Friday, September 05, 2008

A new book on APEX coming out...

There is a new APEX book coming out soon - I wrote a foreword for it.  There has been some discussion of it on asktom - and I thought I'd publish the foreword here:

I consider myself a pragmatic person – one that uses the right tools for a job, one that employs the most straightforward and easy way to accomplish a task.  To that end, I’ve been a great supporter and fan of Oracle’s Application Express (APEX) from before the day it was introduced.  I say “before the day” because I’ve had the honor and pleasure of using APEX long before it was released to the public at large – my website,, is one of the first websites ever built with the software that was to become known as APEX.

APEX is one of the most pragmatic database development tools I know of. It does one thing and one thing well – it rapidly implements fully functional database applications – applications that are used to predominantly access, display and modify information stored in the database (you know, the important applications out there). It facilitates using the database and its feature set to the fullest – allowing you to implement some rather complex applications, with as little work (code) as possible. It is possible to build extremely scalable applications with a huge user base ( for example is built with APEX). It is possible to build extremely functional applications, with seriously powerful user interfaces (APEX itself is written in APEX, proof of this). It is easy to build applications rapidly, the current version of was developed in a matter of days by two developers – in their spare time, it was not a full time job.

While it all sounds wonderful and easy so far, APEX is a rather sophisticated tool with many bits of functionality and a large degree of control over how the generated application will look and feel.  To fully utilize the power of APEX – one needs to have a guide, a mentor show them how to do so; very much akin to what I do with people regarding the Oracle database.

This book – Oracle Application Express – is that guide, the authors – Scott Spendolini and John Scott – are those mentors.  The book walks you through the steps you need to understand after you’ve installed and started using APEX, to go beyond the sample applications.  Covering diverse topics such as “Using the database features to full advantage” (one of my favorite topics) to “SQL Injection Attacks” – what they are and how to avoid them in APEX – to “Printing”; you’ll find many real world issues you will be faced with explained, demystified and solved in this book.

For example, Chapter 5 “Data Security” covers a wide breadth of topics regarding securing your database application. There is a section on URL injection issues – what they are, how they are exploited, why you care about them and finally how to protect yourself from them. There is a section on Session State Protection – following the same format – what it is, how it is exploited, why you care and finally how to protect yourself. The same mentoring occurs with data level access where the authors introduce how to use Virtual Private Database, a core database feature – not really an APEX feature, to protect your data from unauthorized access. Lastly, a critical application feature – Auditing – is discussed in depth using the “what it is, why it is, why you care and then how to do it” approach. Whilst some of the content in this chapter is not specific to APEX, it is needed to give you a holistic view to building database applications – which is what this book is about.

This book covers not just the nitty gritty details of building a secure application, it covers all you need to build database applications with APEX.  When they are done with security, the authors move onto other necessary topics such as how to perform screen layout and application screen navigation, how to integrate reports and charts, how to integrate web services – enabling you to perform application integration – in an APEX environment, and much more.

If you are an APEX developer just starting out, or an APEX developer with experience under their belt but want to learn more about the environment you are using – this book is for you.  It describes from start to finish how to build a secure, functional, scalable application using the APEX application development environment.

Thomas Kyte



Blogger Crisatunity said....

I will definitely check it out! I've enjoyed the OWA Toolkit since the years and years. APEX was a great evolution.

I do love APEX for what it does well as much as I love ASP.NET for what it does well. I've even combined the two when APEX was a faster solution for rich-CRUD sort of stuff. APEX only gets frustrating when you try to take it to a level of complexity it isn't very good at.

Fri Sep 05, 11:07:00 AM EDT  

Blogger Mathias said....

I've been looking forward to this book since 1/21/2007. While the seemingly never ending changes to publication date have been frustrating, this is still a book I look forward to get my hands on. Few books would still be in ordered status if I had to wait more than a year past its original publication date, but I cannot wait to read this book.

Fri Sep 05, 11:42:00 AM EDT  

Anonymous Anonymous said....


