Skip to Main Content

Breadcrumb

Question and Answer

Chris Saxon

Thanks for the question, Mohammed Imran.

Asked: February 24, 2017 - 10:27 am UTC

Last updated: February 27, 2017 - 3:45 pm UTC

Version: 11.2.0.3.0

Viewed 1000+ times

You Asked

Hello,

We have requirement to release our product at customer location(usually we just deliver processed data to the customer) and allow them to use it for sometime before they are satisfied, hence to secure code/algorithm we need to wrap the code.

For demo purpose I have created a small procedure and wrapped it using DBMS_DDL.CREATE_WRAPPED procedure but unfortunately the wrapped code was very easily unwrapped at url ( http://www.codecrete.net/UnwrapIt/ ) :(

Could you suggest what should we do to secure the code?
Thanks,
Imran

and Chris said...

PL/SQL wrapping is obfuscation, not encryption. If you're deploying the code in a database the customer has access to, then they'll be able to find ways to reverse engineer the source if they want to:

https://asktom.oracle.com/pls/apex/f?p=100:11:0::::P11_QUESTION_ID:9527638000346270304

Rating

  (2 ratings)

Is this answer out of date? If it is, please let us know via a Comment

Comments

Alternates to consider

Raj Jamadagni, February 24, 2017 - 1:57 pm UTC

You may want to check http://www.petefinnigan.com/products/pfclobfuscate.htm he proposes as a secured alternative. I have no experience with that tool, but you can take a look.

Alternatively you can do what Oracle seems to be doing lately, write your code in pro*C, expose as libraries and call those procedures using pl/sql packages. Similar approach may exist for java as well.

You just need to evaluate what is feasible for you.

Connor McDonald
February 25, 2017 - 1:10 am UTC

nice input.

So is there no way to secure code

Mohammed Imran Pasha, February 27, 2017 - 6:42 am UTC

Hi ,

It seems like there is no solution or utility provided by oracle to secure code.

Oracle is such widely used DB then is it so difficult to wrap or secure code?

My team is in discussions to take services of 3rd party which will provide their utilities to secure code but this service will cost us some $$$, My question again is why cannot oracle provide us with such flexibility?

Thanks,
Imran.
Chris Saxon
February 27, 2017 - 3:45 pm UTC

Well if you want to actually secure your code, you need to encrypt it. Which means you need to have secure methods for generating and storing keys. This adds a lot of complexity.

And if the database is on a customer site, they've got access to ciphertext. So they could attempt to decrypt it if they wanted to.

If you're really concerned about this, don't install at the customer's site! Instead, find a way to provide trials over the web. That way the database is hidden from them, making this discussion moot.
more

Connor and Chris don't just spend all day on AskTOM. You can also catch regular content via Connor's blog and Chris's blog. Or if video is more your thing, check out Connor's latest video and Chris's latest video from their Youtube channels. And of course, keep up to date with AskTOM via the official twitter account.

More to Explore

PL/SQL demos

Check out more PL/SQL tutorials on our LiveSQL tool.

PL/SQL docs

PL/SQL reference manual from the Oracle documentation library