G-7510: Always prefix Oracle supplied packages with owner schema name.

Major

Security

Reason

The signatures of Oracle-supplied packages are well known, so it is quite easy for someone to provide a package with the same name as an Oracle one that does something completely different, without you noticing it.

Example (bad)

declare
   co_hello_world constant string(30 char) := 'Hello World';
begin
   dbms_output.put_line(co_hello_world);
end;
/

Example (good)

declare
   co_hello_world constant string(30 char) := 'Hello World';
begin
   sys.dbms_output.put_line(co_hello_world);
end;
/
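
To check a database for objects that an unqualified call could resolve to instead of the Oracle-supplied package, the following query is an added example, not part of the original guideline. It assumes Oracle Database 12c or later (for the `oracle_maintained` column) and select privilege on the `dba_objects` and `dba_synonyms` views; the column aliases are illustrative.

```sql
-- Added example: review candidates that share a name with a SYS package.
-- Assumption: 12c+ (oracle_maintained) and access to the dba_* views.
with sys_pkg as (
   -- names of the packages shipped in the SYS schema
   select object_name
     from dba_objects
    where owner = 'SYS'
      and object_type = 'PACKAGE'
)
-- 1) packages with the same name in a schema not maintained by Oracle
select o.owner,
       o.object_name,
       'PACKAGE' as shadow_type,
       cast(null as varchar2(400)) as resolves_to
  from dba_objects o
 where o.object_type = 'PACKAGE'
   and o.owner <> 'SYS'
   and o.oracle_maintained = 'N'
   and o.object_name in (select p.object_name from sys_pkg p)
union all
-- 2) private or public synonyms with the same name that do not
--    point to the SYS package of that name
select s.owner,
       s.synonym_name,
       'SYNONYM',
       s.table_owner || '.' || s.table_name
          || case when s.db_link is not null then '@' || s.db_link end
  from dba_synonyms s
 where s.synonym_name in (select p.object_name from sys_pkg p)
   and (   s.table_owner <> 'SYS'
        or s.table_name <> s.synonym_name
        or s.db_link is not null)
 order by 1, 2;
```

Every row is a name that code calling the package without the `sys.` prefix may bind to, depending on the schema the code is compiled in. Code that uses the prefix is unaffected by any of them.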