Archive for the 'Application Development' Category

Security vulnerabilities in Crystal Reports web apps

Saturday 18 February 2017 @ 6:27 pm

A Crystal Reports web development team has posted in the SAP forums about some security weaknesses in the .NET web deployment model. They are trying to get the attention of SAP, without success so far.

It appears that this team deployed a .NET web application using the Crytal Reports runtime engine. During a security audit they uncovered some serious vulnerabilities. It appears that they weren’t able to get the SAP support team to look at the problem because they do not have a support subscription, so they posted it to the forum as three question. From what I have read they are trying to walk the line between highlighting the seriousness of specific vulnerabilities, while not making these same vulnerabilities easier to exploit.

Those of you who do .NET web development might want to check out the following links (some of which appear to have been deleted as of 3/6).

Link 1 (131436) (deleted)
Link 2 (130250) (deleted)
Link 3 (133449)

And thanks to Ido Millet of Millet Software for pointing these posts out to me.

Prior versions, service packs, runtime and merge modules

Tuesday 12 August 2014 @ 11:17 am

I had to track down some older versions of Crystal Reports along with service packs and runtime modules. I found some useful links and want to put them all in one place so that I don’t have to hunt them down again.  Others might find this useful so I have posted them below.

Of course, the problem with pages like these is that they don’t age well. These links will probably expire or change. Some of the downloads will go away as SAP stops supporting the older versions. So that is why some of the links below are redundant. If you find that a link has expired, please let me know.

Version downloads and service packs (SAP)

Version downloads and service packs

CR XI downloads and service packs

CR 2008 service packs

CR 2008 SP 6 supported platforms

SAP Downloads search page

Code Search Pro 2014

Thursday 7 August 2014 @ 1:14 pm

Find It EZ has just released version 14 of their code search software. It is now called Code Search Pro Desktop 2014. The new features for Crystal users include the ability to go through a batch of reports and:

  • Verify the database
  • Change the data source
  • Set the table alias names
  • Create a database cross reference report

Also, the tool now creates an index of scanned documents which makes searches faster.  And it is certified to support  SQL Server 2014, Oracle 12c, MySQL 5.7 and DB2 10.5.  See the Find It EZ website for a free 14-day trial.  Or you can use the new option of Code Search Pro in a Saas model.  This allows you to use it fully for 90 days, with unlimited support, for $99.

Automatically fill in “Overridden Qualified Table Names”

Monday 7 July 2014 @ 10:55 pm

This post will only be useful for developers who create reports that need to be launched from an application. I have written before about property called “Overriden Qualified Table Names” or OQTN. Filling in this property makes it easier to point the report to a different connection at runtime. The OQTN property starts out empty for each table. To use it you go into the properties of a table in “Set Datasource Location” and enter that table’s name into the OQTN property. You have to do this for each table, view or stored procedure in the report. It surprises me that this property isn’t filled in automatically at the time the table is added, like the table alias property.

A few months back a user contacted me because Continue Reading »
Automatically fill in “Overridden Qualified Table Names”

Source Code for RPT management software for sale

Saturday 14 June 2014 @ 10:27 pm

Cortex systems has two software packages that allow you to manage your RPT files. They are:

Report Analyzer – Allows you to search, cross-reference and document your reports
Object Compare – Finds all the differences between two objects, including RPT files and several other object types.

The developers at Cortex are changing their focus and are interested in selling the source code and IP for these two products. Anyone interested in finding out more can Email

Limitations in the Crystal Reports .NET runtime

Friday 29 November 2013 @ 10:36 am

I am not sure how many of you will have use for this info, but I have one customer who ran into an unknown limitation in the Crystal Reports API (.NET). He was using FindItEZ to track changes in a very large and complex report. The report had one section divided into over 400 subsections and certain subsections weren’t being identified correctly. Instead they were repeating as “phantom” duplicates. So the team at FindItEZ did some testing and Ken Gnazdowsky reported what they considered a bug in the .NET API.

