Oracle Tip: The wrap utility and code obfuscation

Oracle provides a second way to ship PL/SQL code, using the "wrap" utility that ships with the database.

Oracle PL/SQL is loaded into the database in one of two ways. The primary way is to apply the PL/SQL code against the database directly in a SQL script from source code. But, if you're shipping the code to an external customer, you run the risk of someone taking your source code, copying it, and modifying it for their own apps. Some customers have been known to modify source code to get around some limitation.

Oracle provides a second way to ship PL/SQL code, using the "wrap" utility that ships with the database. It will "encrypt" the source code into a format that cannot be reverse-engineered or edited. The code is loaded into the database using the "wrapped" keyword:

create or replace package body as wrapped ...

The PL/SQL code will be the same as if you applied the original source code, but the file will be virtually impossible to reverse-engineer. Most of the Oracle supplied packages are wrapped; however, you should be aware of some limitations. The wrapped version of a package body is often as much as three times the size of the source code. The increased size also means that it may take three times as long to install the package body. Even in the best cases, wrapping can work only on package bodies. You cannot wrap the package specifications, a procedure, function, trigger, or object source code.

One alternative to using the "wrap" function is to apply techniques of code obfuscation used for other programming languages. These techniques work by running a parser over the source code that understands the details of the language's syntax and performing some steps that make the code difficult for people to read. Possible obfuscation steps would be to remove all comments (being careful of SQL hints); remove all unnecessary spaces, wrapping in unusual places; and change local variable names to "ugly" replacements, (using names such as "o4y89" instead of "l_ssn"). Some obfuscators would even add extra code after a return, which only makes the compiled version larger.

PL/SQL syntax has interesting potential. While normal identifiers are defined as a letter, followed by letters, numerals, dollar signs, underscores, and the "#" character, you can use any sequence of characters as long as you enclose them in quotes. For example, here's a short PL/SQL that uses a space as a variable name:

    " " integer; — variable name is "a space"
    " " := 2003;

With quotes, you don't need leading or trailing spaces, so the following is identical:

declare" "integer;begin" ":=2003;end;

If you set your NLS_LANG correctly, you can use characters that are unique to a specific character set, such as Unicode, Chinese, or Thai characters. Unfortunately, you cannot modify keywords, and PL/SQL is a wordy language. But you could hide types by using obfuscated names for SUBTYPEs without affecting performance.

TechRepublic's Oracle newsletter covers automating Oracle utilities, generating database alerts, solving directed graph problems, and more. Automatically subscribe today!

Editor's Picks