ApEx:SQL injection

Don't use substitution variables & but bind variables :