Code Review Checklist

Checklist Item	Description
Bind Arguments	Check the use of bind arguments. Ensure that DBMS_ASSERT is only used where bind arguments are impractical.
Error Reporting	Check that use of DBMS_ASSERT preserves existing error reporting granularity. Check that exceptions raised by DBMS_ASSERT are properly handled within the routine or the call stack.
Case Sensitivity	Ensure that case-sensitivity is not affected by use of DBMS_ASSERT.
Check Coverage	Ensure that all injectable parameters and code paths are protected by DBMS_ASSERT.
Check Scope	Check that the scope of calls to DBMS_ASSERT routines ensures that the protection is effective. Calls to DBMS_ASSERT should be at the point the injectable variable is used and not within generated code blocks.
Second Order Attacks	Ensure that no second order or quoted vulnerabilities remain. Typically, this may be caused if the routine uses string concatenation with embedded single quotation marks, for example, 'string'''\|\|dbms_assert.routine()\|\|''''; or similar constructions. Make sure that user input such as "sql’injection" does not lead to an injection. What happens if an attacker creates valid database objects with embedded quotes? For example: "Table'Name" Identify sources of “trusted” information and ensure that if the source is taken on trust, all the routines that are able to write to it uphold that trust.
Embedded Double Quotes	Check that valid but no longer supported syntax "str""ing" does not lead to vulnerabilities.
ENQUOTE_* Routines	In general, question the uses of DBMS_ASSERT, where one of the ENQUOTE_* routines is not being used.
Race Conditions	Use of SCHEMA_NAME and SQL_OBJECT_NAME without also using one of the ENQUOTE_* routines can lead to race condition attacks, and possible second-order injection attacks.
Cross Site Scripting	If using DBMS_ASSERT within a routine exposed via mod_plsql, ensure that all user-supplied data is passed through a suitable filtering routine. Do not rely on DBMS_ASSERT to filter the data from XSS vulnerabilities.
Buffer Overflows	Ensure that any library routines have no underlying buffer overflow vulnerabilities. Do not rely on DBMS_ASSERT for protection from buffer overflows.
Invoker's / Definer's Rights	Ensure that SQL statements are executed with the rights of the calling user except when it is strictly necessary to perform actions as the schema owner. In general, check that routines execute with invoker's rights. Where definer's rights routines and packages must be used, ensure that it is not possible to acquire additional privileges through user-defined tables, triggers, procedures, functions, and so on.