PL/SQL Security Cheat Sheet

PL/SQL is a powerful procedural language built on top of Oracle SQL syntax. Extensive library of business-related and data-processing functions it incorporates makes it an attractive environment for building business-critical applications operating fully within the Oracle database. Introduction of PL/SQL Web Toolkit enabled Oracle developers to generate HTML straight from the PL/SQL code and build web applications fully residing from within the Oracle database.

Just as any other web stack, PL/SQL web applications require careful input validation and other standard safeguards to prevent exploitable OWASP Top 10 vulnerabilities. Oracle `htp` (hypertext procedures) and `htf` (hypertext functions) packages contain the primary functions for generating output in PL/SQL web applications as well as output escaping functions. Oracle: The htp and htf Packages

Escaping
Applications running on newer Oracle versions where APEX packages are available should use `apex_escape` for contextual escaping of output data in a manner similar to ESAPI validators. Oracle: apex_escape


 * APEX_ESCAPE.HTML
 * APEX_ESCAPE.HTML_ATTRIBUTE
 * APEX_ESCAPE.HTML_TRUNC
 * APEX_ESCAPE.HTML_WHITELIST
 * APEX_ESCAPE.JS_LITERAL
 * APEX_ESCAPE.LDAP_DN
 * APEX_ESCAPE.LDAP_SEARCH_FILTER
 * APEX_ESCAPE.NOOP

Applications running on older versions of Oracle may use htp.prints to output text blocks rather than htp.print as the former escapes potentially dangerous characters (`<>"'`).

For escaping individual data fields `htf.escape_sc` for output in HTML context should be used. The `utl_url.escape` function is available to escape URL characters (`&"<>%`). URL escaping functionality is also provided by legacy `htf.escape_url` function but it's less robust.

Authors

 * Pawel Krawczyk