Steal the Show with ApEx

Steal the Show with ApEx

Oracle Open World, November 13, 2007

Bill HoltzmanNational Air Traffic Controllers Association

November 13, 2007 Steal the Show with ApEx 2

NATCA

National Air Traffic Controllers Association

15,000 members 400 locations Employees of the Federal

Aviation Administration


Grievance

A complaint against the employer by an employee or the union

Over 200,000 active grievances

Requirements akin to legal case


G.A.T.S.


Wizards


Graphical query builder


SQL report: Region Source


SQL report: Attributes


Automated report link


Manual report link: link||text

Manual link enables concatenation with plain text

<a href="f?p=104:8:10234501378364652310:::8: P8_DUP_GRID,P8_RETURN_PAGE,P8_ARTICLE: 5880,32,0">06-ZDC-34</a><br><span style="font-size:8pt">123456</span>


Manual link: Javascript

Manual link with Javascript enables custom pop-ups'<a href="javascript:myPopUp(''f?p=&APP_ID.:9:' || :APP_SESSION

|| '::::P9_GRID:' || g.GRID || ''')">' || g.topic || '</a>' “Grievance Regarding<br>(View/Print)"

<a href="javascript:myPopUp('f?p=104:9:11001668615862681378 ::::P9_GRID:5581')">Article 34 Working Hours</a>

At runtime, this becomes:


Use of conditional ||Decode and case enable conditional || with images, textselect

decode(g.status_id, 1, decode(g.date_sub, null, trunc(g.u_action) - trunc(sysdate) || ' ' ||casewhen (g.u_action - sysdate) > 7 then '<img src="#FLOW_IMAGES#greenN.gif">'when (g.u_action - sysdate) > 3 then '<img src="#FLOW_IMAGES#yellowN.gif">'when (g.u_action - sysdate) > 0 then '<img src="#FLOW_IMAGES#redN.gif">'else '<img src="#FLOW_IMAGES#past.gif" border="0">'end,to_char(g.date_sub, 'MM/DD/YY')), 'Closed') "DATE_SUB"from grievance g


SQL generated by PLSQL

SQL Report Region could not enable optional sorting of composite columns

Use of PLSQL-generated SQL enables finer control over the report source query, enhancing performance


Converting a report to PLSQL

declarep_sql varchar2(32767);beginp_sql := q'! select grid from grievance !';return p_sql;end;

Note: 10g quoting syntax


Adding conditionsdeclarep_sql varchar2(32767);beginp_sql := q'! select g.GRID, !';p_sql := p_sql || q'! '<a href="javascript$myPopUp(''f?p=&APP_ID.$9$' || $APP_SESSION || '$$$$P9_GRID$' || g.GRID || ''')">' || g.topic || '</a>' || gr_groupid(g.grid) "Topic“ !';p_sql := p_sql || q'! from GRIEVANCE g, gr_status_lookup p, gr_bu b where g.gr_status = 3 and g.status_id = p.id !';if :P35_FAANUM is not null thenp_sql := p_sql || q'! and lower(g.faanum) like '%' || lower($P35_FAANUM) || '%' !';end if;return replace(p_sql,'$',':');end;


Composite sortingdeclarep_sql varchar2(32767);beginp_sql := q'! select g.GRID, !';p_sql := p_sql || q'! '<a href="javascript$myPopUp(''f?p=&APP_ID.$9$' || $APP_SESSION || '$$$$P9_GRID$' || g.GRID || ''')">' || g.topic || '</a>' || gr_groupid(g.grid) "Topic" !';p_sql := p_sql || q'! from grievance g, gr_status_lookup p, gr_bu b where g.gr_status = 3 and g.status_id = p.id and g.bu_id = b.id (+) !';casewhen :P35_SORT = 1 then p_sql := p_sql || q'! order by trunc(g.reply_by_3), trunc(g.date_sub_3) nulls last !';when :P35_SORT = 2 then p_sql := p_sql || q'! order by trunc(g.date_sub_3), trunc(g.u_action_3) nulls last !';else null;end case;return replace(p_sql,'$',':');end;


CheckboxesPLSQL-generated SQL

Page process


Check-all checkboxFrom Sergio Leunissen’s Blog


Grievance listing


Grievance listing

Filters = where clauses

Order by

Number of rows (item)

