Oracle Application Express
{{Short description|Web-based software development environment}}
{{Use mdy dates|date=February 2024}}
{{Infobox software
| name = Oracle APEX
| logo = Oracle logo.svg
| screenshot =
| caption =
| developer = [[Oracle Corporation]]
| latest release version = 24.2
| latest release date = {{start date|2025|01|15}}
| latest preview version =
| latest preview date =
| operating system = [[Microsoft Windows|Windows]], [[Linux]], Oracle Solaris, HP-UX, IBM AIX<ref name="oracle-downloads">{{cite web|url=http://www.oracle.com/technetwork/developer-tools/apex/downloads/index.html|title=Oracle Application Express - Downloads|publisher=Oracle|access-date=2015-12-10}}</ref>
| license = Oracle Technical Network License ([[Proprietary software|proprietary]]<ref>{{cite web|url=https://docs.oracle.com/cd/E59726_01/doc.50/e39143/toc.htm|title=Oracle Application Express Documentation|publisher=Oracle Help Center}}</ref>)
| website = {{URL|http://apex.oracle.com}}
}}
'''Oracle APEX''' (Oracle Application Express) is a [[Low-code development platform|low-code application development platform]] developed by [[Oracle Corporation]]. APEX is used for developing and deploying [[Cloud computing|cloud]], [[Mobile app|mobile]] and desktop [[Application software|applications]]. It has a web-based [[integrated development environment]] (IDE) that includes tools such as [[Wizard (software)|wizards]], [[drag-and-drop]] layout builders, and property editors.

==Background==
APEX is a feature of the [[Oracle Database]].
It is a part of the [[Oracle Cloud Platform|Oracle Cloud]] within the Autonomous Database Cloud Services and the stand-alone APEX Application Development service.<ref>{{Cite web|title=Oracle Application Express (APEX): Overview|url=https://www.oracle.com/technetwork/developer-tools/apex/overview/apex-overview-otn-4491378.pdf|website=[[Oracle Corporation]]}}</ref>

Oracle APEX has had name changes since its creation in 2000, including:
* Flows<ref>{{Cite web |title=Welcome to Flows for APEX |url=https://mt-ag.github.io/apex-flowsforapex/ |url-status=dead |access-date=2021-09-24 |website=apex-flowsforapex |language=en-US |archive-url=http://web.archive.org/web/20210924191941/https://mt-ag.github.io/apex-flowsforapex/ |archive-date=2021-09-24}}</ref>
* Oracle Platform<ref>{{Cite web|title=Implementing Oracle API Platform Cloud Service|url=https://www.packtpub.com/product/implementing-oracle-api-platform-cloud-service/9781788478656|access-date=2021-09-24|website=Packt|language=en}}</ref>
* Project Marvel<ref>{{Cite web |date=September 17, 2002 |title=how i get benefit from project marble |url=https://forums.oracle.com/ords/apexds/post/how-i-get-benefit-from-project-marvel-3246 |url-status=live |website=forums.oracle.com}}</ref>
* HTML DB<ref name=":0">{{Cite web |title=Appendix: Oracle APEX |url=https://docs.oracle.com/cd/E97588_01/siocs/pdf/180/html/siocs_implementation_guide/appendix_apex.htm |access-date=2025-01-26 |website=docs.oracle.com}}</ref>
* Application Express (APEX) aka Oracle APEX<ref name=":0" />

== History ==
APEX was created by Oracle developer Michael Hichwa following his earlier project, WebDB. While building an internal [[web calendar]], Hichwa collaborated with fellow Oracle employee Joel Kallman to develop Flows. Together, they co-developed the web calendar, adding features to Flows as they needed them to develop the calendar.
Early builds of Flows had no front-end, so all changes to an application were made in [[SQL Plus]] via insert, update and delete commands.<ref>{{cite web|url=https://www.apress.com/index.php/author/author/view/id/3487|title=Michael Hichwa|publisher=[[Apress]]|quote=Michael Hichwa is the original developer and architect of Oracle Application Express (APEX), aka HTML DB. Michael created APEX as a 100% rewrite of an earlier browser-based application development tool he also created, called Oracle WebDB. He had invaluable technical assistance and guidance from Tom Kyte and the addition of Joel Kallman as a co-developer. Michael and Joel have led APEX development efforts since 1999}}</ref> With version 5.2, the numbering system was changed to align with the year and quarter of the release, renaming it to 18.1. This change is consistent with Oracle's change in numbering nomenclature.

==Low-code environment==
Oracle APEX is a low-code development platform, a type of environment that traces its origins to [[fourth-generation programming language]]s and [[rapid application development]] (RAD) tools. APEX allows users to build [[web application]]s with a "[[No-code development platform|no code]]" graphical user interface. However, when the requirements are more complex, APEX allows the extension of the low-code objects through a declarative framework. This framework lets the developer define custom logic, business rules, and user interfaces.
The developer can do this through the inclusion of [[SQL]], [[PL/SQL]], [[HTML]], [[JavaScript]], or [[CSS]] as well as APEX plug-ins.<ref>{{Cite news|url=https://blogs.oracle.com/oraclemagazine/from-low-code-to-high-control|title=From Low Code to High Control|last=Kallman|first=Joel|access-date=2017-11-27}}</ref><ref>{{Cite web|url=https://apex.oracle.com/lowcode/|title=Low Code with Oracle Application Express|website=apex.oracle.com|access-date=2017-11-27}}</ref>

==Security==
{{More citations needed|date=October 2024}}
APEX applications are subject to the same level of [[application security]] risks as other web-based applications built on more direct technologies such as [[PHP]], [[ASP.NET]] and [[Java (programming language)|Java]]. However, since APEX 4.0, the Application Builder interface has included a utility called Advisor, which provides a basic assessment of an application’s security posture. The two main vulnerabilities that affect APEX applications are [[SQL injection]] and [[cross-site scripting|cross-site scripting (XSS)]].<ref>{{Cite web |title=Securing Vulnerability Exploits with Apex – Part 3 |url=https://content.dsp.co.uk/apex/securing-vulnerability-exploits-apex-part-3 |access-date=2024-10-08 |website=content.dsp.co.uk |language=en-gb}}</ref>

'''<big>SQL Injection</big>'''

APEX applications inherently use PL/SQL constructs as the base [[Client–server model|server-side]] language and access data via PL/SQL blocks.<ref>{{Cite web |last=Alpern |first=D. |last2=Agrawal |first2=S. |last3=Baer |first3=H. |last4=Castledine |first4=S. |last5=Chang |first5=T. |last6=Cheng |first6=B. |last7=Dani |first7=R. |last8=Decker |first8=R. |last9=Iyer |first9=C.
|title=Overview of PL/SQL |url=https://docs.oracle.com/en/database/oracle/oracle-database/21/lnpls/overview.html#GUID-8E5695A2-F639-4480-9C61-0AE5CF0C16BC |access-date=2025-01-24 |website=Oracle Help Center |language=en-US}}</ref> An APEX application will use PL/SQL to implement authorization and to conditionally display web page elements. Because of this, APEX applications can be vulnerable to SQL injection when these PL/SQL blocks do not correctly validate and handle [[Security hacker|malicious user]] input.<ref>{{Cite web |title=Using Oracle APEX |url=https://enterprisearchitecture.harvard.edu/using-oracle-apex |access-date=2025-01-24 |website=enterprisearchitecture.harvard.edu |language=en}}</ref> Oracle implemented a special variable type for APEX called ''Substitution Variables'' (with a syntax of "&NAME."); however, these are insecure and can lead to SQL injection. When an injection occurs within a PL/SQL block, an attacker can inject an arbitrary number of queries or statements to execute. Escaping special characters and using bind variables can reduce, but not remove, XSS and SQL injection vulnerabilities.

'''<big>Cross-Site Scripting (XSS)</big>'''

[[XSS]] vulnerabilities arise in APEX applications just as they do in other [[web application]] languages. To counteract this, Oracle provides the htf.escape_sc() function to replace literal characters with HTML entity names and avoid undesired behaviors.<ref>{{Cite web |title=Fusion Middleware PL/SQL Web Toolkit Reference |url=https://docs.oracle.com/cd/E28280_01/portal.1111/e12042/pshtp.htm |access-date=2024-10-08 |website=docs.oracle.com |language=en}}</ref>

A developer can use authorization schemes to manage access to resources like pages and items within an APEX application. To ensure proper security, these schemes must be consistently applied across all relevant resources.
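
The substitution-variable risk described under SQL Injection above can be checked for mechanically. The following is an added example, not code from Oracle or from the cited sources: a Python check that finds "&NAME." references in a PL/SQL block and proposes the bind-variable form (<code>:NAME</code>). The sample block, its table and its item names are constructed for illustration.

```python
import re

# APEX substitution reference in the form the article gives: &NAME.
SUBST = re.compile(r"&([A-Za-z][A-Za-z0-9_$#]*)\.")
# PL/SQL single-quoted literal; '' is an escaped quote inside it.
LITERAL = re.compile(r"'(?:[^']|'')*'")

# Constructed sample: a page process that mixes both reference styles.
SAMPLE = """\
BEGIN
  DELETE FROM notes WHERE owner = '&P10_OWNER.';
  SELECT COUNT(*) INTO :P10_HITS FROM notes
   WHERE title LIKE '%&P10_SEARCH.%' AND id > &P10_MIN_ID.;
END;"""


def find_substitutions(plsql):
    """Return (line, item, context) for each &NAME. reference in the source."""
    spans = [m.span() for m in LITERAL.finditer(plsql)]
    found = []
    for m in SUBST.finditer(plsql):
        in_literal = any(s <= m.start() < e for s, e in spans)
        line = plsql.count("\n", 0, m.start()) + 1
        found.append((line, m.group(1), "literal" if in_literal else "code"))
    return found


def _literal_to_binds(match):
    """Rewrite 'a&X.b' as 'a' || :X || 'b', dropping empty string pieces."""
    body = match.group(0)[1:-1]
    if not SUBST.search(body):
        return match.group(0)
    pieces = SUBST.split(body)  # text, NAME, text, NAME, ...
    out = [":" + p if i % 2 else "'" + p + "'"
           for i, p in enumerate(pieces) if i % 2 or p]
    return " || ".join(out)


def suggest_bind_form(plsql):
    """Propose the block with bind variables, for a reviewer to check."""
    # A bare reference used as a table or column name cannot be bound;
    # that case needs an allow-list of identifiers instead.
    rewritten = LITERAL.sub(_literal_to_binds, plsql)
    return SUBST.sub(lambda m: ":" + m.group(1), rewritten)


if __name__ == "__main__":
    print(suggest_bind_form(SAMPLE))
```

References reported with the context <code>code</code> sit outside a string literal and are the ones to review by hand before accepting the proposed rewrite.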
An example of inconsistent access control arises when an authorization scheme is applied to a button item but not to the process linked to that button. This inconsistency could allow a user to trigger the process directly via JavaScript, bypassing the button entirely.

==Third-party libraries==
Developers may improve and extend APEX applications by using third-party libraries. Among them are [[JQuery Mobile]] (HTML 5-based user interface),<ref>{{cite web|url=http://www.oracle.com/webfolder/technetwork/tutorials/obe/db/apex/r50/CreMobileApp_apex50EA/CreMobileApp_apex50EA.html|title=Building a Mobile Web Application Using Oracle Application Express 5.0|publisher=Oracle}}</ref> [[JQuery UI]] (user interface for the web),<ref>{{cite web|url=https://docs.oracle.com/database/121/HTMDB/app_comp001.htm#HTMDB29024|title=Application Express Application Builder User's Guide|publisher=Oracle}}</ref> [[AnyChart]] ([[JavaScript]]/[[HTML5|HTML 5]] charts),<ref>{{cite web|url=http://www.anychart.com/products/oracleapex/|title=Oracle APEX: Using AnyChart products with Oracle Application Express (APEX)|publisher=AnyChart}}</ref> [[CKEditor]] (web text editor),<ref>{{cite web|url=http://ckeditor.com/blog/Oracle-chooses-FCKeditor-for-Application-Express|title=Oracle chooses FCKeditor for Application Express|publisher=CKEditor.com}}</ref> and others.
Oracle claims that applying the latest APEX patches ensures that the external libraries bundled with the platform are updated in tandem, which theoretically enhances application stability and security.<ref>{{cite web|url=https://oracle-base.com/articles/misc/oracle-application-express-apex-patches|title=Oracle Application Express (APEX) Patches|publisher=Oracle Base|access-date=2024-12-30}}</ref> However, many of the libraries are updated more frequently than APEX patches are released, requiring developers to monitor and manually apply updates as necessary to maintain compatibility and security.<ref>{{cite web|url=http://dgielis.blogspot.ru/2013/05/goodies-apex-422-included-libraries.html|title=Goodies - APEX 4.2.2 included Libraries|publisher=Dimitri Gielis Blog|date=May 8, 2013|access-date=December 10, 2015}}</ref><ref>{{cite web|url=http://www.grassroots-oracle.com/2014/03/apex-5-first-peek.html|title=APEX 5 first peek|publisher=Grassroots Oracle|date=March 17, 2014|access-date=December 10, 2015}}</ref>

==APEX and Oracle Database Express Edition (XE)==
[[Oracle Corporation|Oracle]] APEX can be run inside Oracle Database Express Edition (XE), a free entry-level database. Although the functionality of APEX isn't intentionally limited when running on XE, the limitations of the database engine may prevent some APEX features from functioning.
Furthermore, Oracle XE has limits for [[Central processing unit|CPU]], memory, and disk usage.<ref name="Limitations of the Express Edition">{{cite web|title=Limitations of the Express Edition|url=http://docs.oracle.com/cd/E17781_01/install.112/e18803/toc.htm#BEIIIEDG|publisher=Oracle Corporation|access-date=May 22, 2013}}</ref>

==See also==
* [[Oracle SQL Developer]]
* [[Jam.py (web framework)|Jam.py]]

==References==
<references/>

==External links==
*{{official website|http://apex.oracle.com/}}

{{Web frameworks}}
{{Oracle}}

[[Category:Oracle software]]
[[Category:Freeware]]
[[Category:2004 software]]
[[Category:Web frameworks]]