Oracle Application Express

Oracle APEX
Developer(s)	Oracle Corporation
Stable release	24.2 / January 15, 2025
Operating system	Windows, Linux, Oracle Solaris, HP-UX, IBM AIX
License	Oracle Technical Network License (proprietary)
Website	apex.oracle.com

Oracle APEX (Oracle Application Express) is a low-code application development platform developed by Oracle Corporation. APEX is used for developing and deploying cloud, mobile and desktop applications. It has a web-based integrated development environment (IDE) that includes tools such as wizards, drag-and-drop layout builders, and property editors.

Background

APEX is a feature of the Oracle Database. It is a part of the Oracle Cloud within the Autonomous Database Cloud Services and the stand-alone APEX Application Development service.^[3]

Oracle APEX has had name changes since its creation in 2000, including:

Flows^[4]
Oracle Platform^[5]
Project Marvel^[6]
HTML DB^[7]
Application Express (APEX) aka Oracle APEX^[7]

History

APEX was created by Oracle developer Michael Hichwa following his earlier project, WebDB. While building an internal web calendar, Hichwa collaborated with fellow Oracle employee Joel Kallman to develop Flows. Together, they co-developed the web calendar, adding features to Flows as they needed them to develop the calendar. Early builds of Flows had no front-end, so all changes to an application were made in SQL Plus via insert, update and delete commands.^[8]

With version 5.2, the numbering system was changed to align with the year and quarter of the release, renaming it to 18.1. This change is consistent with Oracle's change in numbering nomenclature.

Low-code environment

Oracle APEX is a low-code development platform, a type of environment that can trace their origins to fourth-generation programming languages and rapid application development (RAD) tools.

APEX allows users to build web applications with a "no code" graphical user interface. However, when the requirements are more complex, APEX allows the extension of the low-code objects through a declarative framework. This framework lets the developer define custom logic, business rules, and user interfaces. The developer can do this through the inclusion of SQL, PL/SQL, HTML, JavaScript, or CSS as well as APEX plug-ins.^[9]^[10]

Security

APEX applications are subject to the same level of application security risks as other web-based applications built on more direct technologies such as PHP, ASP.NET and Java. However, since APEX 4.0, the Application Builder interface has included a utility called Advisor, which provides a basic assessment of an application’s security posture.

The two main vulnerabilities that affect APEX applications are SQL injection and cross-site scripting (XSS).^[11]

SQL Injection

APEX applications inherently use PL/SQL constructs as the base server-side language and access data via PL/SQL blocks.^[12] An APEX application will use PL/SQL to implement authorization and to conditionally display web page elements. Because of this, APEX applications can suffer from an SQL injection when these PL/SQL blocks do not correctly validate and handle malicious user input.^[13]

Oracle implemented a special variable type for APEX called Substitution Variables (with a syntax of "&NAME."); however, these are insecure and can lead to SQL injections. When an injection occurs within a PL/SQL block, an attacker can inject an arbitrary number of queries or statements to execute. Escaping special characters and using bind variables can reduce, but not remove, XSS and SQL injection vulnerabilities.

Cross-Site Scripting (XSS)

XSS vulnerabilities arise in APEX applications just like in other web application languages. To counteract this, Oracle provides the htf.escape_sc() function to replace literal characters with HTML entity names and avoid undesired behaviors.^[14]

A developer can use authorization schemes to manage access to resources like pages and items within an APEX application. To ensure proper security, these schemes must be consistently applied across all relevant resources. An example of inconsistent access control arises when an authorization scheme is applied to a button item but not to the process linked to that button. This inconsistency could allow a user to trigger the process directly via JavaScript, bypassing the button entirely.

