This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
PL/SQL Security Cheat Sheet
PL/SQL is a powerful procedural language built on top of Oracle SQL syntax. Extensive library of business-related and data-processing functions it incorporates makes it an attractive environment for building business-critical applications operating fully within the Oracle database. Introduction of PL/SQL Web Toolkit enabled Oracle developers to generate HTML straight from the PL/SQL code and build web applications fully residing from within the Oracle database.
Just as any other web stack, PL/SQL web applications require careful input validation and other standard safeguards to prevent exploitable OWASP Top 10 vulnerabilities. Oracle `htp` (hypertext procedures) and `htf` (hypertext functions) packages contain the primary functions for generating output in PL/SQL web applications as well as output escaping functions. Oracle: The htp and htf Packages
Escaping
Applications running on newer Oracle versions where APEX packages are available should use `apex_escape` for contextual escaping of output data in a manner similar to ESAPI validators. Oracle: apex_escape
- APEX_ESCAPE.HTML
- APEX_ESCAPE.HTML_ATTRIBUTE
- APEX_ESCAPE.HTML_TRUNC
- APEX_ESCAPE.HTML_WHITELIST
- APEX_ESCAPE.JS_LITERAL
- APEX_ESCAPE.LDAP_DN
- APEX_ESCAPE.LDAP_SEARCH_FILTER
- APEX_ESCAPE.NOOP
Applications running on older versions of Oracle may use htp.prints to output text blocks rather than htp.print as the former escapes potentially dangerous characters (`<>"'`).
For escaping individual data fields `htf.escape_sc` for output in HTML context should be used. The `utl_url.escape` function is available to escape URL characters (`&"<>%`). URL escaping functionality is also provided by legacy `htf.escape_url` function but it's less robust.
Authors
- Pawel Krawczyk