Everybody is already convinced of the strength and benefits of AJAX. There is only one thing that keeps bothering me when I’m using AJAX within Apex: for every AJAX call, you have to define a new application process.
b) Create an application item with the name AJAX_PROCEDURE
Remark:
Instead of writing the PL/SQL code for the AJAX call in the application process, you write it in the database as a procedure (or a package procedure), e.g. pck$ajax_examples.prc$first_example. The application process itself only contains an EXECUTE IMMEDIATE on the value of the application item AJAX_PROCEDURE.
Step 2: JavaScript
Now we can put (using JavaScript) the name of this procedure in the application item AJAX_PROCEDURE and call the application process. The EXECUTE IMMEDIATE in the application process will then run the pck$ajax_examples.prc$first_example procedure.
I have written some javascript functions that simplify the use of AJAX:
Now implementing an AJAX call becomes as easy as this…
The ajaxResult variable will contain the result of your AJAX call!
This method is only recommended in an inTRAnet environment, because it leaves your database open to SQL/PL-SQL injection: the application item is set from client-side JavaScript, so anybody who can reach the page can put any PL/SQL fragment in it (not only a procedure name) and have it executed with the privileges of the application schema. You can build in extra security, for example by checking the requested procedure name against a database table of permitted calls before executing it.
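As an added illustration (not code from the original post), the application process as the post describes it, next to a hardened version that only executes names listed in a whitelist table. The item name AJAX_PROCEDURE comes from the post; the package pck$ajax_examples is the post's example; the table ajax_allowed_calls and the error text are assumptions made for this example.

```plsql
-- Added example, not the original post's code.
-- Assumed names: application item AJAX_PROCEDURE (from the post),
-- whitelist table AJAX_ALLOWED_CALLS (assumption).

-- (1) The pattern as described in the post: whatever the browser put into
--     AJAX_PROCEDURE is executed with the privileges of the parsing schema.
--     Vulnerable: the item value is SQL text, not data.
BEGIN
  EXECUTE IMMEDIATE 'BEGIN ' || :AJAX_PROCEDURE || '; END;';
END;
-- A user who sets AJAX_PROCEDURE (via the browser) to a string such as
--   null; execute immediate 'create user abc identified by x'
-- gets that statement executed as well; nothing in (1) prevents it.

-- (2) Hardened application process: only names registered in a table may run,
--     and the name is validated as an identifier before it is concatenated.
CREATE TABLE ajax_allowed_calls (
  proc_name VARCHAR2(128) PRIMARY KEY   -- upper-case [schema.]package.procedure
);
INSERT INTO ajax_allowed_calls VALUES ('PCK$AJAX_EXAMPLES.PRC$FIRST_EXAMPLE');
COMMIT;

DECLARE
  l_name  ajax_allowed_calls.proc_name%TYPE;
BEGIN
  -- Bind variable: here the item value is compared as data, never run as code.
  SELECT proc_name
    INTO l_name
    FROM ajax_allowed_calls
   WHERE proc_name = UPPER(TRIM(:AJAX_PROCEDURE));

  -- Belt and braces: even a bad row in the whitelist cannot smuggle in
  -- statements, because only a syntactically valid qualified name passes.
  l_name := DBMS_ASSERT.QUALIFIED_SQL_NAME(l_name);

  EXECUTE IMMEDIATE 'BEGIN ' || l_name || '; END;';
EXCEPTION
  WHEN NO_DATA_FOUND THEN
    -- Unknown procedure: refuse, and give the caller nothing useful.
    htp.p('ERROR: call not permitted');
END;
```

The whitelist table is the check the post suggests; the DBMS_ASSERT call is an extra layer so that the string concatenated into EXECUTE IMMEDIATE can only ever be a dotted identifier. Parameters for the called procedure should be passed through separate application items and read with bind variables inside the procedure, never concatenated into the same string.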
In a next blog post I will explain how you can also generalise the passing of parameters to the AJAX call.
Hi Niels, Very nice write-up, however just be aware that passing through the code you want to execute via the JavaScript function could potentially open up a very big security hole in your application. So, unless you *really* trust your end users, you might want to add some ‘sanity checking’ to the code to stop people executing arbitrary procedures (i.e. they could modify the JavaScript themselves and have it execute any code they like on the server). John.
Hi Niels, you should reconsider that code, because it introduces into your application/database a huge SQL injection door. Consider that your application schema is often a high-privileged user, sometimes even with DBA privileges. All your APEX code is executed with the privileges of your application schema/user. So basically you can do everything with that user. I just have to do an AJAX call with EXECUTE IMMEDIATE "CREATE USER ABC IDENTIFIED BY xxx;" as string and another one where I grant DBA privileges, and I have my own user in your database… Patrick
Hi! I think this is some kind of proof of concept, but this implementation leaves your database wide open to SQL injection attacks. You should make sure that the possible procedure calls are limited, e.g. by checking the argument against a table.
Hi, Thanks for this interesting information concerning SQL injection. For this reason we only use this ‘method’ in an inTRAnet environment. I will mention this security risk in the blog itself. It may indeed be a good idea to check all AJAX calls against a database table to make sure the call is permitted.