Developer(s) | Oracle Corporation |
---|---|
Stable release | 23.2 / November 14, 2023 |
Operating system | Windows, Linux, Oracle Solaris, HP-UX, IBM AIX [1] |
License | Oracle Technical Network License (proprietary [2] ) |
Website | apex |
Oracle APEX (also known as APEX) is an enterprise low-code application development platform from Oracle Corporation. APEX is used for developing and deploying cloud, mobile and desktop applications. The platform is a web-based integrated development environment (IDE) with a range of features including wizards, drag-and-drop layout and property editors to simplify the process of building applications and pages.
APEX is currently a fully-supported no-cost feature of the Oracle Database and can be installed anywhere Oracle Database runs. APEX is also offered on Oracle's Cloud across various services including Autonomous Database Cloud Services and the stand-alone fully managed APEX Application Development service. [3]
Oracle APEX has had many name changes since its inception in 2000, including:
APEX was created by Mike Hichwa, a developer at Oracle, after the development of his previous project, WebDB, started to diverge from his original vision. Although APEX shares some functionality with WebDB, it was developed from scratch, and there is no upgrade path from WebDB to APEX. When tasked with building an internal web calendar, Hichwa enlisted the help of Joel Kallman and started development on a project called Flows. Hichwa and Kallman co-developed the Web Calendar and Flows, adding features to Flows as they needed them to develop the calendar. Early builds of Flows had no front-end, so all changes to an application had to be made in SQL*Plus via inserts, updates and deletes. [8]
APEX is extensively used internally by Oracle to develop its support sites. The AskTom knowledge base, online store, Dev Gym, and livesql run on APEX.
With version 5.2, the numbering was changed to 18.1, indicating the year and quarter of release. This change is associated with Oracle's new numbering nomenclature. The latest version of the Oracle APEX application is 23.2 and was released on November 14, 2023. [9]
While APEX has existed since 2004 in one form or another, it has recently been included in a new category of application development platforms called low-code. These low-code environments can trace their origins to 4GL programming languages and rapid application development (RAD) tools. [10] Since APEX was originally marketed as a RAD tool, this progression is a logical one. APEX allows building web applications with no code. When the requirements are more complex, APEX allows the extension of the low-code objects through a declarative framework. This framework lets the developer define custom logic, business rules, and user interfaces. The developer can do this through the inclusion of SQL, PL/SQL, HTML, JavaScript, or CSS as well as APEX plug-ins. APEX permits developers to go from no-code to low-code to more code. [11] [12]
There is a common misconception that the abstracted nature of APEX applications results in a relatively secure user environment. However, APEX applications suffer from the same classes of application security flaws as other web applications based on more direct technologies such as PHP, ASP.net and Java.
The main classes of vulnerability that affect APEX applications are: SQL injection, Cross-site scripting (XSS), and Access Control.
APEX applications inherently use PL/SQL constructs as the base server-side language. As well as accessing data via PL/SQL blocks, an APEX application uses PL/SQL to implement authorization and to conditionally display web page elements. As a result, APEX applications are generally vulnerable to SQL injection when these PL/SQL blocks do not correctly validate and handle malicious user input. Oracle implemented a special variable type for APEX called Substitution Variables (with a syntax of &NAME); these are not safe and lead to SQL injection. Where the injection occurs within a PL/SQL block, an attacker can inject an arbitrary number of queries or statements to execute. Escaping special characters and using bind variables is the correct way to code against XSS and SQL injection.
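The difference between a substitution reference and a bind variable can be shown in a few lines. This is an added example, not Oracle or APEX code: it assumes substitution behaves as plain text replacement into the statement, uses SQLite as a stand-in database, and the table, item name (P1_ENAME) and item value are constructed.

```python
import re
import sqlite3

# APEX-style substitution reference: &ITEM_NAME with an optional trailing dot.
SUBST = re.compile(r"&([A-Za-z][A-Za-z0-9_$#]*)\.?")

def find_substitutions(source):
    """Lint helper: item names referenced with &NAME syntax in SQL or PL/SQL text."""
    return [m.group(1).upper() for m in SUBST.finditer(source)]

def expand(source, items):
    """Model of substitution: the item value is pasted into the statement text."""
    return SUBST.sub(lambda m: str(items.get(m.group(1).upper(), "")), source)

def run(conn, sql, binds=None):
    """Execute a statement and return the first column of every row."""
    return [row[0] for row in conn.execute(sql, binds or {})]

def demo():
    conn = sqlite3.connect(":memory:")  # stand-in for the Oracle schema
    conn.execute("CREATE TABLE emp (ename TEXT, sal INTEGER)")
    conn.executemany("INSERT INTO emp VALUES (?, ?)",
                     [("KING", 5000), ("SCOTT", 3000), ("ADAMS", 1100)])
    items = {"P1_ENAME": "x' OR '1'='1"}  # constructed hostile item value

    unsafe = "SELECT ename FROM emp WHERE ename = '&P1_ENAME.'"
    safe = "SELECT ename FROM emp WHERE ename = :P1_ENAME"

    return {
        "flagged": find_substitutions(unsafe),       # the lint catches the reference
        "flagged_safe": find_substitutions(safe),    # nothing to flag with a bind
        "unsafe_rows": run(conn, expand(unsafe, items)),  # value becomes SQL syntax
        "safe_rows": run(conn, safe, items),         # value stays data, matches nothing
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With the substituted statement the quote in the item value closes the string literal and the predicate matches every row; with the bind variable the same value is compared as a literal name and no row is returned.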
Cross-site scripting vulnerabilities arise in APEX applications just as they do in applications built with other web technologies. Oracle provides the htf.escape_sc() function to escape user data that is displayed within a rendered HTML response. The reports that APEX generates also provide protection against XSS through the Display As setting on report columns. Originally the default was for reports to be created without any escaping of the columns, although recent versions now set the column type to escape by default. Column definitions can be queried programmatically to check for columns that do not escape the value.
To control access to resources within an APEX application, a developer can assign authorization schemes to resources (such as pages and items). These must be applied consistently to ensure that resources are appropriately protected. A typical example of inconsistent access control is where an authorization scheme is set for a Button item, but not for the associated Process that is performed when the button is clicked. A malicious user can perform the process (through JavaScript) without requiring the actual Button to be accessible.
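A review for this kind of gap can be automated once the component definitions are available as data. The following is an added example, not part of APEX or its Advisor: the Component record, its field names and the sample rows are hypothetical, and it assumes a page-level authorization scheme also covers the processes on that page.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Component:
    page: int
    kind: str                     # "BUTTON" or "PROCESS"
    name: str
    auth: Optional[str]           # authorization scheme name, None if unset
    button: Optional[str] = None  # for a process: the button that triggers it

def unprotected_processes(components, page_auth):
    """Processes whose triggering button is restricted while the process is not
    covered by the same scheme, either directly or through its page."""
    buttons = {(c.page, c.name): c for c in components if c.kind == "BUTTON"}
    findings = []
    for c in components:
        if c.kind != "PROCESS" or c.button is None:
            continue
        btn = buttons.get((c.page, c.button))
        if btn is None or btn.auth is None:
            continue  # button is open to everyone, nothing to compare against
        covered = btn.auth in (c.auth, page_auth.get(c.page))
        if not covered:
            findings.append((c.page, c.name, btn.name, btn.auth))
    return findings

# Constructed sample metadata for two pages.
SAMPLE = [
    Component(10, "BUTTON", "DELETE", "IS_ADMIN"),
    Component(10, "PROCESS", "Delete row", None, button="DELETE"),
    Component(10, "BUTTON", "SAVE", "IS_ADMIN"),
    Component(10, "PROCESS", "Save row", "IS_ADMIN", button="SAVE"),
    Component(20, "BUTTON", "PURGE", "IS_ADMIN"),
    Component(20, "PROCESS", "Purge log", None, button="PURGE"),
]
PAGE_AUTH = {10: "IS_USER", 20: "IS_ADMIN"}

if __name__ == "__main__":
    for page, proc, btn, scheme in unprotected_processes(SAMPLE, PAGE_AUTH):
        print(f"page {page}: process '{proc}' lacks scheme {scheme} set on button {btn}")
```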
Since APEX 4.0, the Application Builder interface provides some limited assessment of the security posture through the Advisor utility.
Developers may improve and extend their APEX applications by using third-party libraries. Among them are jQuery Mobile (HTML5-based user interface), [13] jQuery UI (user interface for the web), [14] AnyChart (JavaScript/HTML5 charts), [15] CKEditor (web text editor) [16] and others. Experts say that one advantage of applying the latest APEX patches is that the external libraries that come with APEX are updated as well. However, many of the libraries release newer versions more frequently than there are APEX patches. [17] [18]
Oracle APEX can be run inside Oracle Database Express Edition (XE), a free entry-level database. Although the functionality of APEX isn't intentionally limited when running on XE, the limitations of the database engine may prevent some APEX features from functioning. Also, Oracle XE has limits for CPU, memory and disk usage. [19]