What is Oracle Application Express?
Oracle Application Express (Oracle APEX) is a rapid web application development tool for the Oracle database. Using only a web browser and limited programming experience, you can develop and deploy professional applications that are both fast and secure. Oracle APEX is a fully supported, no cost option of the Oracle database.
Oracle Application Express (Oracle APEX, previously named Oracle HTML DB) is a software development environment based on the Oracle database.[1] It enables a fast development cycle for creating web-based applications. It can be used for departmental-style applications with a dozen users, but can also scale up to handle thousands of users. The framework itself adds as little as 0.04 seconds of overhead to each page request;[2] how well an application scales is primarily based on the efficiency of the SQL queries used by the application developer.
Releases
Oracle Application Express can be installed in an Oracle 9.2 or higher database, and starting from Oracle 11g it will be preinstalled along with the database. APEX 4.0 and higher can be installed on an Oracle 10.2.0.3 or higher database.
In January 2006 Oracle renamed HTML DB to "Oracle Application Express". Version 2.1 of APEX was bundled with the free Oracle Express Edition (XE) database.
In 2007 Oracle released APEX 3.0. This third major version introduced several new features, notably PDF printing and Flash charting. APEX 3.0.1 was released in July 2007, and this version can also be installed into an Oracle XE database.
In Spring 2008 Oracle released APEX 3.1. This included a new major feature known as Interactive Reporting, which enables end-users to extensively customize a report without programmer intervention, using techniques such as filtering, sorting, group-by, choosing displayed columns, etc. The user can even save multiple versions of their customized reports. The programmer can limit which features are enabled. With this power comes a loss of programmer control over the layout of the report.
APEX 4.0 became available in June 2010. Some notable features are declarative Dynamic Actions (which allow reacting to changes on a page without the developer having to write custom JavaScript) and Plugins (which allow developers to create custom components such as items, regions and processes that can be re-used across pages and applications).
APEX 4.1 was released in August 2011. Notable new features included improved (customized) error handling, use of ROWID for updates, a data upload feature for end-users, and improved WebSheets (a hybrid of a spreadsheet and a Wiki, built using APEX itself).
Background
Historically speaking, Application Express has gone through many name changes since its inception in 2000. A reasonably complete history of the names includes:
- Flows
- Oracle Platform
- Project Marvel
- HTML DB
- Application Express (APEX)
One popular misconception is that Application Express is a new version of Web DB. Mike Hichwa created Web DB, a successful web front-end for Oracle, but the development of Web DB started to move in a direction that diverged from Mike's vision. When tasked with building an internal web calendar, Mike enlisted the help of Joel Kallman and started "Flows". They co-developed the Web Calendar and Flows, adding features to Flows as they needed them to develop the calendar. In the earliest days of Flows, there was no front-end for it, so all changes to an application were made in SQL*Plus via inserts, updates and deletes. In some ways APEX is an evolution of Web DB, but it was developed with new code and no upgrade path.
A popular application developed in Application Express is the AskTom application developed by Thomas Kyte. Oracle's Metalink support site had been running on APEX, but was replaced with a Flash version in September 2008.[3] Oracle's online store also runs on APEX.
Advantages
- Fast development
- Web-based
- Developers familiar with PL/SQL can use the same skill set when developing APEX applications
- Easy to create mock-ups
- Easy to deploy (end user opens a URL to access an APEX application)
- Scalable (can be deployed to laptops, stand-alone servers, or Oracle RAC installations)
- Server-side processing and validations
- Strong and supportive user community (especially Oracle APEX forum)
- Basic support for group development
- Free hosting of demo applications provided by Oracle
- APEX applications can run on the free Oracle Express Edition (XE) database
- Individual components of an application can be retrieved or identified using SQL, facilitating customized reports
Disadvantages
- As an application framework, it can be difficult to customize an application outside of a set of expectations about how an APEX application is supposed to operate. However, given that pages are built from customizable templates, anything that is possible to achieve with HTML, CSS and JavaScript is also theoretically possible to achieve with APEX, although it requires more work than using the built-in templates.
- Large installation size. The unzipped installation files for APEX 4.1, which include 9 different languages for the "Application Builder" interface, total 747 megabytes. The English-only version is 147 megabytes. APEX is installed on the database server; developers and users only need a web browser to build and use applications.
- Limited debugging facilities. The APEX framework logs page events in a database table and the log can be inspected by the developer. The developer can also add their own messages to the log during page rendering. JavaScript must be debugged using standard development tools such as Firebug.
- Primary keys can be at most two separate fields. However, since version 4.1, Application Express supports the use of ROWID for updates, inserts and deletes as an alternative to specifying primary keys. Prior to version 4.1, APEX assumed by default that all tables would use generated keys, such as from sequences or triggers; therefore, if a table had more than two key columns, the default DML processes could not be used.
- Pages in APEX can display at most 100 items and forms cannot handle more than 100 database items. Compare this to the Oracle Database where tables can have up to 1000 columns. Pages must be designed to work around this limitation, for example by using multiple pages, tabular forms, or Ajax for on-demand updates.
- APEX applications are created using Oracle's own tools and can only be hosted in an Oracle database, making an implementer susceptible to vendor lock-in.
- Very few webhosts offer APEX (Oracle Database) on their hosting service package (most of them offer PHP + MySQL or ASP + Microsoft SQL Server). As a result, APEX applications are limited in their choice of webhosts.
APEX Security
There is a common misconception that the abstracted nature of APEX applications results in a relatively secure user environment. However, APEX applications suffer from the same classes of application security flaws as other web applications based on more direct technologies such as PHP, ASP.NET and Java.
The main classes of vulnerability that affect APEX applications are: SQL injection, Cross-site scripting (XSS), and Access Control.
APEX applications inherently use PL/SQL as the base server-side language. As well as accessing data via PL/SQL blocks, an APEX application uses PL/SQL to implement authorization and to conditionally display web page elements. As a result, APEX applications are generally exposed to SQL injection wherever these PL/SQL blocks do not correctly validate and handle malicious user input. Oracle implemented a special variable type for APEX called Substitution Variables (with the syntax &NAME.); these are not safe and lead to SQL injection. Where the injection occurs within a PL/SQL block, an attacker can inject an arbitrary number of queries or statements to execute.
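Why a &NAME. reference is unsafe where a bind variable (:NAME) is not, as an added example that is not from the original article or from Oracle. It models the substitution in Python with sqlite3 instead of running APEX, assuming the value is pasted into the statement text before parsing; the emp table, the P1_ENAME item and all helper names are constructed.

```python
import re
import sqlite3

# &NAME. reference: ampersand, item name, terminating dot.
SUBSTITUTION = re.compile(r"&([A-Za-z][A-Za-z0-9_$#]*)\.")

# Constructed statements: the same lookup written both ways.
VULNERABLE = "SELECT ename FROM emp WHERE ename = '&P1_ENAME.'"
HARDENED = "SELECT ename FROM emp WHERE ename = :P1_ENAME"


def expand_substitutions(sql, items):
    """Model (assumption): the value is pasted into the statement text
    before the database parses it, so it can change the statement."""
    return SUBSTITUTION.sub(lambda m: str(items.get(m.group(1).upper(), "")), sql)


def find_substitutions(sql):
    """Audit helper: item names referenced with &NAME. in a SQL or PL/SQL text."""
    return [m.group(1).upper() for m in SUBSTITUTION.finditer(sql)]


def make_db():
    """Constructed in-memory table standing in for application data."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE emp (ename TEXT, sal INTEGER)")
    db.executemany("INSERT INTO emp VALUES (?, ?)",
                   [("KING", 5000), ("SCOTT", 3000), ("ADAMS", 1100)])
    return db


def run_vulnerable(db, items):
    # The item value becomes part of the SQL text.
    return [row[0] for row in db.execute(expand_substitutions(VULNERABLE, items))]


def run_hardened(db, items):
    # The item value is bound as data; the statement text never changes.
    return [row[0] for row in db.execute(HARDENED, items)]


if __name__ == "__main__":
    db = make_db()
    for value in ("KING", "x' OR '1'='1"):  # benign, then hostile (constructed)
        items = {"P1_ENAME": value}
        print(repr(value), run_vulnerable(db, items), run_hardened(db, items))
```

With the hostile value the substituted statement returns every row, while the bound statement returns none; `find_substitutions` can be run over exported SQL and PL/SQL source to list references that should be rewritten as binds.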
Cross-site scripting vulnerabilities arise in APEX applications just as they do in other web application languages. Oracle provides the htf.escape_sc() function to escape user data that is displayed within a rendered HTML response. The reports that APEX generates also provide protection against XSS through the Display As setting on report columns. Originally the default was for reports to be created without any escaping of the columns, although recent versions now set the column type to escape by default. Column definitions can be queried programmatically to check for columns that do not escape the value.
To control access to resources within an APEX application a developer can assign authorization schemes to resources (such as pages and items). These must be applied consistently in order to ensure that resources are appropriately protected. A typical example of inconsistent access-control being applied is where an authorization scheme is set for a Button item, but not the associated Process that is performed when the button is clicked. A malicious user can perform the process (through JavaScript) without requiring the actual Button to be accessible.
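The button-versus-process inconsistency described above can be checked mechanically once component metadata is available. This is an added example, not code from the original article or from Oracle; the record layout, field names, scheme names and sample rows are constructed and do not correspond to APEX dictionary columns.

```python
from collections import namedtuple

# Hypothetical, simplified component metadata. Field names are assumptions,
# not APEX dictionary columns; auth_scheme=None means no scheme assigned.
Button = namedtuple("Button", "page_id name auth_scheme")
Process = namedtuple("Process", "page_id name when_button auth_scheme")


def audit_button_processes(buttons, processes):
    """Return (page_id, process, button, issue) for every process whose
    authorization does not match the button that triggers it."""
    scheme_of = {(b.page_id, b.name): b.auth_scheme for b in buttons}
    findings = []
    for p in processes:
        if p.when_button is None:
            continue  # not tied to a button, outside this check
        key = (p.page_id, p.when_button)
        if key not in scheme_of:
            issue = "button not found"  # stale reference, review by hand
        elif scheme_of[key] is None or scheme_of[key] == p.auth_scheme:
            continue  # button is unrestricted, or both use the same scheme
        elif p.auth_scheme is None:
            issue = "process has no authorization scheme"
        else:
            issue = "process scheme differs from button scheme"
        findings.append((p.page_id, p.name, p.when_button, issue))
    return findings


# Constructed sample data for two pages.
BUTTONS = [
    Button(10, "DELETE", "IS_ADMIN"),
    Button(10, "SAVE", "IS_ADMIN"),
    Button(10, "CANCEL", None),
    Button(20, "APPROVE", "IS_MANAGER"),
]
PROCESSES = [
    Process(10, "Delete row", "DELETE", None),             # the case described above
    Process(10, "Save row", "SAVE", "IS_ADMIN"),           # consistent
    Process(10, "Reset page", "CANCEL", None),             # nothing to enforce
    Process(20, "Approve request", "APPROVE", "IS_USER"),  # different scheme
    Process(20, "Write audit log", None, None),            # not button-driven
]

if __name__ == "__main__":
    for finding in audit_button_processes(BUTTONS, PROCESSES):
        print(finding)
```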
Since APEX 4.0, the Application Builder interface provides some limited assessment of the security posture through the Advisor utility.
References
- [1] http://www.oracle.com/database/index.html
- [2] Oracle Application Express Best Practices, Oracle, January 2006, p. 17
- [3] Introducing My Oracle Support
Bibliography
- Williamson, Jason (January 22, 2012), Oracle Application Express: Fast Track to Modern Web Applications (1st ed.), McGraw-Hill Osborne Media, pp. 416, ISBN 0-07-166344-4
- Cimolini, Patrick (September 12, 2011), Agile Oracle Application Express (1st ed.), Apress, pp. 200, ISBN 1-4302-3759-7
- Mattamal, Raj; Nielsen, Anton (July 28, 2011), Expert Oracle Application Express Plugins: Building Reusable Components (1st ed.), Apress, pp. 300, ISBN 1-4302-3503-9
- Fox, Tim; Scott, John; Spendolini, Scott (June 29, 2011), Pro Oracle Application Express 4 (2nd ed.), Apress, pp. 700, ISBN 1-4302-3494-6
- Zehoo, Edmund (June 15, 2011), Oracle Application Express 4 Recipes (1st ed.), Apress, pp. 300, ISBN 1-4302-3506-3
- Lancaster, Mark (May 28, 2011), Oracle Application Express 4.0 with Ext JS (1st ed.), Packt Publishing, pp. 392, ISBN 1-84968-106-6
- Aust, Dietmar; D'Souza, Martin Giffy; Gault, Doug; Gielis, Dimitri; Hartman, Roel; Hichwa, Michael; Kennedy, Sharon; Kubicek, Denes et al. (May 16, 2011), Expert Oracle Application Express (1st ed.), Apress, pp. 500, ISBN 1-4302-3512-8
- Gault, Doug; Cannell, Karen; Cimolini, Patrick; D'Souza, Martin Giffy; Hilaire, Timothy St. (March 31, 2011), Beginning Oracle Application Express 4 (1st ed.), Apress, pp. 440, ISBN 1-84968-134-1
- Zoest, M. van; der Pla, M. van (December 14, 2010), Oracle APEX 4.0 Cookbook (1st ed.), Packt Publishing, pp. 328, ISBN 1-4302-3147-5
- Geller, Arie; Lyon, Matthew (June 1, 2010), Oracle Application Express 3.2 – The Essentials and More (1st ed.), Packt Publishing, pp. 520, ISBN 1-84719-452-4
- van den Bos, Douwe Pieter (July 29, 2009), Oracle Application Express Forms Converter (1st ed.), Packt Publishing, pp. 172, ISBN 1-84719-776-0
- Greenwald, Rick (December 22, 2008), Beginning Oracle Application Express (1st ed.), Wrox, pp. 384, ISBN 0-470-38837-4
- Scott, John; Spendolini, Scott (September 16, 2008), Pro Oracle Application Express (1st ed.), Apress, pp. 700, ISBN 1-59059-827-X