I have a public website made using Apex 21.1.3

When a user shares a page of my website, let's say on facebook, Facebook adds "?fbclickId=something" to the URL.

My app then crashes saying : Unable to find item ID for item fbclickId in application.

Apex thinks the user is trying to set an element that does not exist on the application.

I have url processing layer using htaccess that formats the urls before sending them to Apex in a reverse proxy. I could say let's ignore all what comes after a question mark "?" but in this case I wont be able to set any application item value neither. So that's not possible.

Does anyone have an idea how to make Apex ignore setting a parameter if it doesn't exist ?

Using google for example :

This URL https://www.google.com/?anyparameter=anyvalue will always resolve to https://www.google.com

Thanks

Cheers

CodePudding user response：

Here is the solution I came up with.

I couldn't find any way to ignore unavailable fields but found a trick to avoid sending them to Apex, hence escaping the error.

In the middle tier (nginx, apache, IIS) add the following logic :

• Whenever there are two question marks, ignore the second one part:

   For example   : someApexAppUrl?Parameter=value?fbclickid=something
   Should become : someApexAppUrl?Parameter=value
  

• Whenever there is a parameter added to the url for example

   someApexAppUrl?Parameter=value
  

Check the parameter name against

• Application Items with a protection level of Unrestricted, Checksum Required - Application Level, Checksum Required - User Level, Checksum Required - Session Level

• The hard coded list of the default Apex urls parameters which are : session, request, clear, debug, printerFriendly, trace, timezone, lang, territory, cs, dialogCs, x01 according to this article

• Application page items with a name pattern P99_Someting

Whenever a parameter is not among these three categories, ignore it and don't send it to Apex. This way even if facebook adds something like ?fbclickid=xxx the Apex App will still work nicely.

CodePudding user response：

You may consider using Session State Protection and/or friendly URLs. (https://docs.oracle.com/en/database/oracle/application-express/21.2/htmdb/preventing-url-tampering.html#GUID-C47B5B4C-FA49-47C7-BAAE-6D5A06DE029C)

(https://docs.oracle.com/en/database/oracle/application-express/21.1/htmdb/understanding-friendly-url-syntax.html)

CodePudding user response：

I'm not aware of any way to ignore invalid parameters, but you can make the error a bit nicer for the end user.

1. Create a custom apex error handling function. The only difference with standard error handling is that the error with code WWV_FLOW.FIND_ITEM_ID_ERR has a custom message and no additional info. Change the string "Invalid url arguments" to something more relevant for your business case.

create or replace function apex_error_custom
    (
      p_error IN apex_error.t_error 
    )
    RETURN apex_error.t_error_result
IS
    l_result          apex_error.t_error_result := apex_error.t_error_result();
BEGIN 
     
    l_result := apex_error.init_error_result ( p_error => APEX_ERROR_CUSTOM.p_error );

    IF p_error.apex_error_code = 'WWV_FLOW.FIND_ITEM_ID_ERR' THEN
      l_result.message := 'Invalid url arguments';
      l_result.additional_info := NULL;
    END IF;

    RETURN l_result;
END apex_error_custom;

2. Change the application definition to use the new error function: Application Definitions > Error Handling > Custom Error Function. Note this affects all errors in the application.
3. An additional way to make the error nicer is to change the default error page to use a defined template (Shared Components > Themes > your theme > Component Defaults > Error page). Note this affects all errors in the application.