Chapter 4

Item Protection

Items in APEX are defined on pages, or as shared components that have application or global scope (we’ll call these application items). Page items can also be considered form items, because each page item type is rendered as an HTML form element (text box, select list, hidden input). Application items are not form items and are never rendered; they are best thought of as server-side variables.

Item values are stored in session state, and they persist for as long as the user holds a valid session. An item’s definition can give it a default value. The value then changes either because of a user request (such as a form submission or a URL that names the item) or because of server-side PL/SQL code (for example, in a page process). Unless an item is protected, a user can set the value of any item in the application, but can only read the values of items that are rendered on a page, or that the developer deliberately discloses in some other way (such as through an Ajax call).

Unless a page re-initializes an item, the item keeps whatever value session state currently holds for it; a value set on one page is therefore visible to every other page in the same session.

THE PROBLEM

In older versions of APEX, all items were unprotected and could be set by a user either via the URL or via an HTTP POST request such as an HTML form submission. How dangerous this is depends on what the application does with the value. It is possible to write a secure application without protecting any items, as long as the values for items are sufficiently validated ...
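The following is an added example, not code from the book: it shows what “sufficiently validated” means for an item that a user can set from the URL. It assumes a hypothetical application 100 with a page 4, a page item P4_ORDER_ID, and an ORDERS table with columns ORDER_ID and CUSTOMER_USER; the APEX URL format (f?p=App:Page:Session:Request:Debug:ClearCache:ItemNames:ItemValues) and the built-in :APP_USER substitution are real. The code is the body of a page validation of type “PL/SQL Function Returning Error Text”, where returning NULL means the validation passed.

```plsql
-- Added example (not from the book). Any user can set the item directly:
--   f?p=100:4:&SESSION.::NO::P4_ORDER_ID:1234
-- so the page must not trust P4_ORDER_ID until it has been checked against
-- data the server owns. ORDERS and its columns are hypothetical.
DECLARE
  l_owner orders.customer_user%TYPE;
BEGIN
  -- Reject anything that is not a plain numeric id before it reaches SQL.
  IF :P4_ORDER_ID IS NULL
     OR NOT REGEXP_LIKE(:P4_ORDER_ID, '^[0-9]{1,10}$') THEN
    RETURN 'Invalid order reference.';
  END IF;

  SELECT customer_user
    INTO l_owner
    FROM orders
   WHERE order_id = TO_NUMBER(:P4_ORDER_ID);

  -- Ownership is decided by the authenticated APEX user (:APP_USER),
  -- never by a value the client could have supplied in the request.
  IF l_owner <> :APP_USER THEN
    -- Same message as the no-row case, so the response does not reveal
    -- whether an order id belonging to someone else exists.
    RETURN 'Order not found.';
  END IF;

  RETURN NULL;  -- NULL = validation passed; page processing may continue
EXCEPTION
  WHEN NO_DATA_FOUND THEN
    RETURN 'Order not found.';
END;
```

Attach the validation to the page so it runs on both page rendering (for the URL case) and page submission (for the POST case); a check that runs only on submit still leaves a report that reads :P4_ORDER_ID during rendering exposed to the URL-tampering path described above.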
