ApEx:SQL injection

Don't use substitution variables (&); use bind variables (:) instead.
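
The difference, shown as an added example that is not code from the original page: the same lookup written with a substitution string and with a bind variable, first as an APEX region source and then, going one step beyond the page, as dynamic SQL in a PL/SQL process. The page item P1_ENAME and the placeholder b_ename are hypothetical names, and EMP is the Oracle sample table.

```sql
-- Added example. P1_ENAME is a hypothetical page item; EMP is the Oracle
-- sample table. Each statement is the source of a separate APEX component.

-- 1a. Region source, vulnerable: substitution string.
--     APEX replaces &P1_ENAME. with the item's value before the statement
--     is parsed, so user input becomes part of the SQL text itself.
select empno, ename, job
  from emp
 where ename = '&P1_ENAME.'

-- 1b. Region source, hardened: bind variable.
--     The statement text is fixed; the item's value reaches the database
--     as data and is never parsed as SQL.
select empno, ename, job
  from emp
 where ename = :P1_ENAME

-- 2a. PL/SQL process, vulnerable: the bind variable is read safely, but
--     its value is then concatenated into a dynamic statement, which
--     reintroduces the same problem as the substitution string.
declare
  l_count number;
begin
  execute immediate
    'select count(*) from emp where ename = ''' || :P1_ENAME || ''''
    into l_count;
end;

-- 2b. PL/SQL process, hardened: the dynamic statement keeps a placeholder
--     (b_ename, hypothetical name) and the value is supplied with USING.
declare
  l_count number;
begin
  execute immediate
    'select count(*) from emp where ename = :b_ename'
    into l_count
    using :P1_ENAME;
end;
```

When reviewing an application, searching component sources for `&` followed by an item name and a trailing `.` inside SQL or PL/SQL, and for `execute immediate` with `||`, finds both patterns.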