Oracle Application Express

Oracle APEX

Developer(s)	Oracle Corporation
Stable release	24.2 / January 15, 2025 (2025-01-15)
Operating system	Windows, Linux, Oracle Solaris, HP-UX, IBM AIX [1]
License	Oracle Technical Network License (proprietary [2] )
Website	apex.oracle.com

Oracle APEX (Oracle Application Express) is a low-code application development platform developed by Oracle Corporation. APEX is used for developing and deploying cloud, mobile and desktop applications. It has a web-based integrated development environment (IDE) that includes tools such as wizards, drag-and-drop layout builders, and property editors.

Background

APEX is a feature of the Oracle Database. It is a part of the Oracle Cloud within the Autonomous Database Cloud Services and the stand-alone APEX Application Development service. ^[3]

Oracle APEX has had name changes since its creation in 2000, including:

• Flows ^[4]
• Oracle Platform ^[5]
• Project Marvel ^[6]
• HTML DB ^[7]
• Application Express (APEX) aka Oracle APEX ^[7]

History

APEX was created by Oracle developer Michael Hichwa following his earlier project, WebDB. While building an internal web calendar, Hichwa collaborated with fellow Oracle employee Joel Kallman to develop Flows. Together, they co-developed the web calendar, adding features to Flows as they needed them to develop the calendar. Early builds of Flows had no front-end, so all changes to an application were made in SQL Plus via insert, update and delete commands. ^[8]

With version 5.2, the numbering system was changed to align with the year and quarter of the release, renaming it to 18.1. This change is consistent with Oracle's change in numbering nomenclature.

Low-code environment

Oracle APEX is a low-code development platform, a type of environment that can trace their origins to fourth-generation programming languages and rapid application development (RAD) tools.

APEX allows users to build web applications with a "no code" graphical user interface. However, when the requirements are more complex, APEX allows the extension of the low-code objects through a declarative framework. This framework lets the developer define custom logic, business rules, and user interfaces. The developer can do this through the inclusion of SQL, PL/SQL, HTML, JavaScript, or CSS as well as APEX plug-ins. ^{[9] [10]}

Security

APEX applications are subject to the same level of application security risks as other web-based applications built on more direct technologies such as PHP, ASP.NET and Java. However, since APEX 4.0, the Application Builder interface has included a utility called Advisor, which provides a basic assessment of an application’s security posture.

The two main vulnerabilities that affect APEX applications are SQL injection and cross-site scripting (XSS). ^[11]

SQL Injection

APEX applications inherently use PL/SQL constructs as the base server-side language and access data via PL/SQL blocks. ^[12] An APEX application will use PL/SQL to implement authorization and to conditionally display web page elements. Because of this, APEX applications can suffer from an SQL injection when these PL/SQL blocks do not correctly validate and handle malicious user input. ^[13]

Oracle implemented a special variable type for APEX called Substitution Variables (with a syntax of "&NAME."); however, these are insecure and can lead to SQL injections. When an injection occurs within a PL/SQL block, an attacker can inject an arbitrary number of queries or statements to execute. Escaping special characters and using bind variables can reduce, but not remove, XSS and SQL injection vulnerabilities.

Cross-Site Scripting (XSS)

XSS vulnerabilities arise in APEX applications just like in other web application languages. To counteract this, Oracle provides the htf.escape_sc() function to replace literal characters with HTML entity names and avoid undesired behaviors. ^[14]

A developer can use authorization schemes to manage access to resources like pages and items within an APEX application. To ensure proper security, these schemes must be consistently applied across all relevant resources. An example of inconsistent access control arises when an authorization scheme is applied to a button item but not to the process linked to that button. This inconsistency could allow a user to trigger the process directly via JavaScript, bypassing the button entirely.

Third-party libraries

Developers may improve and extend APEX applications by using third-party libraries. Among them are JQuery Mobile (HTML 5-based user interface), ^[15] JQuery UI (user interface for the web), ^[16] AnyChart (JavaScript/HTML 5 charts), ^[17] CKEditor (web text editor), ^[18] and others. Oracle claims that applying the latest APEX patches ensures that the external libraries bundled with the platform are updated in tandem, which theoretically enhances application stability and security. ^[19] However, many of the libraries are updated more frequently than APEX patches are released, requiring developers to monitor and manually apply updates as necessary to maintain compatibility and security. ^{[20] [21]}

APEX and Oracle Database Express Edition (XE)

Oracle APEX can be run inside Oracle Database Express Edition (XE), a free entry-level database. Although the functionality of APEX isn't intentionally limited when running on XE, the limitations of the database engine may prevent some APEX features from functioning. Furthermore, Oracle XE has limits for CPU, memory, and disk usage. ^[22]