Large clickable area

Manual javascript pop-up link || text

Manual page link || text

Check all check box Composit

e report column


Javascript on a Select ListPage Attributes

Page Item


Database-driven Javascript

declarep_java varchar2(4000);cursor c1 is select bu_id, bplate from gr_bu;beginp_java := 'function insertBP(p_region_id) {var p_bu_id = document.getElementById("P8_BU_ID").value;';for a1 in c1 loopp_java := p_java || chr(10) || 'if (p_bu_id == ' || a1.bu_id || ')' || chr(10) || 'document.getElementById("P8_BPLATE").value = "' || a1.bplate || '";';end loop;p_java := p_java || chr(10) || '}';:F168_BPLATE_JAVA := p_java;end;


Javascript resultfunction insertBP(p_region_id) { var p_bu_id = document.getElementById("P8_BU_ID").value;if (p_bu_id == 12)document.getElementById("P8_BPLATE").value = "This grievance is filed pursuant to the Interim agreements and 5 USC 7103 (a) (9). The Agency's actions constitute a violation of the Interim agreements between NATCA and the FAA, 5 USC Chapter 71, and all applicable laws, rules, regulations, and past practice. NOTE: Under protest, and as ordered by FAA management, this grievance is filed in accordance with the Imposed Working Rules (IWR).";if (p_bu_id == 13)document.getElementById("P8_BPLATE").value = "This grievance is filed pursuant to the Interim agreements and 5 USC 7103 (a) (9). "; }


Users upload and download documents associated with each grievance. The process is analogous to a legal case.

Custom tables: file storage


The custom tables are tied to individual grievances by the primary key GRID.

Upload/download tables


Upload process


Upload: File size validation

A validation restricts the size of uploads.


Upload: File name validation

Javascript restricts the length of the file name. ApEx will not accept more than 78 characters.


Download report


Don’t forget! SQL> grant execute on download_my_file to public

Download link


Session state protection

http://www.abc.net/pls/htmldb/f?p=168:34:470931357178041727::NO:::&cs=3A70EA7DD614FA61411D4DCACB75E481C


URL with checksum


Checksums in manual links

'<a href="javascript:myPopUp(''f?p=&APP_ID.:9:' || :APP_SESSION || '::::P9_GRID:' || g.GRID || ''')">' || g.topic || '</a>' "Topic"

'<a href="javascript:myPopUp(''' || htmldb_util.prepare_URL('f?p=&APP_ID.:9:' || :APP_SESSION || '::::P9_GRID:' || g.GRID) || ''')">' || g.topic || '</a>' "Topic"

Original SQL:

With session state protection:


Checksum in PLSQL region


Session state violation

Tampering with values in the URL produces this error message.


Security through branching


Automatic row processing

Automatic row processing includes optimistic locking.

But more advanced apps use manual processing.


Manual row processing

for c1 in (select * from grievance where grid = :P8_GRID) loopcurrent_state := utl_raw.cast_to_raw(dbms_obfuscation_toolkit.md5(input_string => c1.FAANUM||c1.GRIEVANT||c1.REP||c1.TOPIC||c1.ORAL));end loop;if current_state = :P8_CHECKSUM thenupdate grievance set faanum = :P8_FAANUM, rep = :P8_REP, topic = :P8_TOPIC, oral = :P8_ORAL where grid = :P8_GRID;:P8_RETURN_PAGE := 32;end case;else:P8_RETURN_PAGE := 39;end if;

:P8_CHECKSUM is calculated when the page is rendered. If it changes, the update does not execute.


Optimistic locking error

When the checksums do not agree, conditional processing prevents the update and conditional branching takes the user to this page.


Application level items

Page item names are visible in the HTML source

The names of application level items are not, making them more difficult to tamper with


Using application level items

LOGIN PROCESS…casewhen p_sec_lev = 1 then:F134_HEADER := :F134_HEADER || 'FacRep Level';when p_sec_lev = 2 then:F134_HEADER := :F134_HEADER || 'RVP Level';elsenull;end case;


User activity

or

select * from htmldb_activity_log


Integrating apps


Internal message board

Build or borrow a message board application, customize it and integrate it into all of your apps for an internal message board/knowledge base.


Application Express skill set




Thank you!

For more information:Bill [email protected]

Documents

Steal the Show with ApEx