Oracle APEX (Oracle Application Express) is a low-code application development platform developed by

Oracle Corporation Oracle Corporation is an American Multinational corporation, multinational computer technology company headquartered in Austin, Texas. Co-founded in 1977 in Santa Clara, California, by Larry Ellison, who remains executive chairman, Oracle was ...

. APEX is used for developing and deploying

cloud In meteorology, a cloud is an aerosol consisting of a visible mass of miniature liquid droplets, frozen crystals, or other particles, suspended in the atmosphere of a planetary body or similar space. Water or various other chemicals may ...

, mobile and desktop

applications Application may refer to: Mathematics and computing * Application software, computer software designed to help the user to perform specific tasks ** Application layer, an abstraction layer that specifies protocols and interface methods used in a ...

. It has a web-based

integrated development environment An integrated development environment (IDE) is a Application software, software application that provides comprehensive facilities for software development. An IDE normally consists of at least a source-code editor, build automation tools, an ...

(IDE) that includes tools such as wizards,

drag-and-drop In computer graphical user interfaces, drag and drop is a pointing device gesture in which the user selects a virtual object by "grabbing" it and dragging it to a different location or onto another virtual object. In general, it can be used to ...

layout builders, and property editors.

Background

APEX is a feature of the

Oracle Database Oracle Database (commonly referred to as Oracle DBMS, Oracle Autonomous Database, or simply as Oracle) is a proprietary multi-model database management system produced and marketed by Oracle Corporation. It is a database commonly used for ru ...

. It is a part of the

Oracle Cloud Oracle Cloud is a cloud computing service offered by Oracle Corporation providing servers, storage, network, applications and services through a global network of Oracle Corporation managed data centers. The company allows th ...

within the Autonomous Database Cloud Services and the stand-alone APEX Application Development service. Oracle APEX has had name changes since its creation in 2000, including: * Flows * Oracle Platform * Project Marvel * HTML DB * Application Express (APEX) aka Oracle APEX

History

APEX was created by Oracle developer Michael Hichwa following his earlier project, WebDB. While building an internal web calendar, Hichwa collaborated with fellow Oracle employee Joel Kallman to develop Flows. Together, they co-developed the web calendar, adding features to Flows as they needed them to develop the calendar. Early builds of Flows had no front-end, so all changes to an application were made in SQL Plus via insert, update and delete commands. With version 5.2, the numbering system was changed to align with the year and quarter of the release, renaming it to 18.1. This change is consistent with Oracle's change in numbering nomenclature.

Low-code environment

Oracle APEX is a low-code development platform, a type of environment that can trace their origins to

fourth-generation programming language A fourth-generation programming language (4GL) is a high-level programming language, high-level computer programming language that belongs to a class of languages envisioned as an advancement upon third-generation programming languages (3GL). Each ...

s and

rapid application development Rapid application development (RAD), also called rapid application building (RAB), is both a general term for adaptive software development approaches, and the name for James Martin's method of rapid development. In general, RAD approaches to ...

(RAD) tools. APEX allows users to build

web application A web application (or web app) is application software that is created with web technologies and runs via a web browser. Web applications emerged during the late 1990s and allowed for the server to dynamically build a response to the request, ...

s with a " no code" graphical user interface. However, when the requirements are more complex, APEX allows the extension of the low-code objects through a declarative framework. This framework lets the developer define custom logic, business rules, and user interfaces. The developer can do this through the inclusion of

SQL Structured Query Language (SQL) (pronounced ''S-Q-L''; or alternatively as "sequel") is a domain-specific language used to manage data, especially in a relational database management system (RDBMS). It is particularly useful in handling s ...

PL/SQL PL/SQL (Procedural Language for SQL) is Oracle Corporation's procedural extension for SQL and the Oracle relational database. PL/SQL is available in Oracle Database (since version 6 - stored PL/SQL procedures/functions/packages/triggers sinc ...

HTML Hypertext Markup Language (HTML) is the standard markup language for documents designed to be displayed in a web browser. It defines the content and structure of web content. It is often assisted by technologies such as Cascading Style Sheets ( ...

JavaScript JavaScript (), often abbreviated as JS, is a programming language and core technology of the World Wide Web, alongside HTML and CSS. Ninety-nine percent of websites use JavaScript on the client side for webpage behavior. Web browsers have ...

, or CSS as well as APEX plug-ins.

Security

APEX applications are subject to the same level of application security risks as other web-based applications built on more direct technologies such as PHP,

ASP.NET ASP.NET is a server-side web-application framework designed for web development to produce dynamic web pages. It was developed by Microsoft to allow programmers to build dynamic web sites, applications and services. The name stands for Ac ...

and

Java Java is one of the Greater Sunda Islands in Indonesia. It is bordered by the Indian Ocean to the south and the Java Sea (a part of Pacific Ocean) to the north. With a population of 156.9 million people (including Madura) in mid 2024, proje ...

. However, since APEX 4.0, the Application Builder interface has included a utility called Advisor, which provides a basic assessment of an application’s security posture. The two main vulnerabilities that affect APEX applications are SQL injection and cross-site scripting (XSS). SQL Injection APEX applications inherently use PL/SQL constructs as the base server-side language and access data via PL/SQL blocks. An APEX application will use PL/SQL to implement authorization and to conditionally display web page elements. Because of this, APEX applications can suffer from an SQL injection when these PL/SQL blocks do not correctly validate and handle malicious user input. Oracle implemented a special variable type for APEX called ''Substitution Variables'' (with a syntax of "&NAME."); however, these are insecure and can lead to SQL injections. When an injection occurs within a PL/SQL block, an attacker can inject an arbitrary number of queries or statements to execute. Escaping special characters and using bind variables can reduce, but not remove, XSS and SQL injection vulnerabilities. Cross-Site Scripting (XSS) XSS vulnerabilities arise in APEX applications just like in other

languages. To counteract this, Oracle provides the htf.escape_sc() function to replace literal characters with HTML entity names and avoid undesired behaviors. A developer can use authorization schemes to manage access to resources like pages and items within an APEX application. To ensure proper security, these schemes must be consistently applied across all relevant resources. An example of inconsistent access control arises when an authorization scheme is applied to a button item but not to the process linked to that button. This inconsistency could allow a user to trigger the process directly via JavaScript, bypassing the button entirely.

Third-party libraries

Developers may improve and extend APEX applications by using third-party libraries. Among them are JQuery Mobile (HTML 5-based user interface), JQuery UI (user interface for the web), AnyChart (

/ HTML 5 charts), CKEditor (web text editor), and others. Oracle claims that applying the latest APEX patches ensures that the external libraries bundled with the platform are updated in tandem, which theoretically enhances application stability and security. However, many of the libraries are updated more frequently than APEX patches are released, requiring developers to monitor and manually apply updates as necessary to maintain compatibility and security.

APEX and Oracle Database Express Edition (XE)

Oracle An oracle is a person or thing considered to provide insight, wise counsel or prophetic predictions, most notably including precognition of the future, inspired by deities. If done through occultic means, it is a form of divination. Descript ...

APEX can be run inside Oracle Database Express Edition (XE), a free entry-level database. Although the functionality of APEX isn't intentionally limited when running on XE, the limitations of the database engine may prevent some APEX features from functioning. Furthermore, Oracle XE has limits for CPU, memory, and disk usage.

Background

History

Low-code environment

Security

Third-party libraries

APEX and Oracle Database Express Edition (XE)

See also

References

Bibliography

External links