🔐 Locking Down Public Pages - Stop URL Tampering with a Custom Checksum Using DBMS_CRYPTO in Oracle APEX
🚩Introduction
In many Oracle APEX applications, public pages are accessed using links generated outside of APEX, such as from emails, external systems, or third-party portals. These URLs often carry parameters like an ID or reference number to show specific data.
Normally, APEX protects these URLs using a built-in checksum. But when the URL is generated outside of APEX, then the APEX rejects the request as a checksum mismatch. To solve this, we can build our own custom checksum logic using the DBMS_CRYPTO package, so the link stays secure even when it's created from outside the application.
📑 Why This Approach Is Needed
In Oracle APEX applications, public pages are open to anyone with the link, which means the URL parameters can be easily changed by a user. If there is no validation, someone could simply edit the ID in the URL and view data that doesn't belong to them.
Building a custom checksum becomes important when:
- The URL is generated outside of APEX, so the default session checksum cannot be used
Sensitive data is shown on a public page without requiring login
Parameters in the URL need to be protected from manual tampering
A secret key based validation is needed to confirm the link is genuine
Applications need a way to reject the page request if the values don't match
This approach helps to keep public pages secure and prevents unauthorized access through URL tampering, and gives the developers full control over how the link is validated in Oracle APEX.
👉 Use Case: Preventing URL Tampering on Public Pages Using DBMS_CRYPTO
Step 1:
Step 2:
Step 3:
Step 4:
Step 4:
--- Function to Generate the Hash Value using DBMS_CRYPTO Package -----
CREATE OR REPLACE FUNCTION GET_SIGNATURE_F(v_param VARCHAR2) RETURN VARCHAR2 IS
v_secret_key VARCHAR2(100) := '#PUBL1C$P@GE!'; -- you can replace any value
BEGIN
RETURN lower(rawtohex(dbms_crypto.hash(
utl_i18n.string_to_raw(v_param || ':' || v_secret_key, 'AL32UTF8'),
dbms_crypto.hash_sh256
)
)
);
END; --- Procedure to Generate the Page Link and sent via the Email -----
CREATE OR REPLACE PROCEDURE SEND_PAGE_LINK_PROC (
v_emp_id NUMBER
) IS
v_url VARCHAR2(4000);
BEGIN ---Replace the APP ID,PAGE ID and Page items in the below link
v_url := 'https://oracleapex.com/ords/f?p=43271:26:0::NO::P26_USER_ID,P26_SIGNATURE:'
|| v_emp_id
|| ','
|| GET_SIGNATURE_F(v_emp_id); --to generate the Hash Value
APEX_MAIL.SEND(
p_to => 'xyz@gmail.com',
p_from => 'abc@gmail.com', -- Replace with your Email ID's
p_subj => 'Page Access Link',
p_body_html => '<a href="' || v_url || '">Click here to open the page</a>'
);
APEX_MAIL.PUSH_QUEUE;
END SEND_PAGE_LINK_PROC;
Step 5:
--- To Validate the Hash Value ----
IF :P26_SIGNATURE != GET_SIGNATURE(:P26_USER_ID) THEN
raise_application_error(-20001, 'Invalid Access');
END IF;
Step 6:
Step 7:







Comments
Post a Comment