Oracle PL/SQL is loaded into the database in
one of two ways. The primary way is to apply the PL/SQL code
against the database directly in a SQL script from source code.
But, if you’re shipping the code to an external customer, you run
the risk of someone taking your source code, copying it, and
modifying it for their own apps. Some customers have
been known to modify source code to get around some limitation.

Oracle provides a second way to ship PL/SQL
code, using the “wrap” utility that ships with the database. It
will “encrypt” the source code into a format that cannot be
reverse-engineered or edited. The code is loaded into the database
using the “wrapped” keyword:

create or replace package body as wrapped …

The PL/SQL code will be the same as if you
applied the original source code, but the file will be virtually
impossible to reverse-engineer. Most of the Oracle supplied
packages are wrapped; however, you should be aware of some
limitations. The wrapped version of a package body is often as much
as three times the size of the source code. The increased size also
means that it may take three times as long to install the package
body. Even in the best cases, wrapping can work only on package
bodies. You cannot wrap the package specifications, a procedure,
function, trigger, or object source code.

One alternative to using the “wrap” function is
to apply techniques of code obfuscation used for other programming
languages. These techniques work by running a parser over the
source code that understands the details of the language’s syntax
and performing some steps that make the code difficult for people
to read. Possible obfuscation steps would be to remove all comments
(being careful of SQL hints); remove all unnecessary spaces,
wrapping in unusual places; and change local variable names to
“ugly” replacements, (using names such as “o4y89” instead of
“l_ssn”). Some obfuscators would even add extra code after a
return, which only makes the compiled version larger.

PL/SQL syntax has interesting potential. While
normal identifiers are defined as a letter, followed by letters,
numerals, dollar signs, underscores, and the “#” character, you can
use any sequence of characters as long as you enclose them in
quotes. For example, here’s a short PL/SQL that uses a space as a
variable name:

Declare
    ” ” integer; — variable name is “a
space”
begin
    ” ” := 2003;
end;
/

With quotes, you don’t need leading or trailing
spaces, so the following is identical:

declare” “integer;begin” “:=2003;end;
/

If you set your NLS_LANG correctly, you can use
characters that are unique to a specific character set, such as
Unicode, Chinese, or Thai characters. Unfortunately, you cannot
modify keywords, and PL/SQL is a wordy language. But you could hide
types by using obfuscated names for SUBTYPEs without affecting
performance.

TechRepublic’s Oracle newsletter covers automating Oracle utilities, generating database alerts, solving directed graph problems, and more. Automatically subscribe today!