
Oracle APEX (also known as APEX or Oracle Application Express) is an enterprise low-code development platform from Oracle Corporation that is used to develop and deploy web applications on Oracle databases. APEX provides a web-based integrated development environment (IDE) that uses wizards, drag-and-drop layout, and property editors to build applications and pages. APEX intends to simplify the process of creating web applications that serve as a frontend to a database server, among other things. APEX is a fully supported no-cost feature of the Oracle Database and can be installed anywhere Oracle Database runs. APEX is also offered on Oracle's Cloud across various services including Autonomous Database Cloud Services and the stand-alone APEX Application Development service.


Releases

Oracle APEX can be installed on any Oracle database from version 9.2 or higher, and starting from Oracle 11g it is installed with the database by default. APEX 4.0 and higher can be installed on an Oracle 10.2.0.3 or higher database. APEX 5.0 and higher can be installed on all editions (SE1, SE, and EE) of the Oracle database, 11.1.0.7 or higher with a valid Oracle Database Technical Support agreement. From APEX 18.1, the minimum database version is 11.2.0.4. It can also be used with Oracle Database 11g Express Edition (XE), but is supported through the Oracle Technology Network discussion forum, and not through Oracle Support Services.


Background

Oracle APEX has gone through many name changes since its inception in 2000. Names include:

* Flows
* Oracle Platform
* Project Marvel
* HTML DB
* Application Express (APEX) aka Oracle APEX

APEX was created by Mike Hichwa, a developer at Oracle, after the development of his previous project, Web DB, started to diverge from his original vision. Although APEX shares some functionality with Web DB, it was developed from scratch, and there is no upgrade path from Web DB to APEX. When tasked with building an internal web calendar, Hichwa enlisted the help of Joel Kallman and started development on a project called Flows. Hichwa and Kallman co-developed the Web Calendar and Flows, adding features to Flows as they needed them to develop the calendar. Early builds of Flows had no front-end, so all changes to an application had to be made in SQL*Plus via inserts, updates and deletes.

APEX is extensively used internally by Oracle to develop its support sites. The AskTom knowledge base, online store, Dev Gym, and livesql run on APEX.


Advantages and disadvantages


Advantages

* DBAs familiar with PL/SQL can use their skill set to develop web applications
* Easy to create mock-ups using pre-built themes
* Easy to deploy (end user opens a URL to access an APEX application)
* Scalable (can be deployed to laptops, stand-alone servers, or Oracle RAC installations)
* Server-side processing and validations
* Basic support for group development
* Free hosting of demo applications provided by Oracle
* APEX applications can run on the free Oracle Express Edition (XE) database
* Individual components of an application can be retrieved or identified using SQL, facilitating customized reports
* Easily adheres to the SQA development/test/production model (while not exposing DB passwords)
* Helps put the focus on the DB model supporting a solution (versus coding in Java, .NET or PHP; you only need JavaScript)
* Easily supports a standardized theme across application sets (and the changing of that theme)
* Easily integrates with different data sources such as local database, remote Oracle database, or any web service
* Semi-technical end users can build their own web pages and reports


Disadvantages

* APEX applications are created using Oracle's own tools and can only be hosted in an Oracle database, making an implementer susceptible to vendor lock-in.
* Very few webhosts offer APEX (Oracle Database) on their hosting service package (most of them offer PHP + MySQL or ASP + Microsoft SQL Server). As a result, APEX applications are limited in their choice of webhosts. However, since APEX can run on the free Express Edition of the Oracle database (Oracle XE), it is possible to install the required stack (database, APEX framework, and web gateway) on any standard operating system host (Linux or Windows).
* Projects requiring multiple developers to touch the same web page will need to communicate their intentions with each other. There is no built-in version control and all components must be edited through the web interface. Merging two versions is not supported. Page locking can help guard against conflicts.


Low Code environment

While APEX has existed since 2004 in one form or another, it has recently been included in a new category of application development platforms called Low Code. These low-code environments can trace their origins to 4GL programming languages and rapid application development (RAD) tools. Since APEX was originally marketed as a RAD tool, this progression is a logical one. APEX allows the easy building of web applications with no code. Where the requirements are more complex, APEX allows the extension of the Low Code objects through a declarative framework. This framework lets the developer define custom logic and business rules as well as create an enhanced user interface. The developer can do this through the inclusion of SQL, PL/SQL, HTML, JavaScript, or CSS as well as APEX plug-ins. So APEX permits developers to go from no code to low code to more code.


Security

There is a common misconception that the abstracted nature of APEX applications results in a relatively secure user environment. However, APEX applications suffer from the same classes of application security flaws as other web applications based on more direct technologies such as PHP, ASP.NET and Java. The main classes of vulnerability that affect APEX applications are SQL injection, cross-site scripting (XSS), and access control.

APEX applications inherently use PL/SQL constructs as the base server-side language. As well as accessing data via PL/SQL blocks, an APEX application will use PL/SQL to implement authorization, and to conditionally display web page elements. This means that APEX applications generally suffer from SQL injection when these PL/SQL blocks do not correctly validate and handle malicious user input. Oracle implemented a special variable type for APEX called Substitution Variables (with a syntax of &NAME.); these are not safe and lead to SQL injection. Where the injection occurs within a PL/SQL block, an attacker can inject an arbitrary number of queries or statements to execute. Escaping special characters and using bind variables is the correct way to code against XSS and SQL injection.

Cross-site scripting vulnerabilities arise in APEX applications just as in other web application languages. Oracle provides the htf.escape_sc() function to escape user data that is displayed within a rendered HTML response. The reports that APEX generates also provide protection against XSS through the Display As setting on report columns. Originally the default was for reports to be created without any escaping of the columns, although recent versions now set the column type to escape by default. Column definitions can be queried programmatically to check for columns that do not escape the value.

To control access to resources within an APEX application, a developer can assign authorization schemes to resources (such as pages and items). These must be applied consistently in order to ensure that resources are appropriately protected. A typical example of inconsistent access control is where an authorization scheme is set for a Button item, but not for the associated Process that is performed when the button is clicked. A malicious user can perform the process (through JavaScript) without requiring the actual Button to be accessible.

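The difference between the &NAME. substitution syntax and a bind variable, together with htf.escape_sc() on output, shown as an added example that is not part of the original page. The table demo_emp, the item name P1_NAME and the submitted value are constructed, and REPLACE stands in for the textual substitution APEX performs on &P1_NAME. before the statement is parsed.

```sql
-- Added example; table, item name and input are constructed for illustration.
SET DEFINE OFF          -- stop SQL*Plus/SQLcl treating & as its own prompt
SET SERVEROUTPUT ON

CREATE TABLE demo_emp (ename VARCHAR2(30), sal NUMBER);
INSERT INTO demo_emp VALUES ('KING', 5000);
INSERT INTO demo_emp VALUES ('SCOTT', 3000);

DECLARE
  -- Constructed value of page item P1_NAME as submitted by a user.
  l_item  VARCHAR2(200) := q'[nobody' OR '1'='1]';
  l_sql   VARCHAR2(400);
  l_count PLS_INTEGER;
BEGIN
  -- Vulnerable form: the source references the item as &P1_NAME.
  -- The item value is spliced into the statement text before it is parsed;
  -- REPLACE stands in for that substitution step here.
  l_sql := REPLACE(q'[SELECT COUNT(*) FROM demo_emp WHERE ename = '&P1_NAME.']',
                   '&P1_NAME.', l_item);
  EXECUTE IMMEDIATE l_sql INTO l_count;
  DBMS_OUTPUT.PUT_LINE('statement after substitution: ' || l_sql);
  DBMS_OUTPUT.PUT_LINE('rows matched via &P1_NAME. : ' || l_count);

  -- Hardened form: the same item referenced as a bind variable. The value is
  -- passed as data, so its quote characters cannot change the predicate.
  EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM demo_emp WHERE ename = :P1_NAME'
    INTO l_count USING l_item;
  DBMS_OUTPUT.PUT_LINE('rows matched via :P1_NAME  : ' || l_count);

  -- Output side: escape user data before it is written into an HTML response.
  DBMS_OUTPUT.PUT_LINE('escaped for HTML: ' ||
                       htf.escape_sc('<i>' || l_item || '</i>'));
END;
/

DROP TABLE demo_emp PURGE;
```

Comparing the two row counts shows whether the submitted value was treated as SQL text or as data.
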
Since APEX 4.0, the Application Builder interface provides some limited assessment of the security posture through the Advisor utility.
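
Two of the checks described in this section, unescaped report columns and a Button whose authorization scheme is missing from its Process, written as dictionary queries; this is an added example, not part of the original page or of the Advisor utility. The view and column names (apex_application_page_ir_col.display_text_as, apex_application_page_proc.when_button_pressed_id and the others used below) and the application id 100 are assumptions to confirm against the APEX_DICTIONARY view of the installed release.

```sql
-- Added example. Run as a schema that can see the workspace's APEX views.
-- View/column names are assumptions; confirm them in APEX_DICTIONARY.
VARIABLE app_id NUMBER
EXEC :app_id := 100     -- constructed application id

-- 1. Interactive report columns whose values are rendered without escaping.
SELECT application_id, page_id, column_alias, display_text_as
FROM   apex_application_page_ir_col
WHERE  application_id  = :app_id
AND    display_text_as = 'WITHOUT_MODIFICATION'
ORDER  BY page_id, column_alias;

-- 2. Processes fired by a button that carries an authorization scheme,
--    where the process itself has no scheme or a different one.
SELECT b.application_id,
       b.page_id,
       b.button_name,
       b.authorization_scheme AS button_scheme,
       p.process_name,
       p.authorization_scheme AS process_scheme
FROM   apex_application_page_buttons b
JOIN   apex_application_page_proc    p
       ON  p.application_id         = b.application_id
       AND p.page_id                = b.page_id
       AND p.when_button_pressed_id = b.button_id
WHERE  b.application_id = :app_id
AND    b.authorization_scheme IS NOT NULL
AND    (p.authorization_scheme IS NULL
        OR p.authorization_scheme <> b.authorization_scheme)
ORDER  BY b.page_id, b.button_name;
```

Rows returned by either query are candidates for review rather than confirmed flaws: a column may be left unescaped deliberately, and a page-level authorization scheme may already cover the process.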


Third-party libraries

Developers may improve and extend their APEX applications by using the third-party libraries that come standard with APEX. Among them are jQuery Mobile (HTML5-based user interface), jQuery UI (user interface for the web), AnyChart (JavaScript/HTML5 charts), CKEditor (web text editor), and others. Experts say that one advantage of applying the latest APEX patches is that the external libraries that come with APEX are updated too. However, many of the libraries release newer versions more frequently than APEX patches appear.


APEX and Oracle Database Express Edition (XE)

Oracle APEX can be run inside Oracle Database Express Edition (XE), a free entry-level database. Although the functionality of APEX isn't intentionally limited when running on XE, the limitations of the database engine may prevent some APEX features from functioning. Also, Oracle XE has limits for CPU, memory and disk usage.


APEX and Oracle Autonomous Database

With Oracle APEX and Autonomous Database, the configuration, patching, monitoring, and upgrading of all Oracle APEX components is fully managed by Oracle. Developers can therefore focus on application development and deployment without any hassles of upkeep or manual maintenance. The feature functionality includes Oracle SQL Developer Web (database actions), Oracle REST Data Services (ORDS), Oracle XML DB features, Spatial and more.


APEX Service

Oracle APEX Application Development, also known as APEX Service, is a fully managed low-code application development and deployment platform in Oracle Cloud Infrastructure (OCI). With this service, developers get APEX and an underlying Oracle Autonomous Database. This service also includes SQL Developer Web (Database Actions) for database actions and Oracle REST Data Services (ORDS).


See also

* Oracle SQL Developer

