Tuesday, May 5, 2020

Importance of PREPARE_URL for redirecting in Oracle APEX

An application developed with Oracle APEX is a web application with a bunch of pages for presenting data and for communicating with the Oracle database server. Within this application, an end user travels from one page to another.

When an end user is redirected from one page to another, we have to make the redirect secure so that we prevent unwanted DML requests. The PREPARE_URL function of the APEX_UTIL package helps to make redirects secure when we pass a value from a page item of one page to a page item of another page.

First, we have to understand how an Oracle APEX URL is constructed. Here is the syntax used before 20.1:
f?p=App:Page:Session:Request:Debug:ClearCache:itemNames:itemValues:PrinterFriendly
Since friendly URLs were introduced in 20.1, a URL looks like this:
https://apex.oracle.com/pls/apex/zigzag/r/apex-recipe/home?session=714253588663910
The construction of the URL is still the same; only its appearance has changed.

If we want to communicate with the database server from any page of our application, then we have to set the page access protection to "Arguments Must Have Checksum" in the page properties.

What does the checksum do?
With a checksum, our redirect URL carries &cs=<large hex value>, which restricts the user from changing the actual values in the URL.

Have a look at the messages about page access protection from Oracle APEX:

Unrestricted
The page may be requested using a URL, with or without session state arguments, and without having to have a checksum.

Arguments Must Have Checksum
If Request, Clear Cache, or Name/Value Pair arguments appear in the URL, a checksum must also be provided.
The checksum type must be compatible with the most stringent Session State Protection attribute of all the items passed as arguments.

No Arguments Supported
A URL may be used to request the page, but the URL can not contain Request, Clear Cache, or Name/Value Pair arguments.

No URL Access
The page may not be accessed using a URL.
However, the page may be the target of a Branch to Page branch type, as this does not perform a URL redirect.
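
A simplified model of the "Arguments Must Have Checksum" rule and of a session-level checksum, as an added example that is not from the original post and is not Oracle APEX code. HMAC-SHA256, the session keys, the choice of protected fields, application id 100 and all function names are assumptions made for illustration; how APEX really computes the checksum is not shown on this page.

```python
import hashlib
import hmac
from urllib.parse import parse_qs

# f?p=App:Page:Session:Request:Debug:ClearCache:itemNames:itemValues:PrinterFriendly
PROTECTED = (3, 5, 6, 7)  # Request, ClearCache, itemNames, itemValues


def _split(url):
    """Return (the f?p fields padded to 9 entries, the cs value or None)."""
    query = parse_qs(url.partition("?")[2], keep_blank_values=True)
    fields = query.get("p", [""])[0].split(":")
    fields += [""] * (9 - len(fields))
    return fields, query.get("cs", [None])[0]


def _mac(fields, session_key):
    """Keyed checksum over the page id and the protected arguments."""
    msg = "\x00".join([fields[1]] + [fields[i] for i in PROTECTED])
    return hmac.new(session_key, msg.encode(), hashlib.sha256).hexdigest()


def prepare_url(url, session_key):
    """Hypothetical stand-in for a PREPARE_URL-style helper: append &cs=<hex>."""
    fields, _ = _split(url)
    return f"{url}&cs={_mac(fields, session_key)}"


def check_request(url, session_key):
    """Apply the 'Arguments Must Have Checksum' rule to an incoming URL."""
    fields, cs = _split(url)
    if not any(fields[i] for i in PROTECTED):
        return "accept"  # no Request/ClearCache/item arguments to protect
    if cs is None:
        return "reject: checksum missing"
    expected = _mac(fields, session_key)
    if not hmac.compare_digest(cs.encode(), expected.encode()):
        return "reject: checksum mismatch"
    return "accept"


# Constructed sample data: each key stands in for one session's secret.
KEY_A, KEY_B = b"constructed-session-key-A", b"constructed-session-key-B"
GOOD = prepare_url("f?p=100:10:714253588663910::NO::P10_ITEM:ABC", KEY_A)
TAMPERED = GOOD.replace("P10_ITEM:ABC", "P10_ITEM:XYZ")
```

In this model, GOOD is accepted under KEY_A, while TAMPERED, the same URL without &cs, and GOOD replayed under KEY_B are all rejected.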

Now for some good news. All the default redirecting scopes in Oracle APEX provide the checksum when redirecting. So a LINK, a branch, or a redirect defined in attributes is safe to use. But when we build a URL manually to redirect, we have to be cautious.

In the end, use APEX_UTIL.PREPARE_URL to redirect with valid 'SESSION' level arguments.
DECLARE
    l_url varchar2(2000);
    l_app number := v('APP_ID');
    l_session number := v('APP_SESSION');
BEGIN
    -- Build the f?p URL that sets P10_ITEM on page 10 and let
    -- PREPARE_URL add a session-level checksum to it.
    l_url := APEX_UTIL.PREPARE_URL(
        p_url => 'f?p=' || l_app || ':10:'||l_session||'::NO::P10_ITEM:ABC',
        p_checksum_type => 'SESSION');
END;
You can use APEX_UTIL.PREPARE_URL when building an anchor tag (<a> tag) as a string, like this:
-- String expression: the href is the checksummed URL that passes ID to P27_GUEST_ID.
'<a href="'|| APEX_UTIL.PREPARE_URL(
   p_url => 'f?p=' || V('APP_ID') || ':27:'|| V('APP_SESSION') ||'::NO::P27_GUEST_ID:'|| ID,
   p_checksum_type => 'SESSION')||'">
Link Text</a>'
And if your user is a public user and the page is a public page, then use this code:
APEX_UTIL.PREPARE_URL(p_url => 'f?p=' || :APP_ID || ':10:'|| :APP_SESSION
||'::NO::P10_ITEM:ABC');

I think this helps you. Good luck.
