Database Reference
In-Depth Information
If you enter this password

    I_dont_know OR 'x' = 'x

the resulting SQL is

    SELECT COUNT(*) FROM users
    WHERE username = 'SCOTT'
    AND password = 'I_dont_know' OR 'x' = 'x'

This SQL statement erroneously returns 1, indicating True, rather than No data found. The user is allowed in! Not good. To prevent the injection of unintended SQL, use bind variables in the SQL query, like so:

    SELECT COUNT(*) FROM users
    WHERE username = :USERNAME
    AND password = :PASSWORD

Now try entering the following as your password:

    I_dont_know OR 'x' = 'x

Unless this entire string is specifically your password, the database returns No data found. Your attempt to sneak past the login fails.

We recommend the use of bind variables whenever possible. They prevent SQL injection and improve SQL performance.
Built-In Items
APEX includes several built-in items for referencing key APEX application-wide
session-state values. These are set automatically by APEX and available for reference
by the developer throughout APEX. The most common of these are as follows:
• APP_ID: The application identifier of the currently running application
• APP_ALIAS: The application alias of the currently running application
• APP_USER: The currently signed-on user
• APP_SESSION: The session identifier of the currently signed-on user