Third-party libraries

Developers may improve and extend APEX applications by using third-party libraries. Among them are JQuery Mobile (HTML 5-based user interface),^[15] JQuery UI (user interface for the web),^[16] AnyChart (JavaScript/HTML 5 charts),^[17] CKEditor (web text editor),^[18] and others. Oracle claims that applying the latest APEX patches ensures that the external libraries bundled with the platform are updated in tandem, which theoretically enhances application stability and security.^[19] However, many of the libraries are updated more frequently than APEX patches are released, requiring developers to monitor and manually apply updates as necessary to maintain compatibility and security.^[20]^[21]

APEX and Oracle Database Express Edition (XE)

Oracle APEX can be run inside Oracle Database Express Edition (XE), a free entry-level database. Although the functionality of APEX isn't intentionally limited when running on XE, the limitations of the database engine may prevent some APEX features from functioning. Furthermore, Oracle XE has limits for CPU, memory, and disk usage.^[22]

References

^ "Oracle Application Express - Downloads". Oracle. Retrieved December 10, 2015.
^ "Oracle Application Express Documentation". Oracle Help Center.
^ "Oracle Application Express (APEX): Overview" (PDF). Oracle Corporation.
^ "Welcome to Flows for APEX". apex-flowsforapex. Retrieved September 24, 2021.{{cite web}}: CS1 maint: url-status (link)
^ "Implementing Oracle API Platform Cloud Service". Packt. Retrieved September 24, 2021.
^ "how i get benefit from project marble". forums.oracle.com. September 17, 2002.{{cite web}}: CS1 maint: url-status (link)
^ ^a ^b "Appendix: Oracle APEX". docs.oracle.com. Retrieved January 26, 2025.
^ "Michael Hichwa". Apress. Michael Hichwa is the original developer and architect of Oracle Application Express (APEX), aka HTML DB. Michael created APEX as a 100% rewrite of an earlier browser-based application development tool he also created, called Oracle WebDB. He had invaluable technical assistance and guidance from Tom Kyte and the addition of Joel Kallman as a co-developer. Michael and Joel have led APEX development efforts since 1999
^ Kallman, Joel. "From Low Code to High Control". Retrieved November 27, 2017.
^ "Low Code with Oracle Application Express". apex.oracle.com. Retrieved November 27, 2017.
^ "Securing Vulnerability Exploits with Apex – Part 3". content.dsp.co.uk. Retrieved October 8, 2024.
^ Alpern, D.; Agrawal, S.; Baer, H.; Castledine, S.; Chang, T.; Cheng, B.; Dani, R.; Decker, R.; Iyer, C. "Overview of PL/SQL". Oracle Help Center. Retrieved January 24, 2025.
^ "Using Oracle APEX". enterprisearchitecture.harvard.edu. Retrieved January 24, 2025.
^ "Fusion Middleware PL/SQL Web Toolkit Reference". docs.oracle.com. Retrieved October 8, 2024.
^ "Building a Mobile Web Application Using Oracle Application Express 5.0". Oracle.
^ "Application Express Application Builder User's Guide". Oracle.
^ "Oracle APEX: Using AnyChart products with Oracle Application Express (APEX)". AnyChart.
^ "Oracle chooses FCKeditor for Application Express". CKEditor.com.
^ "Oracle Application Express (APEX) Patches". Oracle Base. Retrieved December 30, 2024.
^ "Goodies - APEX 4.2.2 included Libraries". Dimitri Gielis Blog. May 8, 2013. Retrieved December 10, 2015.
^ "APEX 5 first peek". Grassroots Oracle. March 17, 2014. Retrieved December 10, 2015.
^ "Limitations of the Express Edition". Oracle Corporation. Retrieved May 22, 2013.

