Tuesday, March 27, 2007

Somebody to get you introduced

A friend sent me this link. Have a look at that video, it's unbelievable!!

I really would like to hire him to begin our Apex Evangelists training days!
When somebody like that introduces us... oh boy, I'm sure you won't forget our trainings ;-)

APEX getting famous

Last week, a new version of APEX came out.
A lot of us blogged about it (my blog-roll picked these up):

Before, "the world" didn't care much about it, but today I get the impression that APEX is becoming serious business! The following articles prove this statement:
Probably a lot more articles will follow!

Thursday, March 22, 2007

Adobe Flex and Oracle

A few weeks ago I tried to run the sample Adobe Flex application on an Oracle Application Server (Fusion Middleware) and an Oracle Database.

It's not that difficult to get it running. I got a hint from Marc M. about which parameters I should use when starting my oc4j, and from that moment on it worked really nicely.

You should start the oc4j as:

"%JAVA_HOME%\bin\java" %JVMARGS% -Xmx1024m -Doc4j.jmx.security.proxy.off=true -jar "%OC4J_JAR%" -userThreads %CMDARGS%

What did I use and why? (my configuration):

  1. Oracle Database 10gR2 - data
  2. Oracle Application Server 10g (stand-alone - 10.1.3.1) - hosting app and monitoring
  3. Adobe Flex Data Services - binding with data
  4. Adobe Flex Builder (with sample apps) - building Flex app
  5. JDeveloper (10.1.3.1) - deploying app

A screenshot to show you the proof ;-)

Friday, March 16, 2007

APEX 2.2.1 upgraded to 3.0 with success

As you can see below, the upgrade to APEX 3.0 on my local instance was successful.
It took me about 56 minutes to run the upgrade.

(During the upgrade I received an ORA-00257, an archiver problem. If you get the same error, look at Note:278308.1 on Metalink to solve it.)

The first tests were successful... To get PDF printing working, a bit more is needed, as BI Publisher or an XSL-FO server is required. You find the integration steps here.


The new version of APEX 3 on my local machine, exact version Application Express 3.0.0.00.20

The screen after installing APEX 3.0


Thanks APEX-Dev team! This new version is great!

APEX 3.0 out! Get it now!

I'm downloading APEX 3.0 at this very moment! You find the download here, it's about 75MB.

Also, the APEX OTN page is restyled!

Even before I finished my blog post, the download is finished ;-)
Now it's time to get it installed... I also saw that there's something specified about web 2.0.
In the next hours I'll post about the installation/upgrade to APEX 3.0 ;-)

Wednesday, March 14, 2007

Apex Evangelists goes live!

Today John Scott and I are launching Apex Evangelists. We formed the idea for an Application Express services company during one of our many discussions at Oracle OpenWorld, and over the last few months we have honed our idea of what we are going to provide.


The idea behind Apex Evangelists is that we will use our knowledge and experience of Application Express to provide a range of services, some of which are listed here -

  • Application & Website Development (plus of course hosting)
  • Training & Coaching (onsite and in our European Training Days)
  • Application and Database Migrations
  • Support Services

Our primary goal is to provide these services to the European market and to generally evangelise (hence the name!) about how beneficial using APEX can be for European companies. We also decided that, in order to take on bigger projects than just the two of us could handle and to cover more of the European market, we would need to involve other great, enthusiastic APEX developers, so we're pleased to announce that Dietmar Aust, Patrick Wolf and Denes Kubicek will be helping us in our quest.

These are very exciting times and I'm sure that there are busy times ahead!

APEX 3.0 public (online)

Well, as expected... APEX 3.0 is already on the public APEX site.
I'm sure the downloadable version will be available soon!


I suppose I don't need to say that APEX 3.0 is so, soooo great ;-)

Saturday, March 10, 2007

The history (I know) of APEX

During one of my chats with John Scott, the question popped up of how long we had already been playing with APEX. I began searching in my archives...

A short overview of how I got in touch with APEX (aka HTMLDB aka Project Marvel).

In 2000 (I was working at Oracle) I saw a demo of an application made in WEB DB. I didn't play that much with WEB DB, but some of my (ex-)Oracle colleagues really loved it. Nevertheless in some projects around that time I used mod_plsql...

A few years later I saw a PowerPoint presentation of "Project Marvel". From the beginning I thought, "waaaw", this looks very good and promising. I think it was around February 2003 that I got more information about this project. I even found a screenshot in my archives from that time.


In September 2003 I first heard the name HTML DB. That was the first time I really played with it, I think it was v1.3. I still have a zip of version 1.4 ;-)
I think my first message about APEX (HTMLDB) in the OTN forum was on Oct 1, 2003 2:06 AM. Apparently at that time I was working with v1.4: http://forums.oracle.com/forums/thread.jspa?messageID=554340
Raj, at that time one of the HTMLDB developers, answered me!


The rest you know, as it was public: HTML DB v1.5 -> v1.6 -> v2 -> APEX.
I also found a pdf describing the history.

To show you the difference, a screenshot of the current APEX version
(but that you know, I suppose)

Friday, March 09, 2007

Document management in ApEx

A lot of people still think that ApEx is just a replacement for Excel or Access.
But come on! That changed a long time ago. ApEx is a real development framework! The community has already released a lot of applications and sample code. A lot of the people in the ApEx community are sharing their knowledge and experience...

Still not convinced? Have a look at the application below... It's a free application that you can download from the OTN site. The roll-over menu when you click on readme.txt is very nice, as is everything else in there. This is just one example of what ApEx can do.

You can login as dg_docm/dg_docm (username/password)

Tuesday, March 06, 2007

Getting to know yourself

I'm currently looking into myself. I really want to know who I am and what I stand for.
The more and better you know yourself, the more and better you can be there for others.
Thanks to somebody I really appreciate, I got in touch with Enneagrams.
This is a really nice theory about a person... It's nothing IT or Oracle related, but I thought I'd blog about it, as this can maybe help some others to find themselves.

An Enneagram looks like this:


Not sure if this is "well-known" in the world of IT and Consulting.

Saturday, March 03, 2007

SQL injection? No, Cursor injection

Just came across a paper called "Cursor Injection - A New Method for Exploiting PL/SQL Injection and Potential Defences" by David Litchfield.

It shows once more that writing proper code is important, as is getting your database to the right patch level.

--
Off topic: Carl Backstrom blogged about a music clip called "Code Monkey" here. You should see it, it's fantastic!
--

Friday, March 02, 2007

Doing a whitepaper? Begin early enough!

This will probably be my last night working on my whitepaper for Collaborate 07. I look forward to a long night's sleep at the weekend!

This night I was not alone! My friend John Scott was also working on his presentation ;-) When you know you're not alone doing these things that need to be done, it's a bit easier. We also triggered each other once in a while. Thanks John for keeping me alive!

It's my first whitepaper for a big event, so I thought I should blog about my experience doing it and warn others not to make the same mistake.

I submitted my abstract, that's easy... I also had my presentation in my "head" (I thought), so writing this whitepaper shouldn't take that long. That was a *big* mistake, or should I say a miscalculation. ;-)

I started with the concept of what I wanted to tell: ApEx Shared Components, what can they do? And why and how I used them in DG Tournament. A manual is great, but it doesn't show you that specific thing working in a real environment, so I wanted to cover that area.
Of course I love some screenshots, as an image says more than a thousand words, so I made a lot of them and included them in the whitepaper.

When I was writing things down, I thought: "Will this be interesting enough for the public?", "Does all this fit in a one-hour presentation?" etc.

So, I asked John Scott and Doug Gault to have a look at the very first draft of the paper. They sent me some comments and tips on how to improve it (thanks guys).
That's something I learned from Tom Kyte; he once said that it's important to have good reviewers.
I realize now I should have asked more people to read my whitepaper, or let them reread the current version. Well, next time I'll try to do better and think about what happened this week.

Finally my Tips & Hints when you want to do your first whitepaper:
  1. Prepare yourself
  2. Know what you want to write about
  3. Know what you want to tell to the audience
  4. Start early
  5. Let good people review your paper
  6. Adapt accordingly
  7. If time becomes an issue: get enough coffee ;-)

This is my advice so far, I wish I had followed all of that myself!
If you have other tips for me, don't hesitate to leave a comment.

Thursday, March 01, 2007

Session State Protection and URL Tampering in ApEx

For the third night in a row I'm working on my whitepaper "APEX by Example: Shared Components" for the IOUG Collaborate 07 conference. I need to upload it tomorrow, so no time to lose! Nevertheless I wanted to blog about URL tampering, which I was investigating when I came to "Session State Protection" in the Shared Components area of ApEx.

For the moment I described it like this in my whitepaper (comments to make it better are welcome):

Session State Protection

Enabling Session State Protection can prevent hackers from tampering with the URLs within your application. URL tampering can adversely affect program logic, session state contents, and information privacy.

In DG Tournament


Why?

For security reasons! URL tampering: web-based applications, including those developed in Oracle Application Express, often pass values from one page to another through a URL. A clever enough user may observe this and override a value by typing his own value in the location field of his browser. For example, in DG Tournament, when logged in as Admin, I can see a list of all users. When I click on a user for his details, I see the same screen a normal user would see on the “Your Profile” page. The URL that makes that call looks like this:

f?p=103:10:240848379705417::NO::P10_USER_ID:70

My application is 103, on page 10, with session id 240848379705417 (my session has a unique number). At the end you see P10_USER_ID:70, which means that my record (Dimitri Gielis) is user_id 70. By putting this in the URL, the value is set in session state.
When “Session State Protection” is disabled you can easily see another user by changing the URL to

f?p=103:10:240848379705417::NO::P10_USER_ID:71

This will give me the record (user) with user_id 71; without going through the application I can obtain other users' information.
When “Session State Protection” is enabled you get a message like the one in the screenshot above, which tells you that session state protection has been violated.

How?

  1. At the moment the Session State Protection is disabled.


  2. To enable, disable, or configure Session State Protection using a wizard, click Set Protection.


  3. Click the Enable Session State Protection button


  4. We can see that the Session State Protection is now Enabled


  5. By clicking on the Page button you get following screen


  6. Select the page you want to protect, in DG Tournament for example User Detail, and change the Page Access Protection. You can also go down to item level to set the protections.


  7. That will add a checksum to the end of the URL. An example of the previous URL, but protected:
    f?p=103:10:240848379705417::NO::P10_USER_ID:70&cs=3831E8EB498FF406064BE08337E72A9DF
    When you try to change the user_id from 70 to 71 you get a message that session state protection has been violated.
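To make the "Why?" and "How?" sections above concrete, here is an added example (my own illustration, not APEX's code and not the algorithm APEX itself uses for the cs parameter) that builds and verifies a checksum-protected f?p URL in the format shown in the post. The protected fields, the HMAC-SHA256 construction, the 32-digit truncation and the server secret are all assumptions of this example; APEX's real checksum is not described on this page. The point it demonstrates is the one the post makes: with a valid checksum the server accepts P10_USER_ID:70, and editing the value to 71 in the address bar (or dropping the checksum) is detected as a session state protection violation.

```python
"""Checksum-protected URL item values, modelled on the APEX f?p URL format.

Added example, not APEX's own implementation. Assumption: an HMAC over the
application, page, session and item name/value fields is appended as cs=,
and the server refuses any request whose items no longer match it.
"""
import hashlib
import hmac
from urllib.parse import parse_qsl

# Constructed secret for this demo; a real server keeps its own per-instance key.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"


def _checksum(app, page, session, item_names, item_values):
    """HMAC-SHA256 over the protected fields, shortened to 32 upper-case hex digits.
    Which fields feed the checksum is this example's choice (assumption)."""
    msg = ":".join([app, page, session, item_names, item_values]).encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()[:32].upper()


def build_protected_url(app, page, session, items):
    """Return f?p=app:page:session::NO::names:values&cs=... for the given items."""
    names = ",".join(items.keys())
    values = ",".join(str(v) for v in items.values())
    p = ":".join([app, page, session, "", "NO", "", names, values])
    return "f?p=" + p + "&cs=" + _checksum(app, page, session, names, values)


def parse_fp(url):
    """Split an f?p URL into its eight positional fields plus the optional cs value."""
    query = url.split("?", 1)[-1]
    params = dict(parse_qsl(query, keep_blank_values=True))
    fields = params.get("p", "").split(":")
    fields += [""] * (8 - len(fields))  # pad short URLs to all eight positions
    app, page, session, request, debug, clear_cache, names, values = fields[:8]
    return {
        "app": app, "page": page, "session": session, "request": request,
        "debug": debug, "clear_cache": clear_cache,
        "item_names": names, "item_values": values, "cs": params.get("cs"),
    }


def verify_url(url):
    """Return the item dict when the checksum matches the URL, else None.

    A missing checksum and any edited item value (e.g. P10_USER_ID 70 -> 71)
    both fail; that is what the application reports as a protection violation.
    """
    f = parse_fp(url)
    if not f["cs"]:
        return None
    expected = _checksum(f["app"], f["page"], f["session"],
                         f["item_names"], f["item_values"])
    if not hmac.compare_digest(expected, f["cs"]):
        return None
    names = f["item_names"].split(",") if f["item_names"] else []
    values = f["item_values"].split(",") if f["item_values"] else []
    return dict(zip(names, values))


def edit_item_value(url, item, new_value):
    """Rebuild the URL with one item value changed but the original cs kept,
    which is what editing the value in the browser's address bar amounts to
    (constructed test helper used to show the check rejecting such a URL)."""
    f = parse_fp(url)
    names = f["item_names"].split(",")
    values = f["item_values"].split(",")
    values[names.index(item)] = str(new_value)
    p = ":".join([f["app"], f["page"], f["session"], f["request"], f["debug"],
                  f["clear_cache"], ",".join(names), ",".join(values)])
    return "f?p=" + p + "&cs=" + (f["cs"] or "")


if __name__ == "__main__":
    good = build_protected_url("103", "10", "240848379705417", {"P10_USER_ID": "70"})
    print(good)
    print("own record:     ", verify_url(good))
    print("edited to 71:   ", verify_url(edit_item_value(good, "P10_USER_ID", "71")))
    print("checksum dropped:", verify_url(good.split("&cs=")[0]))
```

Because the session id is part of the signed fields in this example, a protected URL copied from one session carries a checksum that does not validate in another, which is the behaviour you want when item values such as a user id travel in the URL.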