21.2.6 About Securing File Uploads

Learn about developer best practices for securing file uploads.

Oracle APEX enables you to easily build an application that can be used to upload files and to access uploaded files. These files are uploaded into a common file storage table. Although the database view APEX_APPLICATION_FILES shows those files associated with your database account (or workspace), programmatic access to the common file storage table does not always require authentication, enabling other users to see your uploaded files. For this reason, Oracle recommends that developers use the methods described in Understanding BLOB Support in Forms and Reports, with the files being uploaded directly to a table in your workspace schema, or if you need programmatic access, uploaded to APEX_APPLICATION_TEMP_FILES. When you use the built-in methods of file access, the authorization checks on the page also apply to file access. Storing uploaded files in a table in your workspace schema also gives you more control over the underlying database storage. For example, you can use DDL operations, such as TRUNCATE and LOB segment move, to reclaim unused storage.

Note:

The database view APEX_APPLICATION_FILES supports INSERT, UPDATE, and DELETE DML operations. The database view APEX_APPLICATION_TEMP_FILES supports DELETE DML operations. You can perform these operations as part of your application or within the context of your workspace, for example in SQL Commands within SQL Workshop.
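
As an added illustration of the pattern recommended above (example code, not from the Oracle APEX documentation), the following PL/SQL assumes a File Browse item P1_FILE whose Storage Type is "Table APEX_APPLICATION_TEMP_FILES" and a workspace table named app_uploaded_files; the table name, column names and the size and type limits are assumptions for this example.

```sql
-- Workspace-schema table that owns the uploaded files, so the page's
-- authorization scheme applies to every read of them (names assumed).
CREATE TABLE app_uploaded_files (
    id            NUMBER GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    filename      VARCHAR2(400)  NOT NULL,
    mime_type     VARCHAR2(255)  NOT NULL,
    file_size     NUMBER         NOT NULL,
    blob_content  BLOB           NOT NULL,
    uploaded_by   VARCHAR2(255)  NOT NULL,
    uploaded_on   TIMESTAMP      DEFAULT SYSTIMESTAMP NOT NULL
)
LOB (blob_content) STORE AS SECUREFILE;

-- After-submit page process: copy the temporary upload into the workspace
-- table and remove the temporary row in the same transaction.
DECLARE
    l_max_bytes CONSTANT NUMBER := 10 * 1024 * 1024;   -- assumed 10 MB limit
BEGIN
    INSERT INTO app_uploaded_files
        (filename, mime_type, file_size, blob_content, uploaded_by)
    SELECT f.filename,
           f.mime_type,
           DBMS_LOB.GETLENGTH(f.blob_content),
           f.blob_content,
           :APP_USER
      FROM apex_application_temp_files f
     WHERE f.name = :P1_FILE
       -- reject oversized uploads; mime_type comes from the browser, so the
       -- allow list is a first filter, not proof of the real content type
       AND DBMS_LOB.GETLENGTH(f.blob_content) <= l_max_bytes
       AND LOWER(f.mime_type) IN ('application/pdf', 'image/png', 'image/jpeg');

    IF SQL%ROWCOUNT = 0 THEN
        raise_application_error(-20001,
            'Upload rejected: missing file, unsupported type, or file too large.');
    END IF;

    -- APEX_APPLICATION_TEMP_FILES supports DELETE: drop the temporary copy.
    DELETE FROM apex_application_temp_files WHERE name = :P1_FILE;
END;
/

-- Housekeeping that is only possible because the table is yours: reclaim
-- the LOB storage outright, or move the LOB segment to another tablespace.
TRUNCATE TABLE app_uploaded_files DROP STORAGE;
ALTER TABLE app_uploaded_files MOVE LOB (blob_content) STORE AS (TABLESPACE users);
```

Any report or download page that reads app_uploaded_files inherits the page-level authorization checks, which is the point of keeping the files out of the shared storage table.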
