrc or mreadtim values, but has gathered sreadtim and cpuspeed values, then the database uses only the sreadtim and cpuspeed values for costing. In this case, the optimizer uses the value of the initialization parameter DB_FILE_MULTIBLOCK_READ_COUNT to cost a full table scan. However, if DB_FILE_MULTIBLOCK_READ_COUNT is not set or is set to 0 (zero), then the optimizer uses a value of 8 for costing.

Once you have created system/workload stats it might be a good idea to duplicate them to your test system(s) as well even though the test system might have not this super-fast IO subsystem. But the optimizer will "believe" he would have ... Therefore use the procedure DBMS_STATS.CREATE_STAT_TABLE and transport the system stats with DBMS_STATS.EXPORT_SYSTEM_STATS and DBMS_STATS.IMPORT_SYSTEM_STATS procedures.

The "Database is a Bucket" Mentality

Front and center again...I just woke up from a nap, I'm grumpy, so I must write. Besides, I haven't had a good rant in quite some time.

Friend of mine asked me last week for some advice, specifically asking if there was a tool to convert Oracle SQL Syntax to the ANSI SQL syntax. (A quick search turned up this (it was the first result), if you're interested).

I had to ask why.

Client is switching to an open source database, i.e. "free." Oracle licensing is way too pricey.

I'm sure Oracle costs a lot of money, it's pretty darn good software. Quite possibly the best in the world especially in the database realm. I've written about the incredibly feature rich goodness that is the Oracle database here here...actually, just trust me. It's in my name.

Why is there even a comparison?

Could it be that everyone out there believes that the sole purpose of a database is to store data? That it can't do anything else? The storage and retrieval of data...that's all it does of course.

It's like saying the Democrats and Republicans are the same...at face value, perhaps, but the devil is in the details.

This, this "Bit Bucket" mentality is what is so incredibly frustrating.

I am in no position to argue the differences between the various flavors of database, I lack the experience. But if I were using SQL Server, I would leverage the shit out of its capabilities. If I were using MySQL, I would leverage the shit out of its capabilities. If I were using Firebird, I would leverage the shit out of its capabilities. Same goes for every single flavor out there. Get my point here?

The database is NOT a bit bucket!

Do I need to use more 4-letter words?

I know that Oracle is feature rich and that 99% percent of your code can live in the database...think APEX and PL/SQL. You could probably put ALL of your code inside the database if you wanted to put the javascript in BLOBs as well.

Please, please please quit telling me they are the same...they are not.


Blogroll Report 05/02/2009 – 12/02/2010


1-How to simulate Oracle errors with simulator events

Dennis Yurichev-Oracle RDBMS internal self-testing features

2-How to decode dates in histograms?

Martin Widlake-Format of Date Histograms

3-How to decide the value of datafile resize option ?

Jonathan Lewis-Shrink Tablespace

4-All about network wait events

Kyle Hailey-Oracle: Network Waits

5-When does manual logfile switch trigger complete checkpoint ?

Lua Donghua-ALTER SYSTEM SWITCH LOGFILE and CHECKPOINT

6-When does “alter system archive log current” trigger checkpoint?

Lua Donghua-ALTER SYSTEM ARCHIVE LOG CURRENT and CHECKPOINT

7-How to secure java in Oracle and how to test public revocation?

Paul Wright-Securing Java In Oracle and DBMS_JVM_EXP_PERMS

8-Difference between case and decode in terms of trimming

Timo Raitalaakso-Equality -comparing text

9-How to upgrade ASM 10.2 to 11.2 single instance

Martin Bach-Upgrade ASM 10.2 to 11.2 single instance

10-How to use resumable operations in Oracle

Stewart Bryson-Data Warehouse Fault Tolerance Part 1: Resuming

11-How to restart your ETL process with restore points ?

Stewart Bryson-Data Warehouse Fault Tolerance Part 2: Restarting

12-How to use incremental backup for no logging operations for recovery in DW environments?

Stewart Bryson-Data Warehouse Fault Tolerance Part 2: Restoring

13-Beginners guide to index block dumps and treedumps Part-1

Richard Foote-Index Block Dumps and Index Tree Dumps Part I: (Knock On Wood)

14-NVL and COALESCE performance comparison?

Scott Wesley-Short-circuit Evaluations – moving away from NVL

Scott Wesley-One more COALESCE vs NVL example to finish the week

15-How to drill down and detail sys_time_model data vs2?

Charles Hooper-Working with Oracle’s Time Model Data 3

16-How to put gather_plan_statistics hint without changing the code by sql profiles?

Kerry Osborne-gather_plan_statistics

17-How to check/extract unsuccessful connection attempts in listener_log ?

Martin Bach-Check for non-successful connection attempts in listener.log

18-Why does Oracle use undo when there is already redo logs? (Must read)

Jonathan Lewis-Why Undo?

19-How to configure ASYNC-IO on HP/UX?

John Hallas-OER 27064: cannot perform async I/O to file – HPUX

20-How to convert cross platform single instance to RAC with RCONFIG?

Syed Jaffar Hussain-My experience of converting a cross platform (AIX to HP) single instance database to RAC using RCONFIG tool

21-How to backup Oracle to cloud storage ?

Alisher Yuldashev -Let Your Oracle Backups Be Up in the Clouds

22-Fundamentals of Performance Tuning (Must read)

Cary Millsap-Thinking Clearly About Performance

23-Solutions to Permission problems with fuse and DBFS

Kevin Closson-Oracle Database 11g Database File System (DBFS). Common DBFS Problems and Solutions. Part II.

24-How to send execution plan to Excel and show execution plans on web

Charles Hooper-Automated DBMS_XPLAN, Trace, and Send to Excel

25-Weird Transitive Closure behaviour in execution plan which causes ignorance of hints

Jonathan Lewis-Ignoring Hints-2

26-How to do initial server pool configuration before database creation in 11GR2?

Martin Bach-Server Pool experiments in RAC 11.2

27-Problems with usage of Append_Values and solutions

Gary Myers-Append Values and how not to break the database

28-How does Subquery factoring work?

Tim Hartley-Getting Recursive


Back Again

So if all goes well the blog should be back again, now powered by Wordpress. The blogger posts have made it back, but apparently 2006-2008 never existed. Fortunately it’s probably only me that cares.

Those who know me personally will know that I moved jobs, and therefore needed to understand what the “private blogging” position was, and also went through a year where my father-in-law died from Cancer and my mother was diagnosed with Cancer. Not all of the personal issues are resolved now, but hopefully I’ll get back into the regular posting thing from now on.