But, after some discussions with SAP they were told that the .NET API can only keep track of 104 subsections in any one of the 7 major sections:

Report Header/Report Footer
Group Header/Footer
Page Header/Page Footer

So if you go past 104 in any one section (past subsection label ‘cz’) then the API loses the Continue Reading »
Limitations in the Crystal Reports .NET runtime

Technical documents for Web deployments

Tuesday 29 October 2013 @ 11:29 pm

I recently posted a comparison of the engine used by CR Server/ BOE and the runtime engine used by application developers. The key difference is going to be in performance, especially in high volume environments. For those of you who still plan on using the runtime engine there is a great pair of documents that explains how to get the most out of your hardware/software combination.

The first one is newer and is designed to help you select the most appropriate engine for your deployment and explain the differences between the engines. It then highlights the advantages of the more expensive engines while giving you a method to estimate the number of supported users in the runtime engine. The one thing that this document doesn’t do is provide specific techniques that you can use to maximize throughput of the runtime engine.  But there is an older document that fills in this gap. I have confirmed with the folks at SAP that this older document still applies in .NET runtime deployments.

If you have any trouble locating these documents because the links have changed, please let me know.

CR Server vs the CR Runtime Engine

Tuesday 15 October 2013 @ 9:17 am

I read a forum thread where users were comparing the different web deployment options for Crystal Reports. One post, by Blair Wheadon of SAP, gave a good comparison of the two different CR engines.  He compares the one that supports CR Server/BO Enterprise with the CR runtime engine that supports home grown and third party web applications. He has given me permission to post it here:

Its important to understand the differences between SAP Crystal Server, and other server reporting products based on our runtime engine.

Our runtime engine is designed and licensed to add reporting to server applications. It is a lightweight, embeddable component engine without any security or scheduling built it. It is limited to processing a maximum of 3 simultaneous report requests. It is designed to run within the web server itself. Server products like those sold by Reportal and Christian Steven depend on this limited runtime engine, and add their own scheduling functionality.

SAP Crystal Server however is the same technology used by our high-end SAP BusinessObjects Business Intelligence product, with some limitations that allow us to price it very aggressively. It includes support for Xcelsius dashboarding, the new Explorer tool for casual BI users, Sharepoint and Office integration, Active Directory and LDAP security integration, scheduling, and new Enterprise-class features to reduce the cost of ownership like lifecycle management (for promoting reports between test, development, and production), auditing, and monitoring to ensure uptime.

Unlike the limited runtime engine, the SAP Crystal Server report engine uses all the server resources available, including page-level caching, and unlimited threads to effectively manage load. Plus it now includes entry-level BI functionality like dashboard support, the Explorer tool for casual BI use cases, and support for 64-bit servers.

The major limitations are: limited to a single server, no support for ERP integration (like SAP integration or Oracle integration), mobile support available only as an add-on, and it does not include Web Intelligence. None of these limitation are material to customers looking for a simple reporting server.

It does not use CPU licensing, so you can throw as many CPUs at your reporting problem as you want (as long as you’re on a single server) , and deploy to either virtual or physical servers without any licensing impact.


Reduced fonts when exporting to PDF

Wednesday 25 September 2013 @ 12:12 pm

I thought I had written about this before, but apparently I have only mentioned this in forums and never on my own blog. When you export a Crystal Report to PDF, by default Crystal will reduce the fonts by around 5%. Most people don’t notice this, but in some situations this causes problems. The solution requires that you go into the registry and add some keys. Finding where to make the change and what the change should be is a bit tricky because there is an older method and a new improved method.

The older method requires Continue Reading »
Reduced fonts when exporting to PDF

Printing QR Codes within your Crystal Reports

Monday 12 March 2012 @ 8:05 am

I have written before about using Bar Codes in Crystal Reports, but recently two different customers have asked me about including QR codes on their reports.  For those of you who have not seen them, QR codes are the square scan codes that have small boxes in each  corner.  Here is a QR Code for my Email address:

QR code for my Email address

The advantage of QR codes over traditional bar codes is that they have extra error checking built in, which means that even a slightly blurry scan, such as one done by a smartphone or tablet camera, can still be decoded and used.

There are several ways that you can incorporate QR codes into Crystal Reports.
1) If you have a single QR Code, or a small number of them, then you can use a free web based QR Code Generator to generate the image.  You can then insert the image into the report.  If you have several you could Continue Reading »
Printing QR Codes within your Crystal Reports

«« Previous Posts

Recrystallize Pro

Crystal Reports Server