Thursday, September 25, 2014

I am running for the ODTUG Board of Directors

After some thought, I decided I will be running for the ODTUG Board of Directors this year. I have been attending Kscope since 2008 (New Orleans). Presented at Kscope and APEXposed since 2009. Did a few webinars. Was a member of the APEX Content Team for Kscope12 and 13. And now I am the Content Lead for the APEX track for Kscope14 and Kscope15. So I like spending my free time on ODTUG, to keep Kscope the best conference out there. But ODTUG is more than Kscope. And I would love to add my time, expertise and network to ODTUG in order to do more.
So that's why I am running for the Board.

But it seems I am not the only one running.... For four positions, there are 24 nominations. Twenty-four! That means the chances are slim, but it shows how vivid ODTUG is. Most organisations that run on volunteers have a hard time filling these kinds of positions. ODTUG doesn't. I don't have a full list of names, but I now know about six of them. And they are all well-known persons and excellent for the job.
So that's good for ODTUG. Good for the community. And good for you.

My campaign will be focused around internationalisation. The current Board members are all based in North America. So it is natural ODTUG's focus is in that area. But luckily there already are some initiatives to "go global" - but that's not so easy. So I would like to add the views of other regions to the board, whether it's Asia, Australia, South America or Europe. In my opinion ODTUG should go more global, in close collaboration with the local user groups. (Co-)Organising events, webinars and web pages in other languages, etc. Doing so ODTUG should be able to get more members in those areas as well.
That's good for ODTUG. That's good for the community. And good for you as well.

My second focus will be around my favourite Oracle tool of course: Oracle Application Express. So I am in favour of special events that focus on APEX - like the APEXposed we had earlier. And probably we can make this global - that would be awesome. The APEX community within ODTUG already has a strong presence. Therefore we should benefit from this presence and grow even more.
That's good for ODTUG. Good for the community. And thus good for you.

You can cast your vote between October 7 and October 28. And you have to be a paid member to vote. But that's only $99 a year. And for that small amount of money, you are not only allowed to vote, you also have access to tons of material: articles, recorded webinars and presentations. And you get either a discount or free access to ODTUG events. So in the end ... becoming a member is a no-brainer. Thus if you haven't signed up for it: do it now.
Good for ODTUG. Good for the community. And definitely good for you!

Oh, and then don't forget to vote in October. For me ....

Friday, September 19, 2014

What happened at the first ORCLAPEX-NL Meetup?

Yesterday the first ORCLAPEX-NL Meetup was held. Finally. We seemed to be a little behind other locations - but pretty sure we'll catch up quickly!

After (a lot of) great pizza - kindly sponsored by smart4apex - and a round of introduction of every attendee, Richard kicked off the meeting by explaining the concept of these kinds of meetups. He also gave a nice review of his first experience of Kscope during Kscope14.
The weather was summer like outside - but the real die-hards were listening and discussing inside ....

... where Dick explained the limitations and challenges of developing web applications for smart phones.
During the Open Mic Night part of the evening, Steven showed a very nice APEX Web Application developed for mobile devices. The user interface looked very good and the flow was very well thought through. And it uses some very neat features like Local Database Storage and WebWorkers to temporarily store pictures and send them over the wire when possible without interfering with the performance / flow of the application itself.
Very well done!

And finally a picture of the whole gang. Thanks Oracle for having us! Especially thanks to Iloon for arranging that hospitality!
Until next Meetup .....

Friday, September 12, 2014

What happened at the first ORCLAPEX-BE Meetup?

Yesterday I attended the first ORCLAPEX-BE Meetup. Very well organised by Dimitri and Roeland. Remarkable fact: I was not the only "foreigner" as around 30 - 40% of the - around 16 - attendees were Dutch! So Meetups can even easily cross borders ...




So after some initial socialising ...
... Roeland explained the concept of these kinds of meetups.






In the next hour Dimitri went over all the great new features of APEX5, like Page Designer, Modal Pages, Syntax Highlighter etc.





Then there was plenty of pizza (and more socialising).





And then I went over the smaller - but nevertheless cool - features of APEX5 (as described in earlier blogposts).

Alas I had to leave after my presentation - looking at an almost 3 hour drive back home. But I know that the last 20 minutes or so were filled with two "Open Mic Night"-style demos.
I think all attendees had a good time. I really like the concept: relaxed networking, some presentations - with a lot of interaction due to the smaller crowd - and pizza.
The next ORCLAPEX-BE Meetup is already planned for November 19. Sign up here!

Wednesday, September 10, 2014

Your Kscope15 abstract is due today (or before Oct 15)!

It is still a long time before Kscope15. But if I look at the website .... I can hardly wait! 
A good conference needs a good time for preparation. An awesome conference .... needs even more time. So that's why we need your abstracts a.s.a.p. After the close every member of the review committee will go over every abstract and will give it a rating and a comment. When that's all done, the committee will have a number of (virtual) meetings to select the best abstracts and create the stunning program you expect from Kscope. And last but not least the schedule for the event has to be created where everything falls into its place ... So we really do need some time after October 15!

But what are we looking for? This only applies to the Oracle Application Express track, as every track has its own "wish list" ... you can see that when you enter your abstract in the Sub Category field. We split it up into these six:
  1. Integration: We often see that it is not "just APEX" out there. As APEX is an open framework it can be integrated with a lot of different technologies: AngularJS, NodeJS, ORDS, MySQL, NoSQL, EBS, Sharepoint, Web services, etc, etc. This integration can be on the front end / browser side or on the back end / database side. It doesn't matter. If you have something to share where APEX is used in combination with any other technology or tool. This is your subcategory.
  2. New Release: With APEX5 lurking somewhere around the corner - and it is pretty safe to assume it will be production at Kscope15 ;-) - it is time to share your ideas, thoughts, experiences with this New Release. Did you build your own Universal Theme? Please show it! Did you discover features that boosted your productivity? This is your chance to share it. So everything that's related to specific APEX 5.x features should go into this subcategory.
  3. Real World: How is APEX used within your company? By your clients? We want to hear stories from the real world. Maybe not cutting edge technology - but therefore even more valuable to the audience as they can use it immediately when they get home. Did you build a 3,000 page application? We want to hear about it! Did you build a 5 page application that is used by 10,000 people? We want to know that as well. And everything in between.
  4. Detail Plunge: You might be familiar with the Deep Dive sessions at previous Kscopes. A specific subject covered to every little detail for two or three hours. For Kscope15 we came up with the idea of a Detail Plunge: similar but way shorter. Just grab your most favourite small piece of APEX and tell us all about it! Do you know everything about Interactive Reports? This is your chance to share that knowledge. Totally enthusiastic about web services or XML? Come up and tell! So it isn't a broad subject, but it should be deep ...
  5. Other: For everything that doesn't fall into one of the other categories. That doesn't mean it isn't worthwhile. Absolutely not! That just might mean we missed a very good subject... So don't hesitate to categorise your abstract as such.
  6. Hands on: There's always place for a good Hands On session. Ideas are more than welcome.
So you should submit your abstract soon .... but certainly before October 15. This is the absolute deadline. No negotiations possible. No exceptions ... You only have to be an ODTUG member to submit. That can be either a full member for $99,- or an associate member for ... free. But hey, it's just $99,- a year - and for that small amount you get access to an awful lot of content on the ODTUG site - and there are other advantages as well, check out the ODTUG web site.

You can submit here
See you in Hollywood, Florida!

Tuesday, September 09, 2014

First ORCLAPEX-NL Meetup !

Earlier this year Dan McGhan - inspired by local JavaScript meetups - started the first Oracle APEX Meetup. Since then it has gone viral. As you can see on ApexMeetups the meetups are more or less global nowadays!
And even in The Netherlands we will officially join this virtual group and have our first ORCLAPEX Meetup on Thursday September 18. The location is central and well known: The Dutch Oracle HQ alongside the A2 highway. Thanks Oracle for providing the accommodation!
From 6PM onwards you can come in and join the group with a slice of pizza and a soda. As usual with these meetups, the structure of the meeting is more or less free format. The most important goal is to meet and greet fellow APEX Developers. We will have one or two (short) presentations: One about the concept of these Meetups - to set everyone's expectations - and one about using Angular JS for mobile APEX development. If you want to share your experiences, questions, knowledge etc.: this is the place to be!
Seating is limited - and pizza as well - so you have to register at ORCLAPEX-NL Meetup a.s.a.p. Please use your full name as we need it for getting you into the building ;-)
Hope to see you there!

Monday, September 08, 2014

10 New APEX 5 Features

The last two weeks I wrote a daily blogpost about a new feature in APEX 5. And intentionally I didn't cover the "big" features, like the new Page Designer, the Modal Pages, the Universal Theme etc as these probably are - or will be - covered by other people. So in my 10 blogposts I covered "Ten Tiny Things" ... 
For those who missed it - all or parts of it - herewith a list of subjects with the links:
I hope you liked it!

Friday, September 05, 2014

APEX 5 New Static File Features

In APEX 4 you could upload files - like CSS files, JavaScript files, Images and whatever else you like - into the APEX Repository. When you navigate to Shared Components, there is a Files section that offers three different options:
CSS Files are always uploaded (and changed !) for the whole Workspace. For Images and Static Files (usually JavaScript) you could choose whether they should be available for the whole Workspace or for a specific Application only.
And if you had a lot of files - e.g. a lot of images - then you had to go through the upload process one-by-one. But that's usually a one time only thing. If you make changes to the CSS and JavaScript files - and that's a continuous process in development - then you had to delete the existing file and upload the new one. Over and over again. And meanwhile fighting the cache of the webserver and your browser. 
And another irritating issue: You couldn't use relative references in your CSS or JavaScript files as they just don't work as in a regular file system.
(Little side note here: Of course it is more convenient - and performant - to put those files on a web server and make the changes directly on the files. But alas, in some environments developers don't have access to the web server ....)

In APEX 5 .... this is all waaaay better and easier! First of all: There is no unnecessary distinction between file types. Just like pigs, all files are equal. There is only a logical distinction between Application and Workspace Files.
But wait. It gets even better. You don't have to upload all your files one-by-one anymore. You can just put them in a zip file and upload that one. And the zip file will be unzipped into the different original files.
And if your zip file contains directories .... those directories are created in the APEX Repository as well. So now you CAN have relative references in your JavaScript files - as you can see in the screenshot below showing a set of uploaded Cordova files!  
And immediately you'll notice another handy addition: You can see how you can reference that file as well! And when you use a reference like #APP_IMAGES#database.png this will be translated at runtime to something like roel/r/11788/files/static/v13/database.png. And that doesn't look like a procedure call anymore (wwv_flow_file_mgr.get_file....) but more like a path reference to a file.

And one more thing ....
You probably noticed the "v13" in the URL to that image. And this might be even the coolest part ... If you change a file and upload it with the same name - so no need to delete it first! - the reference will be automagically updated and points to your new file. Instead of "v13" it'll be using "v17" or similar. So you never experience caching issues as this is seen by the web server and your browser as a new file!

And as a bonus you can also select all the files from the APEX repository and download it as one zip file ...

Thursday, September 04, 2014

APEX 5 New Package Features

To get a proper list of the new packages and APIs APEX 5 provides us, we have to wait for the documentation of course. But if you're impatient and want to know more, you can get a list of all package procedures and functions by running this SQL on the APEX 5 Early Adopter instance:


select distinct s.synonym_name, p.procedure_name
from all_procedures p join all_synonyms s on p.object_name = s.table_name
where p.owner like 'APEX%'
  and s.synonym_name like 'APEX%'
order by 1, 2;

You'll get a list of over 700 procedures/functions. Most should look familiar. But there are some new kids on the block like APEX_JSON, APEX_SPATIAL and APEX_ZIP.
You can examine the ALL_SOURCE view to get more insight by looking at the parameters and the examples in the comments.

The APEX_ZIP package is - according to the comments in the package - based on the work of Anton Scheffer (see this blog post). The functions / procedures can be used to zip and upload a file or to download and unzip a file. 

The APEX_SPATIAL package enables you to use the Oracle Locator and Spatial Option within APEX. I am not sure whether one of the functions in that package actually requires a Spatial Option license - and if you can easily violate the (absence of that) license by calling such a function "by accident". Maybe one of the Oracle people can shine a light on this - always tricky - subject!

Finally, the APEX_JSON package is used for generating and parsing JSON with PL/SQL. As an example - more or less "borrowed" from Morten Braten's post:

Generating JSON
begin
   apex_json.initialize_output(p_http_header => false);
   apex_json.open_object();
   apex_json.write('Item1','value1');
   apex_json.open_array('Attributes');
   apex_json.open_object();
   for i in 1..3 loop
     apex_json.write('Attr'||i, i);
   end loop;
   apex_json.close_object();
   apex_json.close_array();
   apex_json.write('ExtraData','More to come');
   apex_json.close_all();
end;

results in :

{ "Item1":"value1" 
,"Attributes":[ { "Attr1":1 ,"Attr2":2 ,"Attr3":3 } ] 
,"ExtraData":"More to come" }

Parsing JSON
declare
   l_json varchar2(32767) := '{"empno":123, "empname":"King", "empsal":3000}';
begin
   apex_json.parse( l_json );
   htp.prn( apex_json.get_number( p_path => 'empno' ));
   htp.prn( apex_json.get_varchar2( p_path => 'empname' ));
end;


Results in : 123 King

This feature can be very handy when you want to generate JSON as a source for one of the many JavaScript charting libraries that usually need data in this format. Or - the other way around - when a call to an ORDS Web Service returns JSON and you need to display the results somewhere on a page.

Wednesday, September 03, 2014

APEX 5 New Authorization Evaluation Point Features

In APEX 4 you can define Authorization Schemes. This is a very useful feature to prevent code repetition all over the place. For instance, an Authorization Scheme "Is Admin" might use a select on one or more tables (or web service calls or whatever is necessary) to determine whether a user, the :APP_USER, has an Admin role or not. And you can use any value in session state, like :APP_ID or :APP_PAGE_ID in your query (or function call). The result of this call is usually pretty static. So you could specify when the code should be evaluated: Once per Page View or Once per Session. The latter is obviously more efficient as it will run only once from login to logout.
This works fine. Until you want to build your own fine-grained access control mechanism. As an example: If you have a page with three buttons on it, you can define an Authorization Scheme for these buttons and use that. So all three buttons use the same Authorization Scheme and are either all visible on the page or all hidden, as the Authorization Scheme will be evaluated once and only once for that Page. And if you needed more fine-grained control you had to define three different Authorization Schemes, one for each button. And that will grow into a maintenance nightmare.

In APEX 5 this will be resolved. Next to the "old" options you can now specify an evaluation "Once per Component" and "Always".
"Once per Component" means the code is evaluated once per component for the duration of the session. So using this setting you can (re)use the same Authorization Scheme for the three buttons - as it will be evaluated three times. To make it even more useful: They also included three new bind variables (:APP_COMPONENT_TYPE, :APP_COMPONENT_ID and :APP_COMPONENT_NAME) that you can use in your query. So using these new bind vars (or one of them) you can create functionality that supports things like DIY fine-grained access control - where a privileged user can grant or revoke access to certain elements on a page!

Tuesday, September 02, 2014

APEX 5 New Substitution Syntax Features


You've probably all heard about XSS, a.k.a. Cross Site Scripting. One of the ways you make yourself vulnerable to XSS is by creating JavaScript in your APEX applications that accepts unescaped user input - either entered directly or retrieved from the database.
As a - very stupid and simple - example, create a Page with a Text Item (say P3_TEXT). Next create a Dynamic Action that executes this snippet of JavaScript on Page Load:

alert("You entered &P3_TEXT.")

When you now enter some text like "Hello world" and submit the page, the response is an alert box with "You entered Hello world". But now enter something like:

the dark world");window.open("http://www.google.com

This looks like half a piece of code - and in fact it is. It is completed by the (other) JavaScript snippet that's using this snippet as input: the first double quote in the input closes the string literal that the snippet opened, and everything after it is executed as code. Now you get an alert saying "You entered the dark world" and an extra window is opened showing the Google search page. That's quite harmless, but you can invoke any JavaScript - also loading additional data and scripts from other servers etc... So you have to protect your application against this kind of hack. And of course there are many ways to do so, like escaping the value in JavaScript.

But in APEX 5 you've got a new and simple option: Use the Extended Substitution Syntax. So instead of &P3_TEXT. you should use &P3_TEXT!JS. (so including the ampersand, the exclamation mark and the dot at the end). Now the input text is properly escaped - and harmless ;-). Just like a call to the apex_escape.js_literal function would do.

There are more variants on this "Extended Substitution Syntax" theme: 
&P3_TEXT!HTML. => escape all HTML, like the apex_escape.html function
&P3_TEXT!ATTR. => escape all HTML attribute values, like the apex_escape.html_attribute function
&P3_TEXT!RAW. => Don't escape (so dangerous....) 
 
So in APEX 5 you've got even more possibilities to make your application secure - and fewer excuses ;-)
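
The difference between &P3_TEXT. and &P3_TEXT!JS. in the alert snippet above, as an added example that is not part of the original post and is not APEX code. The substitute, jsLiteral and run helpers are hypothetical names; jsLiteral is a simplified stand-in escaper (an assumption, not the apex_escape.js_literal implementation), and only the plain, !RAW and !JS forms are modelled.

```javascript
// Added illustration; models how a substituted value ends up inside JavaScript source.

// Simplified stand-in for a JavaScript-literal escaper (assumption: NOT the
// apex_escape.js_literal implementation). Every character outside a small
// safe set becomes a \uXXXX escape, so it can never terminate the literal.
function jsLiteral(value) {
  return String(value).replace(/[^A-Za-z0-9 _.,:-]/g, (ch) =>
    "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Replace &ITEM. / &ITEM!RAW. / &ITEM!JS. references in a code template.
function substitute(template, items) {
  return template.replace(/&([A-Z0-9_]+)(?:!(JS|RAW))?\./g, (ref, name, mod) => {
    const value = items[name] ?? "";
    return mod === "JS" ? jsLiteral(value) : value; // plain and !RAW: no escaping
  });
}

// Execute the generated script against stubbed alert/window.open and record
// which calls it makes, instead of touching a real browser.
function run(script) {
  const calls = [];
  const alertStub = (msg) => calls.push(["alert", msg]);
  const windowStub = { open: (url) => calls.push(["window.open", url]) };
  new Function("alert", "window", script)(alertStub, windowStub);
  return calls;
}

// Session state holding the input quoted in the post.
const items = { P3_TEXT: 'the dark world");window.open("http://www.google.com' };

// Template as written in the post, and the same template with !JS.
const unsafeScript = substitute('alert("You entered &P3_TEXT.")', items);
const safeScript = substitute('alert("You entered &P3_TEXT!JS.")', items);

console.log(unsafeScript);
console.log(run(unsafeScript)); // two calls: the input became code
console.log(safeScript);
console.log(run(safeScript));   // one call: the input stayed data
```

A quick review check for existing applications is to search JavaScript code (Dynamic Actions, page-level JavaScript, inline scripts in templates) for substitution references without a modifier and decide for each whether the value can contain user-controlled text.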

 

Monday, September 01, 2014

APEX 5 New Runtime API Lockdown Features

In APEX 4.x the developer could implement a feature that involves a call to the APEX API. E.g. you could create new pages on the fly if you would like to (just examine an export file for the how-to). You could drop an application using a procedure from the APEX_INSTANCE_ADMIN package. You could drop a user using APEX_UTIL.REMOVE_USER. If this is all on purpose and secured then that's fine. But maybe you created some opportunities for SQL Injection ... and someone else could use that technique to call those very same procedures. So the bad guy (or girl) could drop your application - or maybe even worse: could create a user and give himself full access to everything!
Of course you should prevent that from happening by fixing the SQL Injection holes. But next to that: You can prevent your application from using those APIs at all! And in APEX 5 that's even the default setting. So you're safe by default ;-)

But assume you really need access to those API's, there is an Application Level Security setting you can set.
So you can switch on access to APIs that make changes to Applications or the Workspace. The only thing is - you have to figure out yourself what setting you should enable...
So what happens if your application has the option of creating a user on the fly - and thus calling APEX_UTIL.CREATE_USER - and you didn't switch on "Modify Workspace Repository"?
Then you (or your user) gets this "nice" error page:
This sounds rather cryptic - and it is - but actually there is an entry in the Debug Messages with that ID. Even when you're not running in debug mode!
And this entry is:
But of course it is better to catch these errors (and all other ones as well) via an Error Handling Function. That way you can get an email when something like this happens and fix it - or be warned that some bad things are happening ....

But it's a nice additional security feature!