The Importance of Bind Variables
When referencing APEX item values, particularly in SQL queries in your APEX application, it's important to think
about SQL security basics, including SQL injection. Consider the example of an online form that allows a user to sign
on with a username and password, which ultimately executes this query:
SELECT COUNT(*) FROM users
WHERE username = '&username'
AND password = '&password'
If you enter this password
I_dont_know' OR 'x' = 'x
the resulting SQL is
SELECT COUNT(*) FROM users
WHERE username = 'SCOTT'
AND password = 'I_dont_know' OR 'x' = 'x'
This SQL statement erroneously returns 1, indicating True, rather than No data found. The user is allowed in!
Not good. To prevent the injection of unintended SQL, use bind variables in the SQL query, like so:
SELECT COUNT(*) FROM users
WHERE username = :USERNAME
AND password = :PASSWORD
Now try entering the following as your password:
I_dont_know' OR 'x' = 'x
Unless this entire string is specifically your password, the database returns No data found. Your attempt to sneak past the login fails.
We recommend the use of bind variables whenever possible. They prevent SQL injection and improve SQL
performance.
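The two queries above, run side by side as an added example (not code from the book or from APEX): an in-memory SQLite table stands in for the Oracle USERS table, Python string formatting emulates APEX &ITEM. substitution, and sqlite3's named parameters play the role of the :USERNAME and :PASSWORD bind variables. The user row and the injected password are constructed sample data.

```python
import sqlite3

INJECTED_PASSWORD = "I_dont_know' OR 'x' = 'x"  # the page's sample input


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one user, standing in for the USERS table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('SCOTT', 'tiger')")
    return conn


def count_with_substitution(conn: sqlite3.Connection, username: str, password: str) -> int:
    """Emulates &USERNAME. / &PASSWORD. substitution: the item values are spliced
    into the SQL text, so a quote in the input changes the query's structure."""
    sql = (
        "SELECT COUNT(*) FROM users "
        f"WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return conn.execute(sql).fetchone()[0]


def count_with_bind_variables(conn: sqlite3.Connection, username: str, password: str) -> int:
    """The page's fix: :USERNAME and :PASSWORD are bind variables. The query text
    is fixed in advance and the input is only ever compared as a string value."""
    sql = (
        "SELECT COUNT(*) FROM users "
        "WHERE username = :USERNAME "
        "AND password = :PASSWORD"
    )
    row = conn.execute(sql, {"USERNAME": username, "PASSWORD": password}).fetchone()
    return row[0]


if __name__ == "__main__":
    db = make_db()
    # Substitution: the OR 'x' = 'x' clause matches every row, so the count is 1.
    print("substitution  :", count_with_substitution(db, "SCOTT", INJECTED_PASSWORD))
    # Bind variables: no user has that literal password, so the count is 0.
    print("bind variables:", count_with_bind_variables(db, "SCOTT", INJECTED_PASSWORD))
    # The legitimate credentials still authenticate with bind variables.
    print("real password :", count_with_bind_variables(db, "SCOTT", "tiger"))
```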
Built-In Items
APEX includes several built-in items for referencing key APEX application-wide session-state values. These are set
automatically by APEX and available for reference by the developer throughout APEX. The most common of these are
as follows:
APP_ID: The application identifier of the currently running application
APP_ALIAS: The application alias of the currently running application
APP_USER: The currently signed-on user
APP_SESSION: The session identifier of the currently signed-on user
APP_PAGE_ID: The currently running page identifier