PlsqlRequestValidationFunction

Specifies an application-defined PL/SQL function which gives you the opportunity to allow/disallow further processing of the requested procedure.

This is useful in implementing tight security for your PL/SQL application by blocking out package/procedure calls which should not be allowed to execute from this DAD.

The function defined by this parameter must have the following prototype:

boolean function_name ( procedure_name in varchar2 )

Upon invocation, the argument 'procedure_name' will contain the name of the procedure that the request is trying to execute.

For example, if all the PL/SQL application procedures callable from a browser are inside the package "mypkg", then a simple implementation of this function can be as follows:


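function holy_validation ( procedure_name in varchar2 ) return boolean is
begin
  -- Allow only names that start with myschema.mypkg (case-insensitive).
  -- Note: the pattern has no trailing dot, so it also matches any other
  -- package in myschema whose name begins with "mypkg".
  if
    lower( procedure_name ) like lower( 'myschema.mypkg%' )
  then
    return ( true );
  end if;
  return ( false );
end holy_validation;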

Syntax:
PlsqlRequestValidationFunction [string]
Default:
[none]
Example:
PlsqlRequestValidationFunction schema.package.holy_validation

Tips for PlsqlRequestValidationFunction

By default, mod_plsql already disallows direct URL access to certain schemas/packages. For more information about this, please refer to the mod_plsql configuration parameter PlsqlExclusionList.

It is highly recommended that you provide an implementation for this function such that it only allows requests that belong to your application and are callable from a browser.

Since this function will be called for every request, be sure to make this function as performant as possible.

Suggested recommendations are:

  • Name your PL/SQL packages in a fashion such that the implementation of this function can be similar to the example mentioned above.
  • If your implementation performs a table lookup to determine what packages/procedures should be allowed, performance can be improved if you pin the cursor in the shared pool.
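
A stricter variant of the allow-list check described above, added here as an illustration and not taken from the mod_plsql documentation. The names myschema, mypkg, request_guard and is_allowed are assumptions, as is the schema-qualified form of procedure_name (the same assumption the example above makes). It anchors the match on the package boundary, requires a plain identifier after it, and fails closed on any error:

```sql
-- Added example; MYSCHEMA, MYPKG, REQUEST_GUARD and IS_ALLOWED are assumed names.
create or replace package request_guard as
  function is_allowed ( procedure_name in varchar2 ) return boolean;
end request_guard;
/

create or replace package body request_guard as
  -- Trailing dot: "myschema.mypkg_admin.x" must not pass as "myschema.mypkg".
  c_prefix constant varchar2(64) := 'myschema.mypkg.';

  function is_allowed ( procedure_name in varchar2 ) return boolean is
    l_member varchar2(512);
  begin
    -- Reject missing or oversized names before doing any other work.
    if procedure_name is null or length( procedure_name ) > 128 then
      return ( false );
    end if;

    -- Exact, case-insensitive match on schema and package, not a LIKE prefix.
    if substr( lower( procedure_name ), 1, length( c_prefix ) ) != c_prefix then
      return ( false );
    end if;

    -- What remains must be a single plain identifier: no further dots,
    -- quotes, whitespace or other characters.
    l_member := substr( lower( procedure_name ), length( c_prefix ) + 1 );
    if regexp_like( l_member, '^[a-z][a-z0-9_$#]*$' ) then
      return ( true );
    end if;

    -- An empty member makes regexp_like yield NULL, which lands here too.
    return ( false );
  exception
    when others then
      return ( false );  -- fail closed: an unexpected error denies the request
  end is_allowed;
end request_guard;
/
```

With these assumed names, the DAD entry would read PlsqlRequestValidationFunction myschema.request_guard.is_allowed. The check uses only string operations, so it adds no table lookup to the per-request path.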