Oracle Application Express

Oracle Application Express

Developer(s)	Oracle Corporation
Stable release	4.1 / August 24, 2011; 5 months ago (2011-08-24)
Operating system	Linux and Windows
Type	Oracle database development environment
License	Oracle Technical Network License (Proprietary)
Website	http://apex.oracle.com

Oracle Application Express (Oracle APEX, previously named Oracle HTML DB) is a software development environment based on the Oracle database.^[1] It allows a fast development cycle to be achieved to create web based applications. It can be used for departmental-style applications with a dozen users, but can also scale up to handle thousands of users. The framework itself adds as little as 0.04 second of overhead to each page request;^[2] how well an application scales is primarily based on the efficiency of the SQL queries used by the application developer.

1 Background
2 Functions and Uses
3 Disadvantages
4 APEX Security
5 See also
6 References
7 Bibliography
8 External links

Background

Oracle Application Express can be installed in an Oracle 9.2 or higher database, and starting from Oracle 11g it will be preinstalled along with the database. APEX 4.0 and higher can be installed on an Oracle 10.2.0.3 or higher database.

In January 2006 Oracle renamed HTML DB to "Oracle Application Express". Version 2.1 of APEX was bundled with the free Oracle Express Edition (XE) database.

In 2007 Oracle released APEX 3.0. This third major version features several new features, notably PDF Printing and Flash charting. APEX 3.0.1 was released in July 2007, and this version can also be installed into an Oracle XE database.

In Spring 2008 Oracle released APEX 3.1. This included a new major feature known as Interactive Reporting, which enables end-users to extensively customize a report without programmer intervention, using techniques such as filtering, sorting, group-by, choosing displayed columns, etc. The user can even save multiple versions of their customized reports. The programmer can limit which features are enabled. With this power comes a loss of programmer control over the layout of the report.

APEX 4.0 became available in June 2010. Some notable features are declarative dynamic actions which allow reacting to changes on a page without the developer having to write the javascript and RESTful capabilities.

Historically speaking, Application Express has gone through many name changes since its inception in 2000. A reasonably complete history of the names includes:

Flows
Oracle Platform
Project Marvel
HTML DB
Application Express (APEX)

One popular misconception is that Application Express is a new version of Web DB. Mike Hichwa created Web DB, a successful web front-end for Oracle, but the development of Web DB started to move in a direction that diverged from Mike's vision. When tasked with building an internal web calendar, Mike enlisted the help of Joel Kallman and started "Flows". They co-developed the Web Calendar and Flows, adding features to Flows as they needed them to develop the calendar. In the earliest days of Flows, there was no front-end for it, so all changes to an application were made in SQL*Plus via inserts, updates and deletes. In some ways APEX is an evolution of Web DB, but it was developed with new code and no upgrade path.

A popular application developed in Application Express is the AskTom application developed by Thomas Kyte. Oracle's Metalink support site had been running on APEX, but was replaced with a Flash version in September 2008.^[3] Oracle's online store also runs on APEX.

Functions and Uses

Fast development
Web-based
Easy to create mock-ups
Easy to deploy (end user opens a URL to access an APEX application)
Scalable
Server-side processing and validations
Strong and supportive user community (especially Oracle APEX forum)
Basic support for group development
Free hosting of demo applications provided by Oracle
Individual components of an application can be retrieved or identified using SQL, facilitating customized reports

Disadvantages

Primary keys can be at most two separate fields. However since version 4.1 Application Express supports the use of ROWID for updates, inserts and deletes as an alternative to specifying primary keys. Prior to version 4.1 APEX assumed by default that all tables would use generated keys such as from sequences or triggers, therefore, if a table had more than two key columns then the default DML processes could not be used.
Pages in APEX can display at most 100 items and forms cannot handle more than 100 database items. Compare this to the Oracle Database where tables can have up to 1000 columns.
APEX applications are created using Oracle's own tools and only can be hosted in an Oracle database, making an implementer susceptible to vendor lock-in.
As an application framework, it can be difficult to customize an application outside of a set of expectations about how an APEX application is supposed to operate.
Large installation size (V4.1 is 747Mb)
Limited debugging facilities
Very few webhosts offer APEX (Oracle Database) on their hosting service package (most of them offer PHP + MySQL or ASP + Microsoft SQL Server). As a result, APEX applications are limited in their choice of webhosts.

APEX Security

There is a common misconception that the abstracted nature of APEX applications results in a relatively secure user environment. However, APEX applications suffer from the same classes of application security flaws as other web applications based on more direct technologies such as PHP, ASP.net and Java.

The main classes of vulnerability that affect APEX applications are: SQL injection, Cross-site scripting (XSS), and Access Control.

APEX applications inherently use PL/SQL constructs as the base server-side language. As well as accessing data via PL/SQL blocks, an APEX application will use PL/SQL to implement authorization, and to conditionally display web page elements. This means that generally APEX applications suffer from SQL injection when these PL/SQL blocks do not correctly validate and handle malicious user input. Oracle implemented a special variable type for APEX called Substitution Variables (with a syntax of &NAME.) and these are not safe and lead to SQL Injection. Where the injection occurs within a PL/SQL block an attacker can inject an arbitrary number of queries or statements to execute.

Cross-Site Scripting vulnerabilities arise in APEX applications just like other web application languages. Oracle provide the htf.escape_sc() function to escape user data that is displayed within a rendered HTML response. The reports that APEX generates also provide protection against XSS through the Display As setting on report columns. Originally the default was for reports to be created without any escaping of the columns, although recent versions now set the column type to escape by default. Column definitions can be queried programmatically to check for columns that do not escape the value.