Bibliography

Beckmann, Ralf (October 1, 2013), Oracle Application Express in der Praxis: Mit APEX datenbankbasierte Webanwendungen entwickeln (1st ed.), Carl Hanser Verlag, p. 416, ISBN 978-3446438965
Cimolini, Patrick (September 12, 2011), Agile Oracle Application Express (1st ed.), Apress, p. 200, ISBN 978-1-4302-3759-4
Mattamal, Raj; Nielsen, Anton (July 28, 2011), Expert Oracle Application Express Plugins: Building Reusable Components (1st ed.), Apress, p. 300, ISBN 978-1-4302-3503-3
Fox, Tim; Scott, John; Spendolini, Scott (June 29, 2011), Pro Oracle Application Express 4 (2 ed.), Apress, p. 700, ISBN 978-1-4302-3494-4
Zehoo, Edmund (June 15, 2011), Oracle Application Express 4 Recipes (1st ed.), Apress, p. 300, ISBN 978-1-4302-3506-4
Lancaster, Mark (May 28, 2011), Oracle Application Express 4.0 with Ext JS (1st ed.), Packt Publishing, p. 392, ISBN 978-1-84968-106-3
Aust, Dietmar; D'Souza, Martin Giffy; Gault, Doug; Gielis, Dimitri; Hartman, Roel; Hichwa, Michael; Kennedy, Sharon; Kubicek, Denes; Mattamal, Raj; McGhan, Dan; Mignault, Francis; Nielsen, Anton; Scott, John (May 16, 2011), Expert Oracle Application Express (1st ed.), Apress, p. 500, ISBN 978-1-4302-3512-5
Gault, Doug; Cannell, Karen; Cimolini, Patrick; D'Souza, Martin Giffy; Hilaire, Timothy St. (March 31, 2011), Beginning Oracle Application Express 4 (1st ed.), Apress, p. 440, ISBN 978-1-84968-134-6
van Zoest, M.; van der Plas, Marcel (December 14, 2010), Oracle APEX 4.0 Cookbook (1st ed.), Packt Publishing, p. 328, ISBN 978-1-4302-3147-9
Geller, Arie; Lyon, Matthew (June 1, 2010), Oracle Application Express 3.2 – The Essentials and More (1st ed.), Packt Publishing, p. 520, ISBN 978-1-84719-452-7
van den Bos, Douwe Pieter (July 29, 2009), Oracle Application Express Forms Converter (1st ed.), Packt Publishing, p. 172, ISBN 978-1-84719-776-4
Greenwald, Rick (December 22, 2008), Beginning Oracle Application Express (1st ed.), Wrox, p. 384, ISBN 978-0-470-38837-2
Scott, John; Spendolini, Scott (September 16, 2008), Pro Oracle Application Express (1st ed.), Apress, p. 700, ISBN 978-1-59059-827-6

External links

Official website

[oracle-downloads-1] "Oracle Application Express - Downloads". Oracle. Retrieved December 10, 2015.

[2] "Oracle Application Express Documentation". Oracle Help Center.

[3] "Oracle Application Express (APEX): Overview" (PDF). Oracle Corporation.

[4] "Welcome to Flows for APEX". apex-flowsforapex. Retrieved September 24, 2021.{{cite web}}: CS1 maint: url-status (link)

[5] "Implementing Oracle API Platform Cloud Service". Packt. Retrieved September 24, 2021.

[6] "how i get benefit from project marble". forums.oracle.com. September 17, 2002.{{cite web}}: CS1 maint: url-status (link)

[:0-7] "Appendix: Oracle APEX". docs.oracle.com. Retrieved January 26, 2025.

[8] "Michael Hichwa". Apress. Michael Hichwa is the original developer and architect of Oracle Application Express (APEX), aka HTML DB. Michael created APEX as a 100% rewrite of an earlier browser-based application development tool he also created, called Oracle WebDB. He had invaluable technical assistance and guidance from Tom Kyte and the addition of Joel Kallman as a co-developer. Michael and Joel have led APEX development efforts since 1999

[9] Kallman, Joel. "From Low Code to High Control". Retrieved November 27, 2017.

[10] "Low Code with Oracle Application Express". apex.oracle.com. Retrieved November 27, 2017.

[11] "Securing Vulnerability Exploits with Apex – Part 3". content.dsp.co.uk. Retrieved October 8, 2024.

[12] Alpern, D.; Agrawal, S.; Baer, H.; Castledine, S.; Chang, T.; Cheng, B.; Dani, R.; Decker, R.; Iyer, C. "Overview of PL/SQL". Oracle Help Center. Retrieved January 24, 2025.

[13] "Using Oracle APEX". enterprisearchitecture.harvard.edu. Retrieved January 24, 2025.

