APEX is a feature of the Oracle Database. It is a part of Oracle Cloud within Autonomous Database Cloud Services and the stand-alone APEX Application Development service.[3]
Oracle APEX has had name changes since its creation in 2000, including:
APEX was created by Michael Hichwa, an Oracle developer, following on from his earlier project, WebDB. When tasked with building an internal web calendar, Michael Hichwa employed Joel Kallman and began developing Flows. Hichwa and Kallman also co-developed the web calendar, adding features to Flows as they needed them to develop the calendar. Early builds of Flows had no front end, so all changes to an application had to be made in SQL*Plus via inserts, updates and deletes.[8]
With version 5.2, the numbering was changed to 18.1, indicating the year and quarter of release. This change is associated with Oracle's change in numbering nomenclature.
Low-code environment
Oracle APEX is a low-code development platform. These low-code environments can trace their origins to fourth-generation programming languages and rapid application development (RAD) tools. Since APEX was originally marketed as a RAD tool, this progression is a logical one. APEX allows users to build web applications with no code. When the requirements are more complex, APEX allows the extension of the low-code objects through a declarative framework. This framework lets the developer define custom logic, business rules, and user interfaces. The developer can do this through the inclusion of SQL, PL/SQL, HTML, JavaScript, or CSS as well as APEX plug-ins. APEX permits developers to go from no code to low-code to more code.[9][10]
APEX applications are subject to the same application security risks as other web-based applications based on more direct technologies such as PHP, ASP.NET and Java.
APEX applications inherently use PL/SQL constructs as the base server-side language and access data via PL/SQL blocks; an APEX application will use PL/SQL to implement authorization and to conditionally display web page elements. This means that APEX applications generally suffer from SQL injection when these PL/SQL blocks do not correctly validate and handle malicious user input. Oracle implemented a special variable type for APEX called Substitution Variables (with a syntax of "&NAME."); however, these are insecure and can lead to SQL injection. Where the injection occurs within a PL/SQL block, an attacker can inject an arbitrary number of queries or statements to execute; escaping special characters and using bind variables reduces the likelihood of XSS and SQL injection vulnerabilities.
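The following PL/SQL is an added illustration of the difference described above; it is not code from the article or from Oracle. It assumes hypothetical page items P1_USERNAME, P1_SORT_COLUMN and P1_ROLE and a hypothetical table APP_USERS(USERNAME, ROLE_NAME, LAST_LOGIN).

```sql
-- Added example, not from the article. Hypothetical items P1_USERNAME,
-- P1_SORT_COLUMN, P1_ROLE and table APP_USERS(USERNAME, ROLE_NAME, LAST_LOGIN).

-- VULNERABLE: in an APEX PL/SQL process, &P1_USERNAME. is a substitution
-- variable. APEX replaces it with the raw item value before the block is
-- compiled, so the value becomes part of the SQL text. A submitted value that
-- contains a single quote closes the literal early and the remainder of the
-- value is parsed as SQL.
DECLARE
  l_role app_users.role_name%TYPE;
BEGIN
  SELECT role_name
    INTO l_role
    FROM app_users
   WHERE username = '&P1_USERNAME.';
  apex_util.set_session_state('P1_ROLE', l_role);
END;

-- SAFE: reference the item as a bind variable. APEX passes the value to the
-- database as data; it is never spliced into the statement text.
DECLARE
  l_role app_users.role_name%TYPE;
BEGIN
  SELECT role_name
    INTO l_role
    FROM app_users
   WHERE username = :P1_USERNAME;
  apex_util.set_session_state('P1_ROLE', l_role);
END;

-- SAFE with dynamic SQL: when the statement text really must be assembled at
-- run time, keep user data in the USING clause, and validate anything that has
-- to become an identifier. dbms_assert.simple_sql_name raises an error for a
-- value that is not a plain SQL name, so it cannot carry extra clauses.
DECLARE
  l_sort_col VARCHAR2(128) := dbms_assert.simple_sql_name(:P1_SORT_COLUMN);
  l_cur      SYS_REFCURSOR;
BEGIN
  EXECUTE IMMEDIATE
    'UPDATE app_users SET last_login = SYSDATE WHERE username = :1'
    USING :P1_USERNAME;

  OPEN l_cur FOR
    'SELECT username, role_name FROM app_users ORDER BY ' || l_sort_col;
  -- ... fetch from l_cur as needed ...
  CLOSE l_cur;
END;
```

The first and second blocks differ only in how the item is referenced, which is the whole point: a bind variable (`:P1_USERNAME`) is the form that keeps user input out of the parsed statement, while a substitution variable (`&P1_USERNAME.`) is textual replacement and therefore behaves like string concatenation.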
XSS vulnerabilities arise in APEX applications just as they do in applications written in other web languages. Oracle provides the htf.escape_sc() function to replace literal characters with HTML entity names and avoid undesired behaviors.[12]
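As an added example (not from the article or from Oracle), the PL/SQL below shows the unescaped and escaped forms of the same output in a "PL/SQL Dynamic Content" region. It assumes a hypothetical page item P1_COMMENT whose value originates from user input; htp.p, htf.escape_sc and the apex_escape package are standard Oracle/APEX APIs.

```sql
-- Added example, not from the article. Hypothetical item P1_COMMENT holds a
-- user-supplied string that is rendered back into the page.

-- VULNERABLE: the raw value is written straight into the HTML, so any markup
-- or script element contained in it is interpreted by the browser.
BEGIN
  htp.p('<div class="comment">' || :P1_COMMENT || '</div>');
END;

-- SAFE for HTML text content: htf.escape_sc (the function named in the
-- article) replaces characters such as <, >, & and " with entity references,
-- so the browser displays them instead of parsing them. apex_escape.html
-- does the same job and is the APEX-native equivalent.
BEGIN
  htp.p('<div class="comment">' || htf.escape_sc(:P1_COMMENT) || '</div>');
  htp.p('<div class="comment">' || apex_escape.html(:P1_COMMENT) || '</div>');
END;

-- Other output contexts need context-specific escaping; entity-escaping for
-- HTML text is not sufficient inside an attribute or a script block.
-- apex_escape.js_literal returns the value already wrapped in quotes.
BEGIN
  htp.p('<input type="text" value="'
        || apex_escape.html_attribute(:P1_COMMENT) || '">');
  htp.p('<script>var lastComment = '
        || apex_escape.js_literal(:P1_COMMENT) || ';</script>');
END;
```

The practical rule the example encodes is to escape at the point of output, choosing the function that matches the context (text, attribute, JavaScript) rather than escaping once on input and assuming every later use is safe.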
A developer can assign authorization schemes to resources (such as pages and items) to control access within an APEX application. These schemes must be applied uniformly to ensure resources are adequately protected. One example of inconsistent access control occurs when an authorization scheme is assigned to a button item but not to the associated process triggered by the button. In such cases, a user could potentially execute the process through JavaScript without requiring access to the button itself.
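The following is an added example of the consistency requirement just described; it is not code from the article or from Oracle. It assumes a hypothetical authorization scheme named IS_ADMIN (type "PL/SQL Function Returning Boolean") backed by a hypothetical table APP_USER_ROLES, and a hypothetical page process DELETE_ORDER that is normally triggered by a button. The APP_USER bind variable and apex_authorization.is_authorized are standard APEX APIs.

```sql
-- Added example, not from the article. Hypothetical scheme IS_ADMIN, table
-- APP_USER_ROLES(USERNAME, ROLE_NAME), table ORDERS(ORDER_ID) and item
-- P1_ORDER_ID.

-- Body of the IS_ADMIN authorization scheme. :APP_USER is the built-in bind
-- variable holding the authenticated user's name.
DECLARE
  l_count PLS_INTEGER;
BEGIN
  SELECT COUNT(*)
    INTO l_count
    FROM app_user_roles
   WHERE username  = :APP_USER
     AND role_name = 'ADMIN';
  RETURN l_count > 0;
END;

-- Process DELETE_ORDER. Hiding the button with IS_ADMIN only controls what is
-- rendered; the page can still be submitted with the request value
-- DELETE_ORDER from the browser, so the process itself must carry the same
-- scheme. Assigning IS_ADMIN declaratively to the process is the primary
-- control; the explicit check below makes the same requirement visible in
-- the code and fails closed if the declarative setting is ever removed.
BEGIN
  IF NOT apex_authorization.is_authorized(p_authorization_name => 'IS_ADMIN') THEN
    raise_application_error(-20001, 'Not authorized to delete orders');
  END IF;

  DELETE FROM orders
   WHERE order_id = :P1_ORDER_ID;
END;
```

The point is that the authorization decision must be made where the action happens (the process), not only where the action is offered (the button); the two controls should evaluate the same scheme so they cannot drift apart.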
Since APEX 4.0, the Application Builder interface has included a utility called Advisor, which provides a basic assessment of an application’s security posture.
Third-party libraries
Developers may improve and extend their APEX applications by using third-party libraries. Among them are jQuery Mobile (HTML5-based user interface),[13] jQuery UI (user interface for the web),[14] AnyChart (JavaScript/HTML5 charts),[15] CKEditor (web text editor),[16] and others. Oracle states that applying the latest APEX patches ensures that the external libraries bundled with the platform are updated alongside it, enhancing application stability and security.[17] However, many of the libraries are updated more frequently than APEX patches are released, requiring developers to monitor and manually apply updates as necessary to maintain compatibility and security.[18][19]
APEX and Oracle Database Express Edition (XE)
Oracle APEX can be run inside Oracle Database Express Edition (XE), a free entry-level database. Although the functionality of APEX isn't intentionally limited when running on XE, the limitations of the database engine may prevent some APEX features from functioning. Furthermore, Oracle XE has limits for CPU, memory, and disk usage.[20]
"Michael Hichwa". Apress. "Michael Hichwa is the original developer and architect of Oracle Application Express (APEX), aka HTML DB. Michael created APEX as a 100% rewrite of an earlier browser-based application development tool he also created, called Oracle WebDB. He had invaluable technical assistance and guidance from Tom Kyte and the addition of Joel Kallman as a co-developer. Michael and Joel have led APEX development efforts since 1999."