Oracle® Database 2 Day + Application Express Developer's Guide
Release 2.2

Part Number B28839-01

9 How to Upload and Download Files in an Application

Oracle Application Express applications may include the ability to upload and download files stored in the database. This tutorial illustrates how to create a form and report with links for file upload and download, how to create and populate a table to store additional attributes about the documents, and finally how to create the mechanism to download the document in your custom table.

Creating an Application

First, create a new application using the Create Application Wizard with the assumption you will include an upload form on page 2.

To create an application using the Create Application Wizard:

  1. On the Workspace home page, click the Application Builder icon.

    The Application Builder home page appears.

  2. Click Create.

  3. Select Create Application and then click Next.

  4. Specify the page name.

    1. For Name, enter Download App.

    2. Accept the remaining defaults and click Next.

  5. Add a blank page:

    1. Under Select Page Type, select Blank and then click Add Page as shown in Figure 9-1.

      The new page appears in the Create Application list at the top of the page.

    2. Click Next.

  6. For Tabs, accept the default, One Level of Tabs, and then click Next.

  7. For Copy Shared Components from Another Application, accept the default, No, and click Next.

  8. For Attributes, accept the defaults for Authentication Scheme, Language, and User Language Preference Derived From and click Next.

  9. For User Interface, select Theme 2 and then click Next.

  10. Review your selections and click Create.

    The Application home page appears.

Creating an Upload Form

Once you create an application, the next step is to create a form to upload documents. In the following exercise you create a form in an HTML region that contains a file upload item and a button. The button submits the page and returns the user to the same page.

Create an HTML Region

First, you need to create a container to hold the form. In Application Builder, this container is called a region.

To create an HTML region:

  1. Click the Page 1 icon.

    The Page Definition appears.

  2. Under Regions, click the Create icon as shown in Figure 9-2.

  3. For Region, select HTML and then click Next.

  4. For Display Attributes:

    1. In Title, enter Submit File.

    2. Accept the remaining defaults and click Next.

  5. Accept the remaining defaults and click Create Region.

    The Page Definition appears.

Create an Upload Item

Next, you need to create a text field or item. In Application Builder, an item is part of an HTML form. An item can be a text field, text area, password, select list, check box, and so on.

To create a file upload item:

  1. Under Items on the Page Definition for page 1, click the Create icon.

  2. For Item Type, select File Browse and then click Next.

  3. For Display Position and Name:

    1. For Item Name, enter P1_FILE_NAME.

    2. For Sequence, accept the default.

    3. For Region, select Submit File.

    4. Click Next.

  4. Accept the remaining defaults and click Next.

  5. Click Create Item.

    The Page Definition appears.

Create a Button

Next, you need to create a button to submit the file.

To create a button:

  1. Under Buttons, click the Create icon.

  2. For Button Region, select Submit File (1) 1 and then click Next.

  3. For Button Position, select Create a button in a region position and then click Next.

  4. On Button Attributes:

    1. For Button Name, enter Submit.

    2. Accept the remaining defaults.

    3. Click Next.

  5. For Button Template, accept the default and click Next.

  6. For Display Properties, accept the defaults and click Next.

  7. For Branching:

    1. In Branch to Page, select Page 1.

    2. Click Create Button.

  8. Run the page by clicking the Run Page icon as shown in Figure 9-3.

  9. When prompted for a user name and password, enter your workspace credentials and click Login.

When you run the page, it should look similar to Figure 9-4.

Figure 9-4 Submit File Form


Creating a Report with Download Links

Once you create the form to upload documents, the next step is to create a report on the document table that contains links to download documents. When you use the file upload item type, the files you upload are stored in a table called wwv_flow_file_objects$. Every workspace has access to this table through a view called APEX_APPLICATION_FILES.

Create a Report on APEX_APPLICATION_FILES

To create a report on APEX_APPLICATION_FILES:

  1. Click Edit Page 1 on the Developer toolbar.

  2. Under Regions, click the Create icon.

  3. For Region, select Report and then click Next.

  4. For Report Implementation, select SQL Report and then click Next.

  5. For Display Attributes:

    1. In Title, enter Uploaded Files.

    2. Accept the remaining defaults and click Next.

  6. For Source, enter the following SQL query:

    SELECT id,name FROM APEX_APPLICATION_FILES
    
    
  7. Click Create Region.

  8. Run the page.

As shown in Figure 9-5, the report you just created shows all documents that have been uploaded.

Figure 9-5 Uploaded Files Report


Add Link to Download Documents

Next, you need to provide a link to download each document.

To provide a link to download the documents in the report:

  1. Click Edit Page 1 on the Developer toolbar.

  2. Under Regions, click Report next to Uploaded Files as shown in Figure 9-6.

    The Report Attributes page appears. You can add a link to the ID column by editing Column Attributes.

  3. Under Column Attributes, click the Edit icon in the ID row.

  4. Scroll down to Column Link.

  5. Under Column Link:

    1. In the Link Text field, enter:

      download
      
      
    2. From Target, select URL.

    3. In the URL field, enter the following:

      p?n=#ID#
      
      

      #ID# parses the value contained in the column where ID is the column alias.

  6. At the top of the page, click Apply Changes.

    The Page Definition appears.

  7. Run the page.

    When you run the page, it should look similar to Figure 9-7.

    Figure 9-7 Uploaded Files Report with Download Links


  8. Click Edit Page 1 on the Developer toolbar to return to the Page Definition.

  9. Click the Home breadcrumb link at the top of the page as shown in Figure 9-8.

    Figure 9-8 Breadcrumb Menu


    The Workspace home page appears.

Storing Additional Attributes About the Document

Next, you create another table to store additional information about the documents that are uploaded. In this exercise, you:

Create a Table to Store Document Attributes

First, you create a table in SQL Commands.

See Also:

"Using SQL Commands" in Oracle Database Application Express User's Guide

To create the table to store additional information about uploaded files:

  1. On the Workspace home page, click SQL Workshop and then SQL Commands.

    The SQL Commands page appears.

  2. In the top section, enter:

    CREATE TABLE file_subjects(name  VARCHAR2(4000), subject VARCHAR2(4000) );
    
    
  3. Click Run.

    The message Table created appears.

  4. Click the Home breadcrumb link.

    The Workspace home page appears.

Create an Item to Capture the Document Subject

To create an item to capture the subject of the document:

  1. Navigate to the Page Definition for page 1:

    1. On the Workspace home page, click the Application Builder icon.

    2. On the Application Builder home page, click Download App.

    3. On the Application home page, click the Page 1 icon.

    The Page Definition for Page 1 appears.

  2. Under Items, click the Create icon.

  3. For Item Type, select Text and then click Next.

  4. For Text Control Display Type, select Text Field and then click Next.

  5. For Display Position and Name:

    1. For Item Name, enter P1_SUBJECT.

    2. For Sequence, accept the default.

    3. From Region, select Uploaded Files.

    4. Click Next.

  6. For Item Attributes:

    1. In the Label field, enter Subject.

    2. Accept the remaining defaults.

    3. Click Next.

  7. Click Create Item.

Create a Process to Insert Information

Next, you need to create a process to insert the subject information into the new table.

To create a process:

  1. Under Page Processing, Processes, click the Create icon.

  2. For Process Type, select PL/SQL and then click Next.

  3. For Process Attributes:

    1. For Name, enter Insert.

    2. For Sequence, accept the default.

    3. From Point, select On Submit - After Computations and Validations.

    4. Click Next.

  4. In Enter PL/SQL Page Process, enter the following:

    INSERT INTO file_subjects(name, subject) VALUES(:P1_FILE_NAME,:P1_SUBJECT);
    
    
  5. Click Next.

  6. For Messages:

    1. In Success Message, enter:

      Subject inserted
      
      
    2. In Failure Message enter:

      Error inserting subject
      
      
    3. Click Next.

  7. For Process Conditions:

    1. From When Button Pressed, select SUBMIT.

    2. Accept the remaining defaults and click Create Process.

Show Additional Attributes in the Report Region

Finally, you need to alter the SQL Report region to join it to the additional attributes table. To accomplish this, you edit the Region Source attribute on the Region Definition page.

To edit the Region Source:

  1. Under Regions, click Uploaded Files.

    The Region Definition appears.

  2. Scroll down to Source.

  3. Replace the Region Source with the following:

    SELECT w.id,w.name,s.subject  
    FROM APEX_APPLICATION_FILES w,file_subjects s
    WHERE w.name = s.name
    
    
  4. Click Apply Changes.

  5. Run the page.

    As shown in Figure 9-9, the Uploaded Files report now contains a Subject column.

    Figure 9-9 Uploaded Files Report with Subject Column


    If your Uploaded Files report does not initially contain all three columns, try uploading a file and clicking the Submit button.

  6. Click Edit Page 1 on the Developer toolbar.

  7. Click the Home breadcrumb link at the top of the page to return to the Workspace home page.

Storing the Document in a Custom Table

In certain cases, you may want to store uploaded documents in a table owned by your schema. For example, if you want to create an Oracle Text index on uploaded documents, you need to store the documents in a custom table.

To store documents in your custom table:

To add a BLOB column to the file_subjects table:

  1. On the Workspace home page, click SQL Workshop and then SQL Commands.

    The SQL Commands page appears.

  2. In the top section, enter the following SQL statement:

    ALTER TABLE file_subjects ADD(id number,blob_content BLOB,mime_type varchar2(4000) );
    
    
  3. Click Run.

    The message Table Altered appears.

  4. Click the Home breadcrumb link at the top of the page.

To alter the process to insert documents into the file_subjects table:

  1. On the Workspace home page, click Application Builder.

  2. Click Download App.

  3. Click Page 1.

  4. Under Processes, click the Insert link.

  5. Scroll down to Source.

  6. Under Source, replace the process with the following:

    IF ( :P1_FILE_NAME IS NOT NULL ) THEN
        INSERT INTO file_subjects(id, name, subject, blob_content, mime_type)
            SELECT id, :P1_FILE_NAME, :P1_SUBJECT, blob_content, mime_type
              FROM APEX_APPLICATION_FILES
             WHERE name = :P1_FILE_NAME;
        DELETE FROM APEX_APPLICATION_FILES WHERE name = :P1_FILE_NAME;
    END IF;
    
    
  7. Click Apply Changes.

  8. Click the Home breadcrumb link at the top of the page to return to the Workspace home page.

Downloading Documents from the Custom Table

Now that documents are being stored in a custom table, you need to provide a way to download them. You do this by creating a procedure and granting execute on that procedure to the pseudo user APEX_PUBLIC_USER.

To accomplish this you need to change:

To create a procedure to download documents from the file_subjects table and grant execute to public:

  1. On the Workspace home page, click SQL Workshop and then SQL Commands.

  2. Enter the following SQL statement:

    CREATE OR REPLACE PROCEDURE download_my_file(p_file IN NUMBER) AS
        -- anchor to the column types so long MIME types and names fit
        v_mime       file_subjects.mime_type%TYPE;
        v_length     NUMBER;
        v_file_name  file_subjects.name%TYPE;
        lob_loc      BLOB;
    BEGIN
        SELECT mime_type, blob_content, name, DBMS_LOB.GETLENGTH(blob_content)
          INTO v_mime, lob_loc, v_file_name, v_length
          FROM file_subjects
         WHERE id = p_file;
        --
        -- set up HTTP header
        --
        -- use an NVL around the mime type and
        -- if it is null set it to application/octet-stream
        -- application/octet-stream may launch a download window from Windows
        owa_util.mime_header(NVL(v_mime, 'application/octet-stream'), FALSE);

        -- set the size so the browser knows how much to download
        htp.p('Content-length: ' || v_length);
        -- the filename will be used by the browser if the user does a save as
        htp.p('Content-Disposition:  attachment; filename="'
              || REPLACE(REPLACE(SUBSTR(v_file_name, INSTR(v_file_name, '/') + 1), CHR(10), NULL), CHR(13), NULL)
              || '"');
        -- close the headers
        owa_util.http_header_close;
        -- download the BLOB
        wpg_docload.download_file(lob_loc);
    END download_my_file;
    /
    
    
  3. Click Run.

    The message Procedure Created appears. Run another SQL statement.

  4. Click the SQL Workshop breadcrumb link and then click SQL Commands.

    The SQL Commands page appears.

  5. In the top section, enter the following SQL statement:

    GRANT EXECUTE ON download_my_file TO PUBLIC
    /
    
    
  6. Click Run.

    The message Statement processed appears.

  7. Click the Home breadcrumb link at the top of the page to return to the Workspace home page.

To change the SQL report region to no longer join with the APEX_APPLICATION_FILES view:

  1. Navigate to the Page Definition of page 1:

    1. On the Workspace home page, click Application Builder.

    2. On the Application Builder home page, click Download App.

    3. On the Application home page, click Page 1.

  2. Under Regions, click Uploaded Files.

  3. Scroll down to Source.

  4. Replace the Region Source with the following:

    SELECT s.id,s.name,s.subject FROM file_subjects s
    
    
  5. Click Apply Changes.

    The Page Definition appears.

To change the download link to use the new download procedure:

  1. Under Regions, click Report next to Uploaded Files.

  2. In the ID row, click the Edit icon.

  3. Scroll down to the Column Link section.

  4. Replace the existing URL with the following:

    #OWNER#.download_my_file?p_file=#ID#
    
    

    In this URL:

    • #OWNER# is the parsing schema of the current application.

    • download_my_file is the new procedure you just created.

    • You are passing in the value of the column ID to the parameter p_file.

  5. Click Apply Changes.

    The Page Definition appears.

Security Issues to Consider

The application you built in this tutorial provides download links that invoke the procedure download_my_file. Note that this approach has security implications that you need to be aware of.

To invoke your procedure, a user can click the links you provide, or a user can enter similar URLs in the Web browser's Address (or Location) field. Be aware that a curious or malicious user could experiment with your download_my_file procedure, passing in any file ID as the p_file argument. A hacker could determine what file IDs exist in your table by legitimate or illicit means. Worse yet, in a mechanized attack, a hacker could submit successive IDs until an ID matches a file in your table at which time your procedure would download the file to the hacker.

The measures you take to protect your data from unauthorized access depend upon:

One technique you can use to protect an application is to call one of the Oracle Application Express security APIs from within the procedure to ensure that the user has already been authenticated. For example, you could include a block of code at the start of the procedure so that it runs first. Consider the following example:

-- Assuming your application's numeric ID is 100, set g_flow_id to
--     that value, otherwise change the value as required. 
--
APEX_APPLICATION.G_FLOW_ID := 100;

IF NOT wwv_flow_custom_auth_std.is_session_valid THEN
    --
    -- display this message or a custom message.
    --
    htp.p('Unauthorized access - file will not be retrieved.');
    -- 
    -- You can do whatever else you need to here to log the
    --     unauthorized access attempt, get the requestor's
    --     IP address, send email, etc. 
    -- 
    RETURN;
END IF;
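
The check above placed in the complete download procedure, as an added example that is not part of the original guide. It assumes the application ID 100 from the fragment above and the file_subjects table built in this tutorial; the 403 and 404 responses, the NO_DATA_FOUND handler and the removal of double quotes from the file name are additions made here.

```plsql
-- Added example: download_my_file with the session check run before any lookup.
-- Assumption: the application's numeric ID is 100, as in the fragment above.
CREATE OR REPLACE PROCEDURE download_my_file(p_file IN NUMBER) AS
    v_mime       file_subjects.mime_type%TYPE;
    v_file_name  file_subjects.name%TYPE;
    v_length     NUMBER;
    lob_loc      BLOB;
BEGIN
    -- Tie the request to the application so its session can be checked.
    APEX_APPLICATION.G_FLOW_ID := 100;

    -- Refuse before touching file_subjects, so an unauthenticated caller
    -- cannot learn which IDs exist by comparing responses.
    IF NOT wwv_flow_custom_auth_std.is_session_valid THEN
        owa_util.status_line(403, 'Forbidden', FALSE);
        owa_util.mime_header('text/plain', TRUE);
        htp.p('Unauthorized access - file will not be retrieved.');
        RETURN;
    END IF;

    SELECT mime_type, blob_content, name, DBMS_LOB.GETLENGTH(blob_content)
      INTO v_mime, lob_loc, v_file_name, v_length
      FROM file_subjects
     WHERE id = p_file;

    owa_util.mime_header(NVL(v_mime, 'application/octet-stream'), FALSE);
    htp.p('Content-length: ' || v_length);
    -- Strip the path prefix, CR/LF and double quotes from the stored name
    -- before it is written into a response header. TRANSLATE deletes every
    -- character of its second argument that has no counterpart in the third.
    htp.p('Content-Disposition: attachment; filename="'
          || TRANSLATE(SUBSTR(v_file_name, INSTR(v_file_name, '/') + 1),
                       'x' || CHR(10) || CHR(13) || '"', 'x')
          || '"');
    owa_util.http_header_close;
    wpg_docload.download_file(lob_loc);
EXCEPTION
    WHEN NO_DATA_FOUND THEN
        -- Unknown ID: a plain 404 instead of an unhandled ORA-01403 error page.
        owa_util.status_line(404, 'Not Found', FALSE);
        owa_util.mime_header('text/plain', TRUE);
        htp.p('File not found.');
END download_my_file;
/
```

Because the session check runs before the SELECT, a request without a valid session receives the same 403 for every p_file value, whether or not the ID exists.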