Hi everyone,
I'm working with Oracle APEX 20.1 and facing a security issue related to conditionally read-only items and Dynamic Actions (DAs).
I have an item P2473_SH_GH on a modal page. This item is set to read-only based on a condition. When it renders as read-only, it appears like this:
<div class="t-Form-itemWrapper">
<input type="hidden" name="P2473_SH_GH" id="P2473_SH_GH" value="109980110">
<input type="hidden" data-for="P2473_SH_GH" value="lmuC1CAxUtqOSvQE84MwwLDO71A">
<span id="P2473_SH_GH_DISPLAY" class="display_only apex-item-display-only">109980110</span>
</div>
I also have a button on this page that triggers a Dynamic Action to execute some PL/SQL code, where I pass the value of P2473_SH_GH to update a column in a custom table.
⚠️ The Problem:
Since the item is conditionally read-only, I cannot set its Session State Protection (Security → Session State Protection) to "May not be set from browser", otherwise it would block legitimate use cases when the item is editable.
This creates a vulnerability: when the item is in read-only mode, a malicious user can use browser dev tools to modify its hidden value, and the DA will use the forged value without any validation.
If I use Submit Page, APEX automatically validates the checksum and blocks the tampered value — which is great.
But with Dynamic Actions, no such validation is done.
❓ My Question:
Is there a built-in APEX function (e.g., in the apex_util or apex_plugin_util packages) that I can use in my PL/SQL DA to validate the checksum of the item, just like the standard page submit does?
Again, I prefer not to implement custom logic — I want to rely on APEX’s native item protection mechanisms, if possible.
Any suggestions on how to securely validate the item in a DA scenario would be very helpful.
Thanks in advance!