I know you have a say in it so please pass this word to APEX development:

Please remove Session IDs from the URLs. It renders APEX unusable for the external sites that rely on SEO to stay competitive and to drive more traffic via the search engines.

There's no way to implement MOD_REWRITE rules with APEX session IDs stored in the URL. Session IDs do not belong in the URL; they belong in a session cookie.

Thank you.

Fri Sep 05, 02:27:00 PM EDT  

Anonymous Anonymous said....

@previous anonymous:

Fri Sep 05, 03:31:00 PM EDT  

Anonymous John Scott said....


Thank you for the plug and thanks again for the foreword.

To the anonymous person -

>Please remove Session IDs from the URLs. I

Take a look at the blog post I made about the topic here -

the Apex 3.1.2 patch fixes the session 0 redirect issue (I go into much more detail in the post and didn't want to reproduce it here).


Fri Sep 05, 03:54:00 PM EDT  

Blogger Thomas Kyte said....

who would like to guess who pushed "session zero" really hard :)

I really needed to be able to have bookmarks on any page work....

I was the first "session zero" application....

Fri Sep 05, 04:07:00 PM EDT  

Anonymous Anonymous said....

I knew that you could ZERO out the SESSION_ID and it will be carried from page to page in a COOKIE instead. But what I observed when I tested APEX in JAN-2008, was that, zeroing out SESSION_ID only worked for Public pages that did not require username/password protection. As soon as you signed-in -- the session was put back into the URL.

Is it still the case with the latest version of APEX?

Fri Sep 05, 06:50:00 PM EDT  

Anonymous Anonymous said....

But is it really coming out this time. I'm starting to feel like Charlie Brown with Lucy yanking the football away every time I try to kick it.

On the plus side, I the Data Security chapter will make the whole book worthwhile for me.

Sat Sep 06, 12:34:00 AM EDT  

Anonymous Jimbo said....

How does session zero help move a page up google's ranking? I posted a similar question on the blog mentioned above but it got deleted, which suggests to me there is no answer. I'm not flaming, I just don't see how it helps. If I copy a url from an ApEx website and paste it into my own blog as "host/dad/f?p=APP:PAGE:SESSION" then the url is unique. Where does session-zero come in to it?

If the session is in the url then ApEx sites may as well be invisible.

Sat Sep 06, 10:21:00 AM EDT  

Anonymous John Scott said....


Your post on my blog did not get deleted, it was the weekend and I did not approve your post until I got a chance to catch up with mails etc (remember I'm not glued to my laptop keyboard, despite evidence to the contrary).


Mon Sep 08, 03:19:00 AM EDT  

Blogger Byte64 said....

nice discussion, although it started as a book recommendation!

In reply to Jimbo, let me explain why session zero (theoretically) should solve (or help to) the google ranking problem.

The problem here is not in the session number itself, it's in the fact that session numbers expire after some time (less than 2 weeks). When the session expires, it means that the URL stored in Google index, will no longer work as it is, but will be redirected to a new URL containing a fresh session number. So you start with a number and you end up with two, because the original number will linger in Google index for quite some time, but also the new one is entered in the index.

Also, imagine iterating this process over weeks, months and years (as i did for instance). Luckily there must be some mechanism in Google that limits the pages returning the same content, which explains why the URLs are not increasing exponentially in virtue of this process, although after a while you can experience a dramatic increase in the number of page visits by the google crawler, which can also adversely impact bandwidth usage and site responsiveness.

Now, if the URL keeps changing, the Google rank is adversely affected because it is seen as a "new" page. Even external links do not contribute as they could because they are never pointing to a stable address.

If the google rank is low, as you know, your page will be listed after pages with higher rank.

