Archive for the 'Application Development' Category

The Log4j vulnerability and Crystal Reports

Sunday 12 December 2021 @ 9:38 pm

Everyone has been talking about the new Java security vulnerability called Log4j. I have been talking to colleagues to determine if this affects Crystal Reports, Crystal Enterprise or anything else in the Crystal ecosystem. SAP put out a note that states that this vulnerability does not affect SAP Business Intelligence 4.2 or 4.3. It doesn’t mention earlier BI versions but these are no longer supported.

There was a support note about this topic, but nothing in the support note mentions Crystal Reports or the Crystal runtime engine used by third party applications. One of my colleagues said that since this is a Java vulnerability, it should not affect stand alone Crystal Reports, and I tend to agree. I also believe that if Crystal Reports were affected it would be mentioned in that support note. The same goes for the Crystal runtime files, but it would be nice if SAP responded specifically to these questions in the discussion above.

Last, thanks to Andrew Baines of Pursuit Technology and Danny Shahrabani of rePORTAL Software for helping me track down and make sense of the SAP support note.  If anyone else has info to share on this topic, please let me know.

Legacy apps that use the Crystal Reports runtime engine

Sunday 5 December 2021 @ 7:04 pm

I received this question several times, recently:

We have a legacy app that uses the Crystal Reports runtime. We want to use a later version of Crystal Reports, but still need the reports to work in our application. Is this possible?

The short answer is “probably not”. The longer answer involves a bit of history.

Crystal Reports, right from the beginning, provided a runtime engine that let you invoke reports from applications. First there was the Print Engine API (1991), which used files like crpe.h and crpe32m.lib and direct calls like PEOpenEngine() and PEOpenPrintJob(). Then in 1995 they released an ActiveX component using the file Crystal32.OCX (this was included for free with Visual Basic). In 1997 they released something called the Automation server using CPEAUT32.dll. These three different integration approaches worked side by side until 2001, when Crystal introduced the Report Design Component (RDC), which used the file CrAxDrt.dll.

The next year, when CRv9 was released, the RDC became the only supported integration method and the files for the other three methods were no longer provided.  Since CRv9 rpt files were not backward compatible, users had to choose between using their legacy code or upgrading Crystal Reports.  If they wanted to use the latest version of Crystal Reports they would have to rewrite their application.  Many chose to freeze their Crystal version, and some are still using CRv8x and one of the original three runtime engines.

Then in 2003 Crystal released a runtime engine for .NET. For the next few versions of CR you could choose either the RDC or the .NET runtime engine. But in 2008, when CRv12 came out, Crystal no longer supported the RDC. Again users had to choose. If you wanted your application to support the new features in CR 2008 you had to rewrite your application in .NET. But there was one difference. A Crystal report created in CR 2008 (or even CR 2016) is backward compatible all the way back to CRv9. So these later reports can still be run from RDC-based applications. However, if the reports use any features that are new after CR 2008 (optional parameters, vertical alignment, etc.) these won’t work unless you are using the .NET runtime.

And this is where we are today. The only runtime engine that supports all the features in the current versions of Crystal is the .NET engine.  There isn’t anything available in any recent version of Crystal that will work with legacy code from the other 4 integration methods.  If you have an application that uses one of these methods your choices are:

1) Stay with your legacy code and use an old version of Crystal to maintain the reports.
2) Rewrite your code using the .NET runtime engine.

Years ago I put out a guide for using the .NET engine in applications. Although it was written in 2003, the basic object model hasn’t changed significantly since then. It is free and you can download a copy – if you think it will help.

Security vulnerabilities in Crystal Reports web apps

Saturday 18 February 2017 @ 6:27 pm

A Crystal Reports web development team has posted in the SAP forums about some security weaknesses in the .NET web deployment model. They are trying to get the attention of SAP, without success so far.

It appears that this team deployed a .NET web application using the Crystal Reports runtime engine. During a security audit they uncovered some serious vulnerabilities. It appears that they weren’t able to get the SAP support team to look at the problem because they do not have a support subscription, so they posted it to the forum as three questions. From what I have read, they are trying to walk the line between highlighting the seriousness of specific vulnerabilities and not making these same vulnerabilities easier to exploit.

Those of you who do .NET web development might want to check out the following links (some of which appear to have been deleted as of 3/6).

Link 1 (131436) (deleted)
Link 2 (130250) (deleted)
Link 3 (133449)

And thanks to Ido Millet of Millet Software for pointing these posts out to me.

Prior versions, service packs, runtime and merge modules

Tuesday 12 August 2014 @ 11:17 am

I had to track down some older versions of Crystal Reports along with service packs and runtime modules. I found some useful links and want to put them all in one place so that I don’t have to hunt them down again.  Others might find this useful so I have posted them below.

Of course, the problem with pages like these is that they don’t age well. These links will probably expire or change. Some of the downloads will go away as SAP stops supporting the older versions. So that is why some of the links below are redundant. If you find that a link has expired, please let me know.

