
Oracle APEX has built-in security that is very effective at preventing unauthorized manipulation of page values. The benefits far outweigh the drawbacks, but in some circumstances you need to display a value to users and have the application change it without letting them edit the field themselves. This is a stumbling block for developers because it is easy to trigger a session state violation error. In this blog, I address that use case and one of the options available.

 

Install the Sample Application Productivity App and go to Page 6

  • Add a QUANTITY page item
    • Number field
    • Source
      • Type:  Null
      • Used:  Always, replacing any existing value in session
  • Add a TOTAL_PRICE page item
    • Number field
    • Source
      • Type:  Null
      • Used:  Always, replacing any existing value in session
  • Add a Dynamic Action on the QUANTITY page item
    • On change
      • Set value
        • PL/SQL Expression – :P6_LIST_PRICE * :P6_QUANTITY
        • Items to Submit – P6_LIST_PRICE,P6_QUANTITY
        • Affected Elements – Item(s) P6_TOTAL_PRICE

Go to Page 3 and select the Bag from the Products Interactive Report

  • Enter 4 into the QUANTITY field and press the Tab key
  • Click the Apply Changes button

 

 

Failure

So, what happened? When a page item is read-only, any change in value to that page item is assumed to be an unauthorized manipulation. This will occur even if you have session state protection set to unrestricted for the item.

One way to get the system to accept the (Set Value) Dynamic Action is to change the item type of TOTAL_PRICE to hidden. Remember to change the Value Protected setting to off.

 

 

Solution

The hidden item method works, but it does not help if you want to display the value to users and have it saved without violating session state protection. We can do this by adding a few more steps.

  • Keep the TOTAL_PRICE item set to hidden and not value protected.
  • Go back into Page Designer for Page 6 and duplicate the TOTAL_PRICE item.
  • Call this second item DISPLAY_TOTAL_PRICE.
  • Change the item type to Display Only and set Send on Page Submit to off.
  • Go to the (Set Value) Dynamic Action on the QUANTITY page item.
  • Edit the Affected Elements section under Item(s) to P6_TOTAL_PRICE,P6_DISPLAY_TOTAL_PRICE.
  • Run the form once more and SUCCESS!
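
With Value Protected turned off, session state protection no longer checks what P6_TOTAL_PRICE carries on submit, so the server should confirm the total itself. The block below is an added example, not part of the original post: a PL/SQL body for a Page 6 validation that returns error text, assuming P6_LIST_PRICE is a trusted value and that quantities must be positive whole numbers (both are assumptions).

```sql
-- Added example (not from the original post).
-- Body for a Page 6 validation that returns error text:
-- NULL means the submitted values are consistent, any other
-- string is shown to the user and stops page processing.
-- Assumptions: P6_LIST_PRICE is trusted (for example, a protected
-- item), and a quantity must be a positive whole number.
declare
    l_list_price number;
    l_quantity   number;
    l_total      number;
begin
    -- Page items arrive as strings; convert explicitly so that
    -- malformed input lands in the exception handler below.
    l_list_price := to_number(:P6_LIST_PRICE);
    l_quantity   := to_number(:P6_QUANTITY);
    l_total      := to_number(:P6_TOTAL_PRICE);

    if l_list_price is null then
        return 'List price is missing.';
    end if;

    if l_quantity is null
       or l_quantity <= 0
       or l_quantity <> trunc(l_quantity)
    then
        return 'Quantity must be a positive whole number.';
    end if;

    -- Recompute the total on the server with the same expression
    -- the Dynamic Action uses, and compare it to the hidden item.
    if l_total is null or l_total <> l_list_price * l_quantity then
        return 'Total price does not match list price times quantity.';
    end if;

    return null;
exception
    when value_error or invalid_number then
        return 'Quantity and prices must be numeric.';
end;
```

The validation reads only the submitted P6_TOTAL_PRICE; P6_DISPLAY_TOTAL_PRICE is not sent on submit and plays no part in the check.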

 

 

How Would this Work with a Real Database?

I am well aware that, as a general rule, you wouldn’t store a calculated field like TOTAL_PRICE. With that said, the longer you stay in the industry, the more likely you are to see all sorts of things that shouldn’t be happening.

The much more likely real-life scenario will entail a use case with some elements similar to the example provided. No matter the circumstance, the tips and nuances in this blog will help you troubleshoot page item manipulation without violating session state.

 