At this point it should be clear why a never-expiring session zero would be beneficial. Unfortunately until now session zero implementation was crippled by unnecessary http redirects.
This made session zero almost useless, because in many cases the Google crawler gave up the page retrieval indicating "too many http 302". This phenomenon was really easy to be ascertained if one signed up to the Google Analytics program (as i did...) where you get reports for each and every URL of the website.
Imagine you have a site with thousands of pages and only a dozen of them are crawled because the crawler is stopped by http 302! It's really frustrating, believe me.

So, i am eager to see apex 3.1.2 in production (thanks John!) and take advantage of the new session zero mechanism.

Last but not least, you must ensure that the public pages of your application correctly preserve session zero otherwise you may end up with links pointing to URLs with non-zero sessions. This was especially true for session substitutions at the page template level.


Mon Sep 08, 03:55:00 AM EDT  

Anonymous Jimbo said....

Apologies John, my comment was visible on your blog after I posted it but when I came back later in the day (yes, I was glued to the laptop all weekend!) it had gone. Perhaps, ironically, it was only there for my session.

Flavio, I didn't appreciate there was an issue with google storing and recrawling dead links but I did get the problem with external links which include dead sessions. With session-zero will the session id always be zero in the url? Tom says he was the first session-zero app but there is still a session in the url on When searching google for posts on it often gives the message "we have omitted some entries very similar to the n already displayed". These entries turn out to be links to the same threads as in the main search, but where the link is to a specific post with the thread - it is the same page but a different url and even though the host and content are the same, google doesn't consider the 2 different links to be pointing at the same page. I'm still not sure that session-zero addresses this issue.

Mon Sep 08, 11:33:00 AM EDT  

Anonymous Michal Pravda said....


Talking about books.... I bought your Expert Oracle Database Architecture some time ago and the book states that sequel called Expert Oracle Programming "is coming" in June 06.

Delayed or cancelled?

Wed Sep 10, 05:03:00 AM EDT  

Blogger Thomas Kyte said....

about book: delayed indefinitely...

Wed Sep 10, 06:28:00 AM EDT  

Anonymous Pedro M. Guerra said....


«about book: delayed indefinitely...»

Too bad to be true...

Wed Sep 10, 09:23:00 AM EDT  

Blogger Stew said....

My copy arrived last Thursday (9/18). I just haven't had a chance to look at more than the table of contents because I'm stuck doing non-APEX work. [sigh]

Tue Sep 23, 02:22:00 PM EDT  

Anonymous Dave said....

Ooops. I posted this on the main blog before seeing this topic. Sorry.

Hi Tom. I started learning APEX on my own. There aren't a lot of books out there. I purchased one called Pro Oracle Application Express. I was a bit hesitant not recognizing the authors, but after reading the Foreword(by you), felt more comfortable. I've read the first two chapters and I really like the insight that is given that I haven't found elsewhere.

Tue Sep 23, 04:58:00 PM EDT  

Blogger Mathias said....


As you may have realized now, the authors are far from unknown. They are very well known in the APEX community and equally well respected for their knowledge and willingness to share that knowledge. I don't know anyone else I'd have wanted to write an advanced book on APEX development instead of John Scott. This has been a very anticipated book because of who wrote it.

Tue Sep 23, 11:55:00 PM EDT  

Anonymous Anonymous said....

On Amazon (.co & "Professional" is spelled "Proffesional" in the book's description. Can't see any way of notifying via Amazon, so doing it here.

Thu Oct 02, 12:54:00 AM EDT  

Blogger Andrew from SGNZ said....

Tom, I'm very interested in doing a mock project in APEX to learn its capabilities. Before I start I'd like to ask for your honest opinion - have you come across any missing features for small to medium sized web (CRUD/search/reports) apps? Any particular roadblocks that a developer may hit?

At any rate, I miss the good ole days of being able to develop simple, throwaway apps very quickly in MS Access / FoxPro... Even now, after 10+ years of so-called advances in web technologies, Java/.Net productivity is still comparably low. And I don't buy that business users have to have rich-clients - cheap and working solutions are the way to go.

Tue Oct 07, 06:20:00 AM EDT  