Version downloads and service packs (SAP)

Version downloads and service packs

CR XI downloads and service packs

Code Search Pro 2014

Thursday 7 August 2014 @ 1:14 pm

Find It EZ has just released version 14 of their code search software. It is now called Code Search Pro Desktop 2014. The new features for Crystal users include the ability to go through a batch of reports and:

  • Verify the database
  • Change the data source
  • Set the table alias names
  • Create a database cross reference report

Also, the tool now creates an index of scanned documents, which makes searches faster. And it is certified to support SQL Server 2014, Oracle 12c, MySQL 5.7 and DB2 10.5. See the Find It EZ website for a free 14-day trial. Or you can use the new option of Code Search Pro in a SaaS model. This allows you to use it fully for 90 days, with unlimited support, for $99.

Automatically fill in “Overridden Qualified Table Names”

Monday 7 July 2014 @ 10:55 pm

This post will only be useful for developers who create reports that need to be launched from an application. I have written before about a property called “Overridden Qualified Table Names” or OQTN. Filling in this property makes it easier to point the report to a different connection at runtime. The OQTN property starts out empty for each table. To use it you go into the properties of a table in “Set Datasource Location” and enter that table’s name into the OQTN property. You have to do this for each table, view or stored procedure in the report. It surprises me that this property isn’t filled in automatically at the time the table is added, like the table alias property.

A few months back a user contacted me because Continue Reading »

Source Code for RPT management software for sale

Saturday 14 June 2014 @ 10:27 pm

Cortex systems has two software packages that allow you to manage your RPT files. They are:

Report Analyzer – Allows you to search, cross-reference and document your reports
Object Compare – Finds all the differences between two objects, including RPT files and several other object types.

The developers at Cortex are changing their focus and are interested in selling the source code and IP for these two products. Anyone interested in finding out more can Email

Limitations in the Crystal Reports .NET runtime

Friday 29 November 2013 @ 10:36 am

I am not sure how many of you will have use for this info, but I have one customer who ran into an unknown limitation in the Crystal Reports API (.NET). He was using FindItEZ to track changes in a very large and complex report. The report had one section divided into over 400 subsections and certain subsections weren’t being identified correctly. Instead they were repeating as “phantom” duplicates. So the team at FindItEZ did some testing and Ken Gnazdowsky reported what they considered a bug in the .NET API.

But, after some discussions with SAP they were told that the .NET API can only keep track of 104 subsections in any one of the 7 major sections:

Report Header/Report Footer
Group Header/Footer
Page Header/Page Footer

So if you go past 104 in any one section (past subsection label ‘cz’) then the API loses the Continue Reading »

CR Server vs the CR Runtime Engine

Tuesday 15 October 2013 @ 9:17 am

I read a forum thread where users were comparing the different web deployment options for Crystal Reports. One post, by Blair Wheadon of SAP, gave a good comparison of the two different CR engines.  He compares the one that supports CR Server/BO Enterprise with the CR runtime engine that supports home grown and third party web applications. He has given me permission to post it here:

It’s important to understand the differences between SAP Crystal Server, and other server reporting products based on our runtime engine.

Our runtime engine is designed and licensed to add reporting to server applications. It is a lightweight, embeddable component engine without any security or scheduling built in. It is limited to processing a maximum of 3 simultaneous report requests. It is designed to run within the web server itself. Server products like those sold by Reportal and Christian Steven depend on this limited runtime engine, and add their own scheduling functionality.

SAP Crystal Server however is the same technology used by our high-end SAP BusinessObjects Business Intelligence product, with some limitations that allow us to price it very aggressively. It includes support for Xcelsius dashboarding, the new Explorer tool for casual BI users, Sharepoint and Office integration, Active Directory and LDAP security integration, scheduling, and new Enterprise-class features to reduce the cost of ownership like lifecycle management (for promoting reports between test, development, and production), auditing, and monitoring to ensure uptime.

Unlike the limited runtime engine, the SAP Crystal Server report engine uses all the server resources available, including page-level caching, and unlimited threads to effectively manage load. Plus it now includes entry-level BI functionality like dashboard support, the Explorer tool for casual BI use cases, and support for 64-bit servers.

The major limitations are: limited to a single server, no support for ERP integration (like SAP integration or Oracle integration), mobile support available only as an add-on, and it does not include Web Intelligence. None of these limitations are material to customers looking for a simple reporting server.

It does not use CPU licensing, so you can throw as many CPUs at your reporting problem as you want (as long as you’re on a single server), and deploy to either virtual or physical servers without any licensing impact.


Reduced fonts when exporting to PDF

Wednesday 25 September 2013 @ 12:12 pm

I thought I had written about this before, but apparently I have only mentioned this in forums and never on my own blog. When you export a Crystal Report to PDF, by default Crystal will reduce the fonts by around 5%. Most people don’t notice this, but in some situations this causes problems. The solution requires that you go into the registry and add some keys. Finding where to make the change and what the change should be is a bit tricky because there is an older method and a new improved method.

The older method requires Continue Reading »
