5.5 DBMS_ASSERT Limitations

DBMS_ASSERT is not a panacea against all sorts of PL/SQL evils. It is essentially a collection of pattern matching routines that confirm whether the supplied string matches expected patterns. It can be used to protect against certain kinds of malicious input but cannot comprehensively defend against all such inputs.

Here are some instances where DBMS_ASSERT may not help:

  • It contains no routines to validate TNS connect strings, for example “((description =...”.
  • It is neither designed nor intended to be a defense against cross-site scripting attacks.
  • It does not check for input string lengths, and therefore, cannot be used as any kind of defense against a buffer overflow attack.
  • It does not guarantee that a SQL name is in fact a parseable SQL name.
  • It does not protect against parsing as the wrong user or other security risks due to inappropriate privilege management.
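The length and parseability points above can be seen directly. The following PL/SQL block is an added example and is not code from the original page or from Oracle: it passes a constructed 200-character identifier to DBMS_ASSERT.SIMPLE_SQL_NAME, which accepts it because only the character pattern is checked, and then shows a hypothetical wrapper (bounded_simple_name, an assumption of this example) that adds the length check a caller must supply themselves. The 30-byte limit is an assumed value; use the identifier limit of your database version (30 bytes before 12.2, 128 bytes from 12.2 on).

```sql
-- Added example, not part of the original page: DBMS_ASSERT.SIMPLE_SQL_NAME
-- does not enforce identifier length, so a caller must add that check.
SET SERVEROUTPUT ON
DECLARE
  -- Constructed input: 200 characters, every one a legal identifier character
  l_long_name VARCHAR2(4000) := 'T' || RPAD('X', 199, 'X');
  l_checked   VARCHAR2(4000);

  -- Hypothetical wrapper (assumption, not part of DBMS_ASSERT): rejects NULL and
  -- over-long names before delegating the pattern check to DBMS_ASSERT.
  FUNCTION bounded_simple_name(p_name      IN VARCHAR2,
                               p_max_bytes IN PLS_INTEGER := 30)
    RETURN VARCHAR2
  IS
  BEGIN
    IF p_name IS NULL OR LENGTHB(p_name) > p_max_bytes THEN
      RAISE_APPLICATION_ERROR(-20001,
        'identifier missing or longer than ' || p_max_bytes || ' bytes');
    END IF;
    RETURN DBMS_ASSERT.SIMPLE_SQL_NAME(p_name);
  END bounded_simple_name;
BEGIN
  -- 1. DBMS_ASSERT accepts the 200-character name: no length check is performed,
  --    even though no object with this name could be created.
  l_checked := DBMS_ASSERT.SIMPLE_SQL_NAME(l_long_name);
  DBMS_OUTPUT.PUT_LINE('SIMPLE_SQL_NAME accepted ' || LENGTH(l_checked) || ' characters');

  -- 2. The wrapper rejects the same name before it reaches any dynamic SQL.
  BEGIN
    l_checked := bounded_simple_name(l_long_name);
  EXCEPTION
    WHEN OTHERS THEN
      DBMS_OUTPUT.PUT_LINE('wrapper rejected long name: ' || SQLERRM);
  END;

  -- 3. The wrapper still rejects what DBMS_ASSERT rejects (ORA-44003 for an
  --    identifier containing a character outside the allowed set).
  BEGIN
    l_checked := bounded_simple_name('bad-name');
  EXCEPTION
    WHEN OTHERS THEN
      DBMS_OUTPUT.PUT_LINE('wrapper rejected invalid name: ' || SQLERRM);
  END;
END;
/
```

Run the block in SQL*Plus or SQLcl with SERVEROUTPUT enabled. The first step prints that 200 characters were accepted; the second and third print the wrapper's rejection, with the ORA-44003 text in the third case. The wrapper shows the general pattern the list implies: DBMS_ASSERT validates the shape of a name, and every other property (length, existence, the privileges under which the resulting SQL will run) still has to be checked by the calling code.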