If you enter this password
I_dont_know' OR 'x' = 'x
the resulting SQL is
SELECT COUNT(*) FROM users
WHERE username = 'SCOTT'
AND password = 'I_dont_know' OR 'x' = 'x'
This SQL statement erroneously returns 1, indicating True, rather than No data found, because the injected OR 'x' = 'x' is always true. The user is allowed in! Not good. To prevent the injection of unintended SQL, use bind variables in the SQL query, like so:
SELECT COUNT(*) FROM users
WHERE username = :USERNAME
AND password = :PASSWORD
Now try entering the following as your password:
I_dont_know' OR 'x' = 'x
Unless this entire string is literally your password, the database returns No data found: the bound value is treated as data, never as SQL. Your attempt to sneak past the login fails.
We recommend the use of bind variables whenever possible. They prevent SQL injection and improve SQL performance, since the database can reuse the parsed statement instead of hard-parsing a new one for every distinct input.
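The two queries above, run side by side as an added example (not from the original text): the concatenated version and the bind-variable version are fed the same password string. SQLite stands in for the Oracle database here, because it accepts the same :NAME bind syntax; the users table and its single row are constructed sample data.

```python
import sqlite3

# Constructed sample: an in-memory SQLite database standing in for the
# APEX users table (Oracle uses the same :NAME bind-variable syntax).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('SCOTT', 'tiger')")
    return conn

def count_concat(conn: sqlite3.Connection, username: str, password: str) -> int:
    """Vulnerable: user input is pasted straight into the SQL text."""
    sql = ("SELECT COUNT(*) FROM users "
           f"WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone()[0]

def count_bound(conn: sqlite3.Connection, username: str, password: str) -> int:
    """Safe: the same query with bind variables; input is data, never SQL."""
    sql = ("SELECT COUNT(*) FROM users "
           "WHERE username = :USERNAME "
           "AND password = :PASSWORD")
    params = {"USERNAME": username, "PASSWORD": password}
    return conn.execute(sql, params).fetchone()[0]

# The password string from the text (the closing quote after I_dont_know
# is what turns the rest of the input into SQL in the concatenated query).
PAYLOAD = "I_dont_know' OR 'x' = 'x"

if __name__ == "__main__":
    conn = make_db()
    # Concatenated: the OR 'x' = 'x' tautology makes COUNT(*) return 1.
    print("concatenated:", count_concat(conn, "SCOTT", PAYLOAD))
    # Bound: no row has that literal string as its password, so 0.
    print("bound:       ", count_bound(conn, "SCOTT", PAYLOAD))
    # Bound with the real password still works as intended, so 1.
    print("bound, real: ", count_bound(conn, "SCOTT", "tiger"))
```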
Built-In Items
APEX includes several built-in items for referencing key APEX application-wide
session-state values. These are set automatically by APEX and available for reference
by the developer throughout APEX. The most common of these are as follows:
APP_ID: The application identifier of the currently running application
APP_ALIAS: The application alias of the currently running application
APP_USER: The currently signed-on user
APP_SESSION: The session identifier of the currently signed-on user