Creating An Application: Download App
database. This tutorial illustrates how to create a form and report with links for file upload and
download, how to create and populate a table to store additional attributes about the documents,
and finally how to create the mechanism to download the document in your custom table.
Creating an Application
Creating an Upload Form
Creating a Report with Download Links
Storing Additional Attributes About the Document
Storing the Document in a Custom Table
Downloading Documents from the Custom Table
Security Issues to Consider
For additional examples on this topic, please visit the following Oracle by Examples (OBEs):
http://www.oracle.com/technology/obe/apex/apex31nf/apex31blob.htm
Creating an Application
First, create a new application using the Create Application Wizard with the assumption you will include an
upload form on page 1.
2. Click Create.
3. Select Create Application and then click Next.
4. For Name, specify the following:
a. For Name, enter Download App.
b. Accept the remaining defaults and click Next.
5. Add a blank page:
a. Under Select Page Type, select Blank and click Add Page.
The new page appears in the Create Application list at the top of the page.
b. Click Next.
6. For Tabs, accept the default, One Level of Tabs, and click Next.
7. For Copy Shared Components from Another Application, accept the default, No, and click Next.
8. For Attributes, accept the defaults for Authentication Scheme, Language, and User Language
Preference Derived From and click Next.
9. For User Interface, select Theme 2 and then click Next.
10. Review your selections and click Create.
The Application home page appears.
3. For Region:
a. Identify the type of region to add to this page - Accept the default, HTML, and click Next.
b. Select the type of HTML region container you wish to create - Accept the default, HTML, and
click Next.
4. For Display Attributes:
a. Title - Enter Submit File.
b. Accept the remaining defaults and click Next.
5. Accept the remaining defaults and click Create Region.
1. Under Items on the Page Definition for page 1, click the Create icon.
2. For Item Type, select File Browse and then click Next.
3. For Display Position and Name:
a. Item Name - Enter P1_FILE_NAME.
b. For Sequence, accept the default.
c. For Region, select Submit File.
d. Click Next.
4. Accept the remaining defaults and click Next.
5. Click Create Item.
Create a Button
Next, you need to create a button to submit the file.
To create a button:
This selection causes the page to call itself on submit rather than navigate to another page.
9. If prompted to enter a user name and password, enter your workspace user name and password and
click Login. See "About Application Authentication".
When you run the page, it should look similar to Figure 9-3.
1. Click Edit Page 1 on the Developer toolbar at the bottom of the page.
Your report should resemble Figure 9-4. Note that your display may differ slightly depending on what files
you have uploaded.
The Report Attributes page appears. You can add a link to the ID column by editing Column
Attributes.
3. Under Column Attributes, click the Edit icon in the ID row.
4. Scroll down to Column Link.
5. Under Column Link:
a. Link Text - Select #ID#.
b. Target - Select URL.
c. In the URL field, enter the following:
p?n=#ID#
#ID# parses the value contained in the column where ID is the column alias.
When you run the page, it should look similar to Figure 9-6.
9. Click Edit Page 1 on the Developer toolbar to return to the Page Definition.
Storing Additional Attributes About the Document
Next, you create another table to store additional information about the documents that are uploaded. In this
exercise, you:
See Also:
"Using SQL Commands" in Oracle Database Application Express User's Guide
1. Go to SQL Commands:
a. Click the Home breadcrumb link at the top of the page as shown in Figure 9-7.
b. On the Workspace home page, click SQL Workshop and then SQL Commands.
subject VARCHAR2(4000));
6. Click Run.
To create a process:
e. Click Next.
8. For Process Conditions:
a. When Button Pressed - Select SUBMIT.
b. Accept the remaining defaults and click Create Process.
As shown in Figure 9-8, the Uploaded Files report now contains a Subject column.
10. Click Edit Page 1 on the Developer toolbar to return to the Page Definition.
1. Go to SQL Commands:
a. Click the Home breadcrumb link at the top of the page.
b. On the Workspace home page, click SQL Workshop and then SQL Commands.
4. Click Run.
The message Table Altered appears.
SELECT ID,:P1_FILE_NAME,:P1_SUBJECT,blob_content,mime_type
1. Go to SQL Commands:
a. Click the Home breadcrumb link at the top of the page.
b. On the Workspace home page, click SQL Workshop and then SQL Commands.
v_mime VARCHAR2(48);
v_length NUMBER;
v_file_name VARCHAR2(2000);
Lob_loc BLOB;
BEGIN
--
--
owa_util.mime_header(
nvl(v_mime,'application/octet'), FALSE );

-- set the size so the browser knows how much to download
owa_util.http_header_close;
/
32. Click the SQL Workshop breadcrumb link and then click SQL Commands.
33. In the top section, replace the existing SQL statement with the following:
GRANT EXECUTE ON download_my_file TO PUBLIC
/
36. Click the Home breadcrumb link at the top of the page to return to the Workspace home page.
Note:
If you are using Application Express in Database 11g, instead of calling the PL/SQL procedure as
described in this section, please follow the steps outlined in the following section Create Download
Page for Embedded PL/SQL Gateway.
In this URL:
To avoid this situation, there are a couple of available options. The first option is to modify the PL/SQL
function WWV_FLOW_EPG_INCLUDE_MOD_LOCAL to include the PL/SQL download_my_file procedure
and then recompile. The second, described below, is to create a page in the application that has a before header
branch to the PL/SQL download_my_file procedure. You then create a hidden item on that page for the
document ID of the document to be downloaded.
To accomplish the second option you need to:
Create a page with a before header branch to the PL/SQL procedure download_my_file
Change the download link to use the new page to display the file
To create a page with a before header branch to the PL/SQL procedure download_my_file:
The Page Definition for page 2 appears. A confirmation message displays at the top of the page:
Region created.
12. Under Items on the Page Definition for page 2, click the Create icon.
13. For Item Type, select Hidden and then click Next.
14. For Hidden Item Type, select Hidden and Protected and then click Next.
15. For Item Name, enter P2_DOC_ID and then click Next.
16. For Source, accept all defaults and then click Create Item.
To invoke your procedure, a user can click the links you provide, or a user can enter similar URLs in the Web
browser's Address (or Location) field. Be aware that a curious or malicious user could experiment with
your download_my_file procedure, passing in any file ID as the p_file argument. A hacker could
determine what file IDs exist in your table by legitimate or illicit means. Worse yet, in a mechanized attack, a
hacker could submit successive IDs until an ID matches a file in your table at which time your procedure
would download the file to the hacker.
The measures you take to protect your data from unauthorized access depend upon:
Your assessment of the degree of harm that would result if a hacker were able to download a file.
The likelihood of such an attack balanced against the cost and difficulty of providing controls.
One technique you can use to protect an application is to call one of the Oracle Application Express security
APIs from within the procedure to ensure that the user has already been authenticated. For example,
you could add a block of code to the procedure so that it runs first. Consider the following example:
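-- Set g_flow_id to the numeric ID of your application (100 is assumed here).
APEX_APPLICATION.G_FLOW_ID := 100;
IF NOT wwv_flow_custom_auth_std.is_session_valid then
-- No valid Application Express session: stop here so that
-- no file is retrieved for this request.
RETURN;
END IF;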
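
The mechanized attack described above, in which successive IDs are passed as p_file, leaves a recognizable pattern in web server access logs. The following detection sketch is an added example, not part of the original tutorial; the log format, the /pls/apex/ URL path, the demo schema prefix and the status codes are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) HTTP/[\d.]+" (\d{3}) \S+$')

def _line(ip, file_id, status):
    # Constructed Common Log Format line; URL path and schema prefix are assumed.
    return (f'{ip} - - [10/Mar/2009:10:00:00 +0000] '
            f'"GET /pls/apex/demo.download_my_file?p_file={file_id} HTTP/1.1" {status} 512')

# Constructed sample: one client walks IDs 101..107, another fetches its own files.
SAMPLE_LOG = "\n".join(
    [_line("198.51.100.7", i, 200 if i == 104 else 404) for i in range(101, 108)]
    + [_line("192.0.2.15", i, 200) for i in (12, 40, 12)]
    + ['192.0.2.15 - - [10/Mar/2009:10:00:00 +0000] "GET /pls/apex/f?p=100:1 HTTP/1.1" 200 900'])

def parse_download_requests(log_text, proc="download_my_file"):
    """Yield (client, file_id, status) for each request to the download procedure."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        client, target, status = m.groups()
        url = urlsplit(target)
        ids = parse_qs(url.query).get("p_file", [])
        if url.path.lower().endswith(proc) and len(ids) == 1 and ids[0].isdigit():
            yield client, int(ids[0]), int(status)

def longest_successive_run(ids):
    """Length of the longest stretch in which each requested ID is the previous + 1."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def find_enumerators(log_text, min_run=5):
    """Return {client: (longest_run, failed_requests)} for clients walking file IDs."""
    ids, misses = defaultdict(list), defaultdict(int)
    for client, file_id, status in parse_download_requests(log_text):
        ids[client].append(file_id)
        misses[client] += status != 200
    return {c: (longest_successive_run(v), misses[c])
            for c, v in ids.items() if longest_successive_run(v) >= min_run}

if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))
```

A session check like the one above confirms only that the caller has a valid session; it does not restrict which IDs that user may request, so this kind of log review still applies after the check is added. Run-length matching will not catch shuffled or slow scans, so treat the failed-request count as a second signal.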