Oracle Application Express

Oracle Application Express (Oracle APEX, previously named Oracle HTML DB) is a software development environment based on the Oracle database. It allows a fast development cycle to be achieved to create web based applications. It can be used for departmental-style applications with a dozen users, but can also scale up to handle thousands of users. The framework itself adds as little as 0.04 second of overhead to each page request; how well an application scales is primarily based on the efficiency of the SQL queries used by the application developer.

Application Express comes with several notable features, including PDF printing, Flash charting and Interactive Reporting. Interactive Reporting enables end users to extensively customize a report without programmer intervention, using techniques such as filtering, sorting, grouping and choosing displayed columns. Users can even save multiple versions of their customized reports, and the programmer can limit which features are enabled. With this power comes a loss of programmer control over the layout of the report.

It includes declarative Dynamic Actions (which allow reacting to changes on a page without the developer having to write custom Javascript) and Plugins (which allow developers to create custom components such as items, regions and processes, that can be re-used across pages and applications).

Advantages of Oracle Application Express
  • Fast development
  • Web-based
  • Developers familiar with PL/SQL can use the same skill set when developing Apex applications
  • Easy to create mock-ups
  • Easy to deploy (end user opens a URL to access an APEX application)
  • Strong and supportive user community (especially Oracle APEX forum)
  • Scalable (can be deployed to laptops, stand-alone servers, or Oracle RAC installations)
  • Server-side processing and validations
  • Basic support for group development
  • Apex applications can run on the free Oracle Express Edition (XE) database
  • Individual components of an application can be retrieved or identified using SQL, facilitating customized reports

Disadvantages of Oracle Application Express
  • As an application framework, it can be difficult to customize an application outside of a set of expectations about how an APEX application is supposed to operate. However, given that pages are built from customizable templates, anything that is possible to achieve with HTML, CSS and Javascript is also theoretically possible to achieve with APEX, although it requires more work than using the built-in templates.
  • Large installation size. Apex is installed on the database server; developers and users only need a web browser to build and use applications.
  • Limited debugging facilities. The APEX framework logs page events in a database table and the log can be inspected by the developer. The developer can also add his own messages to the log during page rendering. Javascript must be debugged using standard development tools such as Firebug.
  • Primary keys can be at most two separate fields.
  • Pages in APEX can display at most 100 items and forms cannot handle more than 100 database items. Compare this to the Oracle Database where tables can have up to 1000 columns. Pages must be designed to work around this limitation, for example by using multiple pages, tabular forms, or Ajax for on-demand updates.
  • APEX applications are created using Oracle's own tools and can only be hosted in an Oracle database, making an implementer susceptible to vendor lock-in.
  • Very few webhosts offer APEX (Oracle Database) on their hosting service package (most of them offer PHP + MySQL or ASP + Microsoft SQL Server). As a result, APEX applications are limited in their choice of webhosts.

APEX Security
There is a common misconception that the abstracted nature of APEX applications results in a relatively secure user environment. However, APEX applications suffer from the same classes of application security flaws as other web applications based on more direct technologies such as PHP, ASP.net and Java.

The main classes of vulnerability that affect APEX applications are: SQL injection, Cross-site scripting (XSS), and Access Control.

APEX applications inherently use PL/SQL constructs as the base server-side language. As well as accessing data via PL/SQL blocks, an APEX application will use PL/SQL to implement authorization and to conditionally display web page elements. This means that APEX applications generally suffer from SQL injection when these PL/SQL blocks do not correctly validate and handle malicious user input. Oracle implemented a special variable type for APEX called Substitution Variables (with a syntax of &Name.); these are replaced with the raw session-state value as text before the SQL or PL/SQL is executed, so they are not safe and lead to SQL injection when used inside a statement. Where the injection occurs within a PL/SQL block, an attacker can inject an arbitrary number of queries or statements to execute.
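The following is an added example, not code from the article or from Oracle: the same lookup written as it might appear in an APEX page process, first in two injectable forms (a substitution variable spliced into dynamic SQL, and a bind value concatenated into dynamic SQL) and then in the bind-variable forms that are safe. The page items P1_SEARCH and P1_COUNT and the EMP table are assumed names.

```sql
-- Added example (not from the page). P1_SEARCH, P1_COUNT and EMP are assumed names.

-- 1. Vulnerable: APEX replaces &P1_SEARCH. with the session-state text before this
--    block runs, so whatever the user typed becomes part of the SQL statement.
declare
  l_count number;
begin
  execute immediate
    'select count(*) from emp where ename = ''&P1_SEARCH.''' into l_count;
  :P1_COUNT := l_count;
end;

-- 2. Also vulnerable: concatenating the bind value into the statement text has the
--    same effect as the substitution variable; a quote in the input ends the literal.
declare
  l_count number;
begin
  execute immediate
    'select count(*) from emp where ename = ''' || :P1_SEARCH || '''' into l_count;
  :P1_COUNT := l_count;
end;

-- 3. Safe: static SQL with the item referenced as a bind variable. The value is
--    passed to the database as data and can never change the statement's shape.
declare
  l_count number;
begin
  select count(*)
    into l_count
    from emp
   where ename = :P1_SEARCH;
  :P1_COUNT := l_count;
end;

-- 4. Safe when dynamic SQL is genuinely required: keep the statement text constant
--    and supply the user value through USING instead of concatenation.
declare
  l_search varchar2(4000) := :P1_SEARCH;
  l_count  number;
begin
  execute immediate
    'select count(*) from emp where ename = :1' into l_count using l_search;
  :P1_COUNT := l_count;
end;
```

A quick review check that follows from this: search an application's PL/SQL sources and region sources for `&...` substitution syntax and for `||` inside string literals that are later passed to `execute immediate` or `dbms_sql`; forms 3 and 4 are the patterns to refactor towards.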

Cross-Site Scripting vulnerabilities arise in APEX applications just as in other web application languages. Oracle provides the htf.escape_sc() function to escape user data that is displayed within a rendered HTML response. The reports that APEX generates also provide protection against XSS through the Display As setting on report columns. Originally the default was for reports to be created without any escaping of the columns, although recent versions now set the column type to escape by default. Column definitions can be queried programmatically to check for columns that do not escape the value.
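As an added illustration (not from the article), the snippet below shows a PL/SQL region writing a session-state value into the page unescaped and then with htf.escape_sc(), followed by the kind of audit query the paragraph refers to. The item name P1_COMMENT is assumed; the data-dictionary view APEX_APPLICATION_PAGE_RPT_COLS and its DISPLAY_AS column are used as the author understands them, and the text of the "escape" Display As value varies between APEX versions, so check the distinct values in the installed release first.

```sql
-- Added example (not from the page). P1_COMMENT is an assumed item name.

-- Vulnerable: the raw value is written straight into the HTML, so any markup or
-- script in the comment is interpreted by the browser.
begin
  htp.p('<p>Comment: ' || :P1_COMMENT || '</p>');
end;

-- Hardened: htf.escape_sc replaces & < > " with their HTML entities, so the value
-- is rendered as text no matter what it contains.
begin
  htp.p('<p>Comment: ' || htf.escape_sc(:P1_COMMENT) || '</p>');
end;

-- Audit step 1: see which Display As values this APEX release uses for report columns.
-- (view and column names assumed from the APEX data dictionary)
select distinct display_as
  from apex_application_page_rpt_cols
 where application_id = :APP_ID;

-- Audit step 2: list the report columns that are rendered without escaping.
-- The LIKE pattern assumes escaped columns are labelled with the word "escape";
-- adjust it to the values returned by step 1.
select page_id,
       region_name,
       column_alias,
       display_as
  from apex_application_page_rpt_cols
 where application_id = :APP_ID
   and display_as not like '%escape%'
 order by page_id, region_name, column_alias;
```

Columns returned by the second query are candidates either for switching the Display As setting to the escaping variant or for explicit escaping in the query itself (for example by wrapping the expression in htf.escape_sc()) if HTML output is intentional for only part of the value.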

To control access to resources within an APEX application a developer can assign authorization schemes to resources (such as pages and items). These must be applied consistently in order to ensure that resources are appropriately protected. A typical example of inconsistent access-control being applied is where an authorization scheme is set for a Button item, but not the associated Process that is performed when the button is clicked. A malicious user can perform the process (through JavaScript) without requiring the actual Button to be accessible.
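To make the button/process inconsistency described above checkable rather than a matter of clicking through pages, here is an added audit query (not from the article). It lists processes that are tied to a button and carry no authorization scheme while the button itself has one. The views APEX_APPLICATION_PAGE_PROC and APEX_APPLICATION_PAGE_BUTTONS and the columns AUTHORIZATION_SCHEME and WHEN_BUTTON_PRESSED are assumed from the APEX data dictionary and should be confirmed against the installed version.

```sql
-- Added example (not from the page). View and column names are assumed from the
-- APEX data dictionary; confirm them in the target release before relying on them.
--
-- A process whose "when button pressed" condition names a protected button but
-- which has no authorization scheme of its own can still be submitted by a user
-- who cannot see the button, so each row here is a place where the scheme on the
-- button must be copied onto the process (or onto the page).
select p.page_id,
       p.process_name,
       b.button_name,
       b.authorization_scheme as button_auth_scheme
  from apex_application_page_proc    p
  join apex_application_page_buttons b
    on b.application_id = p.application_id
   and b.page_id        = p.page_id
   and b.button_name    = p.when_button_pressed
 where p.application_id = :APP_ID
   and p.authorization_scheme is null
   and b.authorization_scheme is not null
 order by p.page_id, p.process_name;
```

The same shape of query can be pointed at other pairs the paragraph alludes to (an item whose authorization scheme differs from the validation or computation that consumes it, or a page with no scheme whose regions all have one); the principle is that the scheme must be enforced on the server-side component that does the work, not only on the element that exposes it in the UI.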