See also

• Oracle SQL Developer
• Jam.py

References

1. "Oracle Application Express - Downloads". Oracle. Retrieved December 10, 2015.
2. "Oracle Application Express Documentation". Oracle Help Center.
3. "Oracle Application Express (APEX): Overview" (PDF). Oracle Corporation .
4. "Welcome to Flows for APEX". apex-flowsforapex. Archived from the original on September 24, 2021. Retrieved September 24, 2021.
5. "Implementing Oracle API Platform Cloud Service". Packt. Retrieved September 24, 2021.
6. "how i get benefit from project marble". forums.oracle.com. September 17, 2002.
7. "Appendix: Oracle APEX". docs.oracle.com. Retrieved January 26, 2025.
8. "Michael Hichwa". Apress. Michael Hichwa is the original developer and architect of Oracle Application Express (APEX), aka HTML DB. Michael created APEX as a 100% rewrite of an earlier browser-based application development tool he also created, called Oracle WebDB. He had invaluable technical assistance and guidance from Tom Kyte and the addition of Joel Kallman as a co-developer. Michael and Joel have led APEX development efforts since 1999
9. Kallman, Joel. "From Low Code to High Control" . Retrieved November 27, 2017.
10. "Low Code with Oracle Application Express". apex.oracle.com. Retrieved November 27, 2017.
11. "Securing Vulnerability Exploits with Apex – Part 3". content.dsp.co.uk. Retrieved October 8, 2024.
12. Alpern, D.; Agrawal, S.; Baer, H.; Castledine, S.; Chang, T.; Cheng, B.; Dani, R.; Decker, R.; Iyer, C. "Overview of PL/SQL". Oracle Help Center. Retrieved January 24, 2025.
13. "Using Oracle APEX". enterprisearchitecture.harvard.edu. Retrieved January 24, 2025.
14. "Fusion Middleware PL/SQL Web Toolkit Reference". docs.oracle.com. Retrieved October 8, 2024.
15. "Building a Mobile Web Application Using Oracle Application Express 5.0". Oracle.
16. "Application Express Application Builder User's Guide". Oracle.
17. "Oracle APEX: Using AnyChart products with Oracle Application Express (APEX)". AnyChart.
18. "Oracle chooses FCKeditor for Application Express". CKEditor.com.
19. "Oracle Application Express (APEX) Patches". Oracle Base. Retrieved December 30, 2024.
20. "Goodies - APEX 4.2.2 included Libraries". Dimitri Gielis Blog. May 8, 2013. Retrieved December 10, 2015.
21. "APEX 5 first peek". Grassroots Oracle. March 17, 2014. Retrieved December 10, 2015.
22. "Limitations of the Express Edition". Oracle Corporation. Retrieved May 22, 2013.

Bibliography

• Beckmann, Ralf (October 1, 2013), Oracle Application Express in der Praxis: Mit APEX datenbankbasierte Webanwendungen entwickeln (1st ed.), Carl Hanser Verlag, p. 416, ISBN   978-3446438965
• Cimolini, Patrick (September 12, 2011), Agile Oracle Application Express (1st ed.), Apress, p. 200, ISBN   978-1-4302-3759-4
• Mattamal, Raj; Nielsen, Anton (July 28, 2011), Expert Oracle Application Express Plugins: Building Reusable Components (1st ed.), Apress, p. 300, ISBN   978-1-4302-3503-3
• Fox, Tim; Scott, John; Spendolini, Scott (June 29, 2011), Pro Oracle Application Express 4 (2 ed.), Apress, p. 700, ISBN   978-1-4302-3494-4
• Zehoo, Edmund (June 15, 2011), Oracle Application Express 4 Recipes (1st ed.), Apress, p. 300, ISBN   978-1-4302-3506-4
• Lancaster, Mark (May 28, 2011), Oracle Application Express 4.0 with Ext JS (1st ed.), Packt Publishing, p. 392, ISBN   978-1-84968-106-3
• Aust, Dietmar; D'Souza, Martin Giffy; Gault, Doug; Gielis, Dimitri; Hartman, Roel; Hichwa, Michael; Kennedy, Sharon; Kubicek, Denes; Mattamal, Raj; McGhan, Dan; Mignault, Francis; Nielsen, Anton; Scott, John (May 16, 2011), Expert Oracle Application Express (1st ed.), Apress, p. 500, ISBN   978-1-4302-3512-5
• Gault, Doug; Cannell, Karen; Cimolini, Patrick; D'Souza, Martin Giffy; Hilaire, Timothy St. (March 31, 2011), Beginning Oracle Application Express 4 (1st ed.), Apress, p. 440, ISBN   978-1-84968-134-6
• van Zoest, M.; van der Plas, Marcel (December 14, 2010), Oracle APEX 4.0 Cookbook (1st ed.), Packt Publishing, p. 328, ISBN   978-1-4302-3147-9
• Geller, Arie; Lyon, Matthew (June 1, 2010), Oracle Application Express 3.2 – The Essentials and More (1st ed.), Packt Publishing, p. 520, ISBN   978-1-84719-452-7
• van den Bos, Douwe Pieter (July 29, 2009), Oracle Application Express Forms Converter (1st ed.), Packt Publishing, p. 172, ISBN   978-1-84719-776-4
• Greenwald, Rick (December 22, 2008), Beginning Oracle Application Express (1st ed.), Wrox, p. 384, ISBN   978-0-470-38837-2
• Scott, John; Spendolini, Scott (September 16, 2008), Pro Oracle Application Express (1st ed.), Apress, p.  700, ISBN   978-1-59059-827-6

External links

• Official website