[14] "Fusion Middleware PL/SQL Web Toolkit Reference". docs.oracle.com. Retrieved October 8, 2024.

[15] "Building a Mobile Web Application Using Oracle Application Express 5.0". Oracle.

[16] "Application Express Application Builder User's Guide". Oracle.

[17] "Oracle APEX: Using AnyChart products with Oracle Application Express (APEX)". AnyChart.

[18] "Oracle chooses FCKeditor for Application Express". CKEditor.com.

[19] "Oracle Application Express (APEX) Patches". Oracle Base. Retrieved December 30, 2024.

[20] "Goodies - APEX 4.2.2 included Libraries". Dimitri Gielis Blog. May 8, 2013. Retrieved December 10, 2015.

[21] "APEX 5 first peek". Grassroots Oracle. March 17, 2014. Retrieved December 10, 2015.

[Limitations_of_the_Express_Edition-22] "Limitations of the Express Edition". Oracle Corporation. Retrieved May 22, 2013.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]

[17]

[18]

[19]

[20]

[21]

[22]

v t e Web frameworks
Comparison
.NET	ASP.NET Core AJAX Dynamic Data MVC Razor Web Forms Blazor DNN BFC MonoRail Umbraco WebSharper
C++	CppCMS Drogon Wt
ColdFusion	ColdBox Platform
Common Lisp	CL-HTTP
Haskell	Servant Snap Yesod
Java	AppFuse Grails GWT ICEfaces JHipster JWt Mojarra Play Remote Application Platform Seam Sling Spring Stripes Struts Tapestry Vaadin Vert.x Wicket WaveMaker ZK
JavaScript	Angular/AngularJS Backbone.js Closure Dojo Toolkit Ember.js Express.js Ext JS Fastify htmx jQuery Knockout.js Meteor MooTools NestJS Next.js Nuxt.js Node.js OpenUI5 Prototype React Remix Sencha Touch SproutCore Svelte Vue.js
Perl	Catalyst Dancer Maypole Mojolicious WebGUI
PHP	CakePHP CodeIgniter Drupal eZ Publish Fat-Free Flow FuelPHP Grav Gyroscope Horde Joomla! Laminas Laravel li₃ Midgard MODX Phalcon PHP-Fusion PHP-Nuke Pop PHP PRADO ProcessWire Qcodo Silverstripe Symfony TYPO3 WordPress XOOPS Yii
Python	BlueBream CherryPy CubicWeb Django FastAPI Flask Grok Nevow Pyjs Pylons Pyramid Quixote Tornado TurboGears web2py Zope 2 more...
Ruby	Merb Padrino Ruby on Rails Sinatra
Rust	Rocket
Scala	Lift Play Scalatra
Smalltalk	AIDA/Web Seaside
Other languages	Application Express (PL/SQL) Grails (Groovy) OpenACS (Tcl) Phoenix (Elixir) Shiny (web framework) (R) SproutCore (JavaScript-Ruby) Yaws (Erlang)

v t e Oracle Corporation
Corporate directors	Jeffrey Berg H. Raymond Bingham Michael Boskin Safra Catz Larry Ellison Héctor García-Molina Joseph Grundfest Jeffrey O. Henley Mark Hurd Jack F. Kemp Donald L. Lucas Naomi O. Seligman
Acquisitions (list)	Sun PeopleSoft Hyperion Siebel BEA JD Edwards RightNow Virtual Iron TimesTen Sunopsis NetSuite Cerner
Databases	Oracle Database MySQL InnoDB Berkeley DB TimesTen Rdb Essbase
Programming languages	Java PL/SQL
IDEs	JDeveloper Forms NetBeans Apex SQL Developer Developer Studio
Middleware	Fusion Middleware WebCenter SOA Suite WebLogic Server Coherence Tuxedo GlassFish
Operating systems	Oracle Linux Oracle Solaris
Computer hardware	Sun Fire SPARC (T-Series, Enterprise) StorageTek
Computer appliances	Oracle Exadata Oracle Exalogic Big Data Appliance
Education and recognition	Oracle Certification Program
Category