It has a web-based integrated development environment (IDE) that includes tools such as wizards, drag-and-drop layout builders, and property editors.
While building an internal web calendar, Hichwa collaborated with fellow Oracle employee Joel Kallman to develop Flows.
Early builds of Flows had no front-end, so all changes to an application were made in SQL*Plus via insert, update and delete commands.
SQL Injection
APEX applications inherently use PL/SQL constructs as the base server-side language and access data via PL/SQL blocks.
Because of this, APEX applications can suffer from an SQL injection when these PL/SQL blocks do not correctly validate and handle malicious user input.
Escaping special characters and using bind variables can reduce, but not remove, XSS and SQL injection vulnerabilities.
To counteract XSS, Oracle provides the htf.escape_sc() function, which replaces literal special characters with HTML entity names so that they are displayed as text rather than interpreted as markup.
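As an added example (not code from the original page or from Oracle), the two PL/SQL procedures below contrast string concatenation with a bind variable, and unescaped output with htf.escape_sc(). The table emp_demo and both procedure names are hypothetical.

```sql
-- Added example. Assumes a hypothetical table EMP_DEMO(ename, job);
-- the procedure names are also hypothetical.

CREATE OR REPLACE PROCEDURE show_jobs_unsafe (p_name IN VARCHAR2) AS
  l_cur  SYS_REFCURSOR;
  l_job  emp_demo.job%TYPE;
BEGIN
  -- Vulnerable: p_name is concatenated into the statement text, so quote
  -- characters in it are parsed as SQL instead of being treated as data.
  OPEN l_cur FOR
    'SELECT job FROM emp_demo WHERE ename = ''' || p_name || '''';
  LOOP
    FETCH l_cur INTO l_job;
    EXIT WHEN l_cur%NOTFOUND;
    -- Also unescaped: markup stored in JOB is sent to the browser as-is.
    htp.p(l_job);
  END LOOP;
  CLOSE l_cur;
END;
/

CREATE OR REPLACE PROCEDURE show_jobs_safe (p_name IN VARCHAR2) AS
  l_cur  SYS_REFCURSOR;
  l_job  emp_demo.job%TYPE;
BEGIN
  -- Bind variable: the statement text is constant and p_name is passed
  -- separately, so it can only ever be compared as a value.
  OPEN l_cur FOR
    'SELECT job FROM emp_demo WHERE ename = :name' USING p_name;
  LOOP
    FETCH l_cur INTO l_job;
    EXIT WHEN l_cur%NOTFOUND;
    -- htf.escape_sc() turns &, ", < and > into HTML entity names.
    htp.p(htf.escape_sc(l_job));
  END LOOP;
  CLOSE l_cur;
END;
/
```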
Oracle claims that applying the latest APEX patches ensures that the external libraries bundled with the platform are updated in tandem, which theoretically enhances application stability and security.