To control access to resources within an APEX application a developer can assign authorization schemes to resources (such as pages and items). These must be applied consistently in order to ensure that resources are appropriately protected. A typical example of inconsistent access-control being applied is where an authorization scheme is set for a Button item, but not the associated Process that is performed when the button is clicked. A malicious user can perform the process (through JavaScript) without requiring the actual Button to be accessible.

Since APEX 4.0, the Application Builder interface provides some limited assessment of the security posture through the Advisor utility.

References

^ http://www.oracle.com/database/index.html
^ Oracle Application Express Best Practices, Oracle, January 2006, p. 17, http://www.oracle.com/technology/products/database/application_express/pdf/apex_best_practices.pdf
^ Introducing My Oracle Support

Bibliography

Williamson, Jason (January 22, 2012), Oracle Application Express: Fast Track to Modern Web Applications (1st ed.), McGraw-Hill Osborne Media, pp. 416, ISBN 0071663444
Cimolini, Patrick (September 12, 2011), Agile Oracle Application Express (1st ed.), Apress, pp. 200, ISBN 1430237597, http://www.apress.com/9781430237594
Mattamal, Raj; Nielsen, Anton (July 28, 2011), Expert Oracle Application Express Plugins: Building Reusable Components (1st ed.), Apress, pp. 300, ISBN 1430235039, http://www.apress.com/9781430235033

Fox, Tim; Scott, John; Spendolini, Scott (June 29, 2011), Pro Oracle Application Express 4 (2ed ed.), Apress, pp. 700, ISBN 1430234946, http://www.apress.com/9781430234944
Zehoo, Edmund (June 15, 2011), Oracle Application Express 4 Recipes (1st ed.), Apress, pp. 300, ISBN 1430235063, http://www.apress.com/9781430235064
Lancaster, Mark (May 28, 2011), Oracle Application Express 4.0 with Ext JS (1st ed.), Packt Publishing, pp. 392, ISBN 1849681066, https://www.packtpub.com/oracle-application-express-4-0-with-ext-js/book
Aust, Dietmar; D'Souza, Martin Giffy; Gault, Doug; Gielis, Dimitri; Hartman, Roel; Hichwa, Michael; Kennedy, Sharon; Kubicek, Denes et al. (May 16, 2011), Expert Oracle Application Express (1st ed.), Apress, pp. 500, ISBN 1430235128, http://www.apress.com/9781430235125
Gault, Doug; Cannell, Karen; Cimolini, Patrick; D'Souza, Martin Giffy; Hilaire, Timothy St. (March 31, 2011), Beginning Oracle Application Express 4 (1st ed.), Apress, pp. 440, ISBN 1849681341, http://www.apress.com/9781430231479
Zoest, M. van; der Pla, M. van (December 14, 2010), Oracle APEX 4.0 Cookbook (1st ed.), Packt Publishing, pp. 328, ISBN 1430231475, https://www.packtpub.com/oracle-apex-4-0-cookbook/book
Geller, Arie; Lyon, Matthew (June 1, 2010), Oracle Application Express 3.2 – The Essentials and More (1st ed.), Packt Publishing, pp. 520, ISBN 1847194524, http://www.packtpub.com/oracle-application-express-3-2/book
van den Bos, Douwe Pieter (July 29, 2009), Oracle Application Express Forms Converter (1st ed.), Packt Publishing, pp. 172, ISBN 1847197760, http://www.packtpub.com/oracle-application-express-forms-converter/book
Greenwald, Rick (December 22, 2008), Beginning Oracle Application Express (1st ed.), Wrox, pp. 384, ISBN 0470388374, http://eu.wiley.com/WileyCDA/WileyTitle/productCd-0470388374.html
Scott, John; Spendolini, Scott (September 16, 2008), Pro Oracle Application Express (1st ed.), Apress, pp. 700, ISBN 159059827X, http://www.apress.com/book/view/9781590598276

External links

Web application frameworks

ASP.NET	ASP.NET MVC ASP.NET Web Forms ASP.NET Dynamic Data BFC DotNetNuke MonoRail OpenRasta Umbraco

ColdFusion	ColdSpring Fusebox Mach-II Model-Glue onTap on Wheels

Common Lisp	CL-HTTP SymbolicWeb UnCommon Web Weblocks

C++	CppCMS Wt

Java	Apache Struts AppFuse Flexive GWT Grails Vaadin ItsNat JavaServer Faces Jspx Makumba OpenXava Play Eclipse RAP Reasonable Server Faces RIFE Seam Spring Stripes Tapestry WebWork Wicket ZK ICEfaces WaveMaker

JavaScript	Ample SDK Prototype JavaScript Framework Rico script.aculo.us SproutCore jQuery Dojo Toolkit

Perl	Catalyst Interchange Mason Maypole WebGUI Dancer

PHP	phpTransformer AppFlower CakePHP CodeIgniter Drupal e107 Horde Joomla! Lithium Midgard MODx Qcodo Seagull SilverStripe Symfony TYPO3 Xaraya Yii Zend Framework Zeta Components

Python	Django Flask Nevow TurboGears Plone Pyjamas Pylons web2py Zope Tornado

Ruby	Ruby on Rails Merb Sinatra Hobo Camping Nitro Ramaze

Smalltalk	AIDA/Web Seaside

Other languages	Application Express (PL/SQL) Fusebox (ColdFusion and PHP) HAppS (Haskell) Kepler (Lua) Lift (Scala) OpenACS (Tcl) SproutCore (JavaScript/Ruby) Yaws (Erlang)