Let's check out some of the most valid criticisms in the following sections.
As discussed in the Decoding the APEX page submissions section previously, only 200 page items are possible on an APEX page.
This works like a charm. The only problem is that the charm does not work in your favor.
SQL injection is an attack on PL/SQL code, and it can be stopped to a large extent if proper coding practices are followed. The attack is easy if your PL/SQL code contains dynamic SQL and the statement is built by concatenating variables into the dynamic SQL string. Likewise, if your code assumes implicit conversions and formats, an experienced hacker can change those assumed formats and demolish your security like a house of cards.
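The two coding mistakes named above, concatenation into dynamic SQL and reliance on implicit format conversion, shown side by side with the bind-variable fix. This is an added example, not code from the book; it assumes a table EMP with columns ENAME (VARCHAR2) and HIREDATE (DATE).

```plsql
-- Added example (not from the book). Assumes EMP(ENAME VARCHAR2, HIREDATE DATE).

-- Vulnerable: both inputs are pasted into the statement text.
CREATE OR REPLACE FUNCTION get_emp_count_unsafe (p_ename IN VARCHAR2, p_hired IN DATE)
  RETURN NUMBER
IS
  l_sql   VARCHAR2(4000);
  l_count NUMBER;
BEGIN
  -- p_ename becomes part of the SQL text, so its content shapes the statement.
  -- p_hired is implicitly converted DATE -> VARCHAR2 -> DATE using the session's
  -- NLS_DATE_FORMAT; the code only works while that assumed format holds.
  l_sql := 'SELECT COUNT(*) FROM emp WHERE ename = ''' || p_ename || ''''
        || ' AND hiredate > ''' || p_hired || '''';
  EXECUTE IMMEDIATE l_sql INTO l_count;
  RETURN l_count;
END;
/

-- Hardened: bind variables keep the input out of the statement text, and the
-- DATE is passed as a DATE, so no format assumption is made at all.
CREATE OR REPLACE FUNCTION get_emp_count_safe (p_ename IN VARCHAR2, p_hired IN DATE)
  RETURN NUMBER
IS
  l_count NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM emp WHERE ename = :ename AND hiredate > :hired'
    INTO l_count
    USING p_ename, p_hired;
  RETURN l_count;
END;
/

-- When a fragment genuinely cannot be bound (an object name, for instance),
-- validate it with DBMS_ASSERT instead of trusting the caller.
CREATE OR REPLACE FUNCTION row_count_of (p_table IN VARCHAR2) RETURN NUMBER
IS
  l_count NUMBER;
BEGIN
  -- SQL_OBJECT_NAME raises an error unless p_table names an existing object.
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM ' || DBMS_ASSERT.SQL_OBJECT_NAME(p_table)
    INTO l_count;
  RETURN l_count;
END;
/
```

The rule of thumb the example illustrates: values go in through USING, identifiers go through DBMS_ASSERT, and nothing typed by a user is ever concatenated into the statement string.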
SQL injection is of two types. Refer to the SQL Injection section of the Appendix for a discussion of both types, a working example of one of them, and various ways to combat SQL injection.
Cross-site scripting is an attack by which hackers bypass access controls such as the same-origin policy of the target server, and hence access sensitive data using client-side scripting such as JavaScript. Check out the Cross Site Scripting section of the Appendix to see the same-origin policy in action. There you will find a piece of code that uses client-side scripting to access vital web resources of the same domain. Cross-site scripting uses similar code, but the attack comes from a different domain.
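On the APEX side, the script that ends up running in the victim's browser usually arrives through a page item that is echoed back into the page without escaping. The following added example (not code from the book) shows that pattern in a PL/SQL region beside the escaped version; it assumes a page item named P1_SEARCH and uses the standard APEX V() function to read it.

```plsql
-- Added example (not from the book). Assumes a page item P1_SEARCH exists.

-- Vulnerable: the item value is written straight into the HTML, so any
-- markup it carries is interpreted by the browser.
CREATE OR REPLACE PROCEDURE render_search_unsafe
IS
  l_term VARCHAR2(4000) := v('P1_SEARCH');
BEGIN
  htp.p('<p>Results for: ' || l_term || '</p>');
END;
/

-- Hardened: htf.escape_sc converts the HTML-special characters (&, <, >, ")
-- to entities, so the value is displayed as text and never run as markup.
CREATE OR REPLACE PROCEDURE render_search_safe
IS
  l_term VARCHAR2(4000) := v('P1_SEARCH');
BEGIN
  htp.p('<p>Results for: ' || htf.escape_sc(l_term) || '</p>');
END;
/

-- Quick check outside the browser with a constructed sample value.
DECLARE
  l_in  VARCHAR2(100) := '<b>Jane</b> & "Co"';   -- constructed sample input
  l_out VARCHAR2(400) := htf.escape_sc(l_in);
BEGIN
  IF INSTR(l_out, '<') > 0 OR INSTR(l_out, '>') > 0 THEN
    RAISE_APPLICATION_ERROR(-20001, 'escaping failed');
  END IF;
  dbms_output.put_line(l_out);
END;
/
```

Escaping at the point of output is what denies the attacker's code a way into the page; the same-origin policy then has nothing to forgive, because no foreign script is executing in the APEX application's origin.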