Using Apex.mail to send spam
Sep 20 2007 (edited Sep 26 2007)

Hi,
I have an app that I would like to use for company internal use (behind a firewall). It uses apex.mail to send emails over the Internet. I think it is OK to release, but before I go live, I want to ask if you have any recommendations to make sure someone who gets access to the user's PC can't send spam.
The user needs a password to begin using the app (LDAP authentication). It doesn't use Session State Protection or anything like that. The app shows a report of examiners who should've returned work they have been given to mark. The user selects a check box beside the examiners to be sent a reminder, and clicks a button to send. The page process loops through the list of examiners selected, and it uses the examiner_id to select the 'to' address and the email body from a table, which it passes to apex_mail.send.
The 'to' address and the email body are SQL variables in the page process, not page items. On a different page, the user has the ability to edit an examiner's details including email address, and the examiner's id is passed in the address line to this page. An update statement would be required to alter the email body though.
Can this be abused easily? What can I do to improve security?
Thanks in advance for any suggestions,
MS
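As an added example (not code from the original post), here is what the page process described above could look like in PL/SQL, with the server-side checks a practitioner would want before calling apex_mail.send: an authorization re-check, a bind-variable lookup restricted to examiners that are actually overdue, a per-run cap, and a log so sends per user can be rate limited. The table and view names (examiner, overdue_examiner, examiner_reminder_log), the authorization scheme name and the sender address are assumptions, not objects from the poster's application.

```plsql
-- Added example: "Send reminders" page process (PL/SQL anonymous block).
-- Assumed objects: table examiner(examiner_id, email, reminder_body),
-- view overdue_examiner(examiner_id) listing examiners with outstanding marking,
-- table examiner_reminder_log(examiner_id, sent_by, sent_on).
-- Assumed report column: apex_item.checkbox(1, examiner_id), so checked ids
-- arrive in apex_application.g_f01.
declare
    l_max_per_run   constant pls_integer := 50;   -- cap on one button click
    l_max_per_hour  constant pls_integer := 200;  -- cap per user per hour
    l_sent          pls_integer := 0;
    l_recent        pls_integer;
    l_examiner_id   examiner.examiner_id%type;
begin
    -- 1. Re-check authorization in the process itself; LDAP login only proves
    --    who the user is, not that they may send mail on the company's behalf.
    --    'Can_send_reminders' is an assumed authorization scheme name.
    if not apex_util.public_check_authorization('Can_send_reminders') then
        raise_application_error(-20001, 'Not authorized to send reminders');
    end if;

    -- 2. Rate limit: refuse if this user has already sent too much recently,
    --    which is the failure mode of a hijacked session or a scripted client.
    select count(*)
      into l_recent
      from examiner_reminder_log
     where sent_by = :APP_USER
       and sent_on > sysdate - 1/24;
    if l_recent >= l_max_per_hour then
        raise_application_error(-20002, 'Reminder limit reached; try again later');
    end if;

    -- 3. Iterate the submitted checkbox values.
    for i in 1 .. apex_application.g_f01.count loop
        exit when l_sent >= l_max_per_run;

        -- A tampered, non-numeric value raises VALUE_ERROR here and aborts the
        -- whole process, which is the desired outcome.
        l_examiner_id := to_number(apex_application.g_f01(i));

        -- 4. Resolve address and body with a bind variable, and only for an
        --    examiner that is genuinely overdue; an id that is not in the
        --    overdue set simply returns no row and nothing is sent.
        for r in (select e.email, e.reminder_body
                    from examiner e
                   where e.examiner_id = l_examiner_id
                     and exists (select 1
                                   from overdue_examiner o
                                  where o.examiner_id = e.examiner_id)) loop
            apex_mail.send(
                p_to   => r.email,
                p_from => 'marking-office@example.com',   -- assumed fixed sender
                p_body => r.reminder_body,
                p_subj => 'Reminder: outstanding marking');

            -- 5. Record every send so the hourly check above has data and an
            --    audit trail exists for who sent what.
            insert into examiner_reminder_log (examiner_id, sent_by, sent_on)
            values (l_examiner_id, :APP_USER, sysdate);

            l_sent := l_sent + 1;
        end loop;
    end loop;
end;
```

The point of steps 3 and 4 is that the 'to' address is never taken from the request; the request only supplies an id, and the id is only honoured if it matches a row the report would have shown anyway. Step 2 bounds the damage from a session that has been taken over on the user's PC. The page that edits an examiner's email address, where the id arrives in the URL, should sit behind the same authorization scheme and, ideally, have Session State Protection enabled on that item, since changing the stored address is the other way to redirect the reminders.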