Oracle Application Express
|Stable release||4.2.5 / April 9, 2014|
|Operating system||Linux and Windows|
|Type||Oracle database development environment|
|License||Oracle Technical Network License (Proprietary)|
Oracle Application Express (Oracle APEX, previously named Oracle HTML DB) is a software development environment running inside the Oracle database. Oracle Application Express is free of charge and can be run inside Oracle Database Express Edition (also a free product). Oracle APEX is installed by default during installation of Oracle Database Express Edition, but it can also be installed in any other Oracle Database edition for free. When Oracle APEX runs inside Oracle Database Express Edition, its functionality is constrained by the limits of that edition (e.g. the CPU limit or memory limit).
Using only a web browser, an inexperienced programmer can use APEX to build complex web applications from scratch.
Oracle Application Express can be installed in an Oracle 9.2 or higher database, and starting from Oracle 11g it will be preinstalled along with the database. APEX 4.0 and higher can be installed on an Oracle 10.2.0.3 or higher database.
|HTML DB||1.5||2004||First release |
|HTML DB||1.6||2004||Added themes |
|HTML DB||2.0||2005||Added SQL Workshop |
|Application Express||2.1||January 2006||HTMLDB was renamed to APEX. Version 2.1 of APEX was bundled with the free Oracle Express Edition (XE) database.|
|Application Express||2.2||2006||Packaged Applications |
|Application Express||3.0||2007||This version featured several new features, including PDF Printing, Flash charting and Access Application Migration |
|Application Express||3.0.1||July 2007||This version could also be installed into an Oracle XE database.|
|Application Express||3.1||Spring 2008||This included a new major feature known as Interactive Reporting (enabled end-users to customize a report without programmer intervention, using techniques such as filtering, sorting, group-by, choosing displayed columns, etc. The user can even save multiple versions of their customized reports. The programmer can limit which features are enabled). Also added support for BLOB data type |
|Application Express||3.2||2009||Forms conversion |
|Application Express||4.1||August 2011||Notable new features included improved (customized) error handling, use of ROWID for updates, a data upload feature for end-users, and improved WebSheets (a hybrid of a spreadsheet and a Wiki, built using Apex itself).|
|Application Express||4.1.1||February 2012||Notable new features included new theme (cloudy) and various templates.|
|Application Express||4.2||October 2012||Notable new features included an application builder for mobile, mobile and responsive themes, and HTML5 support.|
|Application Express||4.2.1||December 2012||Bug Fixes.|
|Application Express||4.2.2||April 2013||Bug Fixes, Improved PDF printing, new Survey Builder packaged application|
|Application Express||4.2.3||September 2013||This is a cumulative patch set for Application Express 4.2.0, Application Express 4.2.1, and Application Express 4.2.2|
|Application Express||4.2.4||December 2013||This is a cumulative patch set for Application Express 4.2.0, Application Express 4.2.1, Application Express 4.2.2 and Application Express 4.2.3|
|Application Express||4.2.5||April 2014||This is a cumulative patch set for Application Express 4.2.0, Application Express 4.2.1, Application Express 4.2.2, Application Express 4.2.3 and Application Express 4.2.4|
Historically speaking, Application Express has gone through many name changes since its inception in 2000. A reasonably complete history of the names includes:
- Oracle Platform
- Project Marvel
- HTML DB
- Application Express (APEX)
One popular misconception is that Application Express is merely a new version of Web DB. Mike Hichwa created Web DB, a successful web front-end for Oracle, but the development of Web DB started to move in a direction that diverged from Mike's vision. When tasked with building an internal web calendar, Mike enlisted the help of Joel Kallman and started "Flows". They co-developed the Web Calendar and Flows, adding features to Flows as they needed them to develop the calendar. In the earliest days of Flows, there was no front-end for it, so all changes to an application were made in SQL*Plus via inserts, updates and deletes. In some ways APEX is an evolution of Web DB, but it was developed with new code and no upgrade path.
A popular application developed in Application Express is the AskTom application developed by Thomas Kyte. Oracle's Metalink support site had been running on APEX, but was eventually replaced by an Oracle ADF version. Oracle's online store also runs on APEX.
- DBAs familiar with PL/SQL can use their skill set to develop web applications
- Easy to create mock-ups using pre-built themes
- Easy to deploy (end user opens a URL to access an APEX application)
- Scalable (can be deployed to laptops, stand-alone servers, or Oracle RAC installations)
- Server-side processing and validations
- Strong and supportive user community (especially Oracle APEX forum)
- Basic support for group development
- Free hosting of demo applications provided by Oracle
- Apex applications can run on the free Oracle Express Edition (XE) database
- Individual components of an application can be retrieved or identified using SQL, facilitating customized reports
- Easily adheres to the SQA development/test/production model (while not exposing DB passwords)
- Easily supports a standardized theme across application sets (and the changing of that theme)
- Semi-technical end users can build their own web pages and reports
- Large installation size. The unzipped installation files for Apex 4.1 that includes 9 different languages for the "Application Builder" interface is 747 megabytes. The English-only version is 147 megabytes. Apex is installed on the database server; developers and users only need a web browser to build and use applications.
- Primary keys can be at most two separate fields. However, since version 4.1, Application Express supports the use of ROWID for updates, inserts and deletes as an alternative to specifying primary keys. Prior to version 4.1, APEX assumed by default that all tables would use generated keys, such as from sequences or triggers; therefore, if a table had more than two key columns, the default DML processes could not be used.
- Pages in APEX can display at most 200 items and forms cannot handle more than 200 database items. Compare this to the Oracle Database where tables can have up to 1000 columns. Pages must be designed to work around this limitation, for example by using multiple pages, tabular forms, or Ajax for on-demand updates.
- APEX applications are created using Oracle's own tools and can only be hosted in an Oracle database, making an implementer susceptible to vendor lock-in.
- Very few webhosts offer APEX (Oracle Database) on their hosting service package (most of them offer PHP + MySQL or ASP + Microsoft SQL Server). As a result, APEX applications are limited in their choice of webhosts.
- On projects that require multiple developers to touch the same web page, the developers will need to communicate their intentions to each other. There is no built-in version control and all components must be edited through the web interface. Page locking can help guard against physical dependencies.
There is a common misconception that the abstracted nature of APEX applications results in a relatively secure user environment. However, APEX applications suffer from the same classes of application security flaws as other web applications based on more direct technologies such as PHP, ASP.net and Java.
APEX applications inherently use PL/SQL constructs as the base server-side language. As well as accessing data via PL/SQL blocks, an APEX application uses PL/SQL to implement authorization and to conditionally display web page elements. APEX applications are therefore generally susceptible to SQL injection when these PL/SQL blocks do not correctly validate and handle malicious user input. Oracle implemented a special variable type for APEX called Substitution Variables (with a syntax of &NAME.); these are not safe and lead to SQL injection. Where the injection occurs within a PL/SQL block, an attacker can inject an arbitrary number of queries or statements to execute. Escaping special characters and using bind variables is the right way to code to prevent XSS and SQL injection.
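The contrast between a substitution variable and a bind variable, written out as APEX PL/SQL source. This is an added example, not code from the original article or from Oracle; the table `support_notes` and the page items `P10_CUSTOMER` and `P10_SORT` are hypothetical.

```sql
-- Added illustration. Each BEGIN/DECLARE block below is the source of a
-- separate APEX PL/SQL process or region. All object names are hypothetical.

-- BEFORE (vulnerable): APEX replaces &P10_CUSTOMER. with the item's text
-- before the block is parsed, so the submitted value becomes part of the
-- PL/SQL source instead of being treated as data.
BEGIN
  UPDATE support_notes
     SET reviewed = 'Y'
   WHERE customer_name = '&P10_CUSTOMER.';
END;

-- AFTER (hardened): :P10_CUSTOMER is a bind variable. The statement text is
-- fixed when it is parsed and the item value is only ever passed as data.
BEGIN
  UPDATE support_notes
     SET reviewed = 'Y'
   WHERE customer_name = :P10_CUSTOMER;
END;

-- Dynamic SQL needs the same discipline: bind values with USING, map anything
-- that cannot be bound (here a sort column) through an allow-list, and escape
-- the data on output with htf.escape_sc.
DECLARE
  l_order_by VARCHAR2(30);
  l_cur      SYS_REFCURSOR;
  l_text     VARCHAR2(4000);
BEGIN
  l_order_by := CASE :P10_SORT
                  WHEN 'DATE' THEN 'created_on'
                  WHEN 'NAME' THEN 'customer_name'
                  ELSE 'note_id'            -- default for unknown input
                END;
  OPEN l_cur FOR
       'SELECT note_text FROM support_notes'
    || ' WHERE customer_name = :c ORDER BY ' || l_order_by
    USING :P10_CUSTOMER;
  LOOP
    FETCH l_cur INTO l_text;
    EXIT WHEN l_cur%NOTFOUND;
    htp.p('<li>' || htf.escape_sc(l_text) || '</li>');
  END LOOP;
  CLOSE l_cur;
END;
```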
Cross-Site Scripting vulnerabilities arise in APEX applications just as they do in other web application languages. Oracle provides the htf.escape_sc() function to escape user data that is displayed within a rendered HTML response. The reports that APEX generates also provide protection against XSS through the Display As setting on report columns. Originally the default was for reports to be created without any escaping of the columns, although recent versions now set the column type to escape by default. Column definitions can be queried programmatically to check for columns that do not escape the value.
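One way to run that check against the APEX dictionary views, as an added example that is not part of the original article. It assumes the `apex_application_page_rpt_cols` view and the `WITHOUT_MODIFICATION` display code as found in APEX 4.x; application id 100 is a placeholder.

```sql
-- Added illustration: run in SQL Workshop or SQL*Plus as a schema mapped to
-- the workspace. View, column and code names are assumed from APEX 4.x;
-- confirm them against the dictionary of the installed release.
-- Application id 100 is a placeholder.

-- 1. List the Display As settings actually in use, so the code that stands
--    for "no escaping" can be confirmed before filtering on it.
SELECT display_as_code, display_as, COUNT(*) AS column_count
  FROM apex_application_page_rpt_cols
 WHERE application_id = 100
 GROUP BY display_as_code, display_as
 ORDER BY column_count DESC;

-- 2. Per-region summary of classic report columns rendered without escaping.
SELECT page_id, region_name, COUNT(*) AS unescaped_columns
  FROM apex_application_page_rpt_cols
 WHERE application_id = 100
   AND display_as_code = 'WITHOUT_MODIFICATION'
 GROUP BY page_id, region_name
 ORDER BY unescaped_columns DESC, page_id;

-- 3. Detail rows to review: each hit is a column whose value reaches the
--    browser as raw HTML and should either be switched to an escaping
--    Display As type or be escaped in the region's query.
SELECT page_id, region_name, column_alias, display_as
  FROM apex_application_page_rpt_cols
 WHERE application_id = 100
   AND display_as_code = 'WITHOUT_MODIFICATION'
 ORDER BY page_id, region_name, column_alias;
```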
Since APEX 4.0, the Application Builder interface provides some limited assessment of the security posture through the Advisor utility.