Developer(s) | Oracle Corporation |
---|---|
Stable release | 24.1 / June 17, 2024 |
Operating system | Windows, Linux, Oracle Solaris, HP-UX, IBM AIX [1] |
License | Oracle Technical Network License (proprietary [2] ) |
Website | apex |
Oracle APEX (or APEX) is an enterprise low-code application development platform offered by Oracle Corporation. APEX is used for developing and deploying cloud, mobile and desktop applications. The platform provides a web-based integrated development environment (IDE) that includes tools such as wizards, drag-and-drop layouts and property editors aimed at simplifying the process of building applications and designing user interfaces.
APEX is a feature of the Oracle Database and can theoretically be installed anywhere an Oracle database runs. APEX is also offered in Oracle Cloud through Autonomous Database Cloud Services and the stand-alone APEX Application Development service. [3]
Oracle APEX has had many name changes since its inception in 2000, including:
APEX was created by Michael Hichwa, an Oracle developer. After developing his earlier project, WebDB, Hichwa began to diverge from his original vision. Although APEX shares some functionality with WebDB, it was developed entirely from scratch, and there is no direct upgrade path from WebDB to APEX. When tasked with building an internal web calendar, Hichwa employed Joel Kallman and began developing a project called Flows. Hichwa and Kallman also co-developed the web calendar, adding features to Flows as they needed them to develop the calendar. Early builds of Flows had no front-end, so all changes to an application had to be made in SQL Plus via inserts, updates and deletes. [8]
With version 5.2, the numbering was changed to 18.1, indicating the year and quarter of release. This change is associated with Oracle's new numbering nomenclature. The latest version of Oracle APEX is 24.1 and was released on June 17, 2024. [9]
Oracle APEX is a low-code development platform. These low-code environments can trace their origins to fourth-generation programming languages and rapid application development (RAD) tools. Since APEX was originally marketed as a RAD tool, this progression is a logical one. APEX allows users to build web applications with no code. When the requirements are more complex, APEX allows the extension of the low-code objects through a declarative framework. This framework lets the developer define custom logic, business rules, and user interfaces. The developer can do this through the inclusion of SQL, PL/SQL, HTML, JavaScript, or CSS as well as APEX plug-ins. APEX permits developers to go from no code to low-code to more code. [10] [11]
The abstracted nature of APEX applications may give the impression of a relatively secure user environment; however, APEX applications suffer from the same classes of application security flaws as other web applications based on more direct technologies such as PHP, ASP.NET and Java.
The two main classes of vulnerability that affect APEX applications are SQL injection and cross-site scripting (XSS). [12]
APEX applications use PL/SQL as the base server-side language and access data via PL/SQL blocks; an APEX application also uses PL/SQL to implement authorization and to conditionally display web page elements. As a result, APEX applications generally suffer from SQL injection when these PL/SQL blocks do not correctly validate and handle malicious user input. Oracle implemented a special variable type for APEX called Substitution Variables (with a syntax of "&NAME."); however, these are insecure and can lead to SQL injection. Where the injection occurs within a PL/SQL block, an attacker can inject an arbitrary number of queries or statements to execute. Escaping special characters and using bind variables reduces the likelihood of XSS and SQL injection vulnerabilities.
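The difference between a substitution variable and a bind variable, shown as an added example (not code from Oracle or from the sources cited here). Each block is the source of one APEX page process; the table `EMP_DEMO`, the items `P10_DEPT` and `P10_SORT_COL`, and the process names are hypothetical.

```plsql
-- Process "Mark reviewed (vulnerable)".
-- APEX replaces &P10_DEPT. with the raw item value BEFORE the block is parsed,
-- so a value containing a quote becomes part of the PL/SQL source itself.
BEGIN
  UPDATE emp_demo
     SET reviewed = 'Y'
   WHERE dept_name = '&P10_DEPT.';
END;

-- Process "Mark reviewed (hardened)".
-- :P10_DEPT is a bind variable: the statement text is fixed and the item value
-- is passed as data, whatever characters it contains.
BEGIN
  UPDATE emp_demo
     SET reviewed = 'Y'
   WHERE dept_name = :P10_DEPT;
END;

-- Process "First employee (hardened dynamic SQL)".
-- Values go through USING. An identifier (here a sort column) cannot be bound,
-- so it is mapped through an allow-list instead of being concatenated as typed.
DECLARE
  l_sort_col VARCHAR2(30);
  l_first_id emp_demo.emp_id%TYPE;
BEGIN
  l_sort_col := CASE UPPER(:P10_SORT_COL)
                  WHEN 'HIRE_DATE' THEN 'hire_date'
                  WHEN 'LAST_NAME' THEN 'last_name'
                  ELSE 'emp_id'   -- anything unexpected falls back to a fixed default
                END;

  EXECUTE IMMEDIATE
       'SELECT emp_id FROM ('
    || ' SELECT emp_id FROM emp_demo WHERE dept_name = :dept ORDER BY ' || l_sort_col
    || ') WHERE ROWNUM = 1'
    INTO l_first_id
    USING :P10_DEPT;
EXCEPTION
  WHEN NO_DATA_FOUND THEN
    l_first_id := NULL;           -- no employee in that department
END;
```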
XSS vulnerabilities arise in APEX applications just as they do in applications built with other web technologies. Oracle provides the htf.escape_sc() function to replace literal characters with HTML entity names and avoid undesired behaviors. [13]
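An added example (not from Oracle or the cited sources) that renders the same stored values with and without `htf.escape_sc()`. The sample values and the helper functions `render_unsafe` and `render_safe` are constructed for illustration; in an APEX PL/SQL region the output would be written with `htp.p` rather than `dbms_output`.

```plsql
DECLARE
  -- Constructed sample values standing in for user-supplied, stored data.
  l_author VARCHAR2(100) := 'Pat "PJ" <ops>';
  l_body   VARCHAR2(200) := '<i>markup</i> & "quotes"';

  -- Unsafe: stored text is concatenated into the page as if it were markup.
  -- The double quote in l_author ends the title attribute early and the tags
  -- in l_body are interpreted by the browser.
  FUNCTION render_unsafe(p_author VARCHAR2, p_body VARCHAR2) RETURN VARCHAR2 IS
  BEGIN
    RETURN '<li title="' || p_author || '">' || p_body || '</li>';
  END render_unsafe;

  -- Hardened: every dynamic value is escaped at the point of output.
  -- htf.escape_sc converts & " < > to entities but leaves the apostrophe
  -- alone, so attribute values must be delimited with double quotes.
  FUNCTION render_safe(p_author VARCHAR2, p_body VARCHAR2) RETURN VARCHAR2 IS
  BEGIN
    RETURN '<li title="' || htf.escape_sc(p_author) || '">'
           || htf.escape_sc(p_body) || '</li>';
  END render_safe;
BEGIN
  dbms_output.put_line('unsafe: ' || render_unsafe(l_author, l_body));
  dbms_output.put_line('safe:   ' || render_safe(l_author, l_body));
END;
/
```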
A developer can assign authorization schemes to resources (such as pages and items) to control access to resources within an APEX application. These schemes must be applied consistently to ensure that resources are appropriately protected. A typical example of inconsistent access control is when an authorization scheme is set for a button item but not for the associated process performed when the button is clicked. A malicious user can then perform the process through JavaScript without needing the actual button to be accessible.
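The declarative fix is to give the process the same authorization scheme as the button. As an added example (not from Oracle or the cited sources), the process source can also enforce the scheme itself, so the check holds however the request reaches the server. The scheme name `Order Administrators`, the item `P30_ORDER_ID` and the table `ORDERS_DEMO` are hypothetical.

```plsql
-- Source of the page process that the DELETE button submits to.
BEGIN
  -- Re-evaluate the scheme that protects the button. Hiding the button only
  -- changes what is rendered; this check decides what the server will do.
  IF NOT apex_authorization.is_authorized(
           p_authorization_name => 'Order Administrators') THEN
    -- Leave a trace for review, then stop before any data is touched.
    apex_debug.warn(
      'Delete order denied: user %s, order %s',
      :APP_USER,
      :P30_ORDER_ID);
    raise_application_error(-20001, 'Not authorized to delete orders.');
  END IF;

  -- Bind variable, not &P30_ORDER_ID., so the item value stays data.
  DELETE FROM orders_demo
   WHERE order_id = :P30_ORDER_ID;
END;
```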
Since APEX 4.0, the Application Builder interface provides some limited security posture assessment through the Advisor utility.
Developers may improve and extend their APEX applications by using third-party libraries. Among them are jQuery Mobile (HTML 5-based user interface), [14] jQuery UI (user interface for the web), [15] AnyChart (JavaScript/HTML 5 charts), [16] CKEditor (web text editor), [17] and others. Experts say that an advantage of applying the latest APEX patches is that the external libraries that come with APEX are updated, too. However, many of the libraries are updated more frequently than APEX patches are released. [18] [19]
Oracle APEX can be run inside Oracle Database Express Edition (XE), a free entry-level database. Although the functionality of APEX isn't intentionally limited when running on XE, the limitations of the database engine may prevent some APEX features from functioning. Furthermore, Oracle XE has limits for CPU, memory, and disk usage. [20]