Oracle DBMS_SQL_FIREWALL
Version 26ai

General Information
Library Note Morgan's Library Page Header
The best Oracle News for FY2026

Oracle Database 26ai is now availble. If you haven't you downloaded already: Why?
Purpose Creates a PL/SQL admin packages for database firewall.

According to the Beta docs prevents SQL Injection attacks: I am far from confident that the author understands what a SQL Injection attack actually is.
AUTHID CURRENT_USER
Constants
Name Data Type Value
 Log Types
CAPTURE_LOG NUMBER 1
VIOLATION_LOG NUMBER 2
ALL_LOGS NUMBER 3
 Feature Supported in the Exclude/Include API
SCHEDULER_JOB NUMBER 1
 Add/Delete Context Types
OS_PROGRAM NUMBER 1
OS_USERNAME NUMBER 2
IP_ADDRESS NUMBER 3
 Enforce options for Enable Allow List and Update Allow List Enforcement
ENFORCE_CONTEXT NUMBER 1
ENFORCE_SQL NUMBER 2
ENFORCE_ALL NUMBER 3
Dependencies
KZFW$ADM_LIBT    
Documented Yes: Packages and Types Reference
Exceptions
Error Code Reason
ORA-47605 SQL Firewall violation
ORA-47626 SQL Firewall capture for user has been started
First Available 23ai
Pragmas None
Security Model Owned by SYS with EXECUTE granted to the SQL_FIREWALL_ADMIN role.
Source {ORACLE_HOME}/rdbms/admin/catfwp.sql
{ORACLE_HOME}/rdbms/admin/prvtfwp.plb
Subprograms
ADD_ALLOWED_CONTEXT EXCLUDE
APPEND_ALLOW_LIST EXPORT_ALLOW_LIST
APPEND_ALLOW_LIST_SINGLE_SQL FLUSH_LOGS
CREATE_CAPTURE GENERATE_ALLOW_LIST
DELETE ALLOWED_CONTEXT IMPORT_ALLOW_LIST
DELETE_ALLOWED_SQL INCLUDE
DISABLE MOVE_LOG_TABLES
DISABLE_ALLOW_LIST PURGE_LOG
DROP_ALLOW_LIST START_CAPTURE
DROP_CAPTURE STOP_CAPTURE
ENABLE UPDATE_ALLOW_LIST_ENFORCEMENT
ENABLE_ALLOW_LIST Demo
 
ADD_ALLOWED_CONTEXT (new 23ai)
Add a context to the list of allowed contexts for a user who is configured for SQL Firewall dbms_sql_firewall.add_allowed_context(
username     IN VARCHAR2,
context_type IN NUMBER,
value        IN VARCHAR2);
TBD
 
APPEND_ALLOW_LIST (new 23ai)
Appends additional SQL statements to an existing allow list by using the capture and/or violation logs as the source dbms_sql_firewall.append_allow_list(
username IN VARCHAR2,
source   IN NUMBER);
TBD
 
APPEND_ALLOW_LIST_SINGLE_SQL (new 23ai)
Undocumented. dbms_sql_firewall.append_allow_list_single_sql(
username      IN VARCHAR2,
sql_signature IN VARCHAR2,
current_user  IN VARCHAR2,
top_level     IN VARCHAR2,
source        IN NUMBER   DEFAULT sys.dbms_sql_firewall.violation_log);
TBD
 
CREATE_CAPTURE (new 23ai)
Creates a user SQL Firewall capture for the specified level dbms_sql_firewall.create_capture(
username       IN VARCHAR2,
top_level_only IN BOOLEAN DEFAULT FALSE,
start_capture  IN BOOLEAN DEFAULT TRUE);
See demo at page bottom
 
DELETE ALLOWED_CONTEXT (new 23ai)
Deletes a user assigned context value dbms_sql_firewall.delete_allowed_context(
username     IN VARCHAR2,
context_type IN NUMBER,
value        IN VARCHAR2 DEFAULT NULL);
TBD
 
DELETE ALLOWED_SQL (new 23ai)
Deletes SQL from the allowed list dbms_sql_firewall.delete_allowed_context(
username       IN VARCHAR2,
allowed_sql_id IN NUMBER);
TBD
 
DISABLE (new 23ai)
Disable SQL Firewall dbms_sql_firewall.disable;
exec dbms_sql_firewall.disable;
 
DISABLE_ALLOW_LIST (new 23ai)
Disable SQL Firewall allow-list enforcement for a user dbms_sql_firewall.disable_allow_list(username IN VARCHAR2);
See demo at page bottom
 
DROP_ALLOW_LIST (new 23ai)
Drop a SQL Firewall capture dbms_sql_firewall.drop_allow_list(username IN VARCHAR2);
See demo at page bottom
 
DROP_CAPTURE (new 23ai)
Drop a SQL Firewall capture dbms_sql_firewall.drop_capture(username IN VARCHAR2);
exec dbms_sql_firewall.drop_capture('C##UWCLASS');
 
ENABLE (new 23ai)
Enable SQL Firewall dbms_sql_firewall.enable;
See demo at page bottom
 
ENABLE_ALLOW_LIST (new 23ai)
Enable SQL Firewall allow-list enforcement for a user dbms_sql_firewall.enable_allow_list(
username IN VARCHAR2,
enforce  IN NUMBER  DEFAULT sys.dbms_sql_firewall.enforce_all,
block    IN BOOLEAN DEFAULT FALSE);
TBD
 
EXCLUDE (new 23ai)
Prevent SQL Firewall from capturing/enforcing allow-lists for database connections and SQL executions during Scheduler operations dbms_sql_firewall.exclude(feature IN NUMBER);
TBD
 
EXPORT_ALLOW_LIST (new 23ai)
Export the SQL Firewall allow list dbms_sql_firewall.export_allow_list(
username   IN     VARCHAR2,
allow_list IN OUT CLOB);
TBD
 
FLUSH_LOGS (new 23ai)
Flushes all SQL Firewall logs that reside in memory to disk dbms_sql_firewall.flush_logs;
exec dbms_sql_firewall.flush_logs;

PL/SQL procedure successfully completed.
 
GENERATE_ALLOW_LIST (new 23ai)
Generates a SQL Firewall allow-list for a user from existing user capture logs dbms_sql_firewall.generate_allow_list(username IN VARCHAR2);
exec dbms_sql_firewall.generate_allow_list('C##UWCLASS');

PL/SQL procedure successfully completed.
 
IMPORT_ALLOW_LIST (new 23ai)
Import the SQL Firewall allow list dbms_sql_firewall.import_allow_list(
username   IN VARCHAR22,
allow_list IN CLOB);
TBD
 
INCLUDE (new 23ai)
enables SQL Firewall to capture and enforce allow-lists for database connections and SQL executions during Scheduler operations. dbms_sql_firewall.include(feature IN NUMBER);
TBD
 
MOVE_LOG_TABLES (new 23ai)
Relocate the log tables to the named tablespace dbms_sql_firewall.move_log_tables(tablespace_name IN VARCHAR2);
exec dbms_sql_firewall.move_log_tables('AUDITLOGS_TBSP');

PL/SQL procedure successfully completed.
 
PURGE_LOG (new 23ai)
Purge SQL Firewall logs dbms_sql_firewall.purge_log(
username   IN VARCHAR2                 DEFAULT NULL,
purge_time IN TIMESTAMP WITH TIME ZONE DEFAULT NULL,
log_type   IN NUMBER                   DEFAULT dbms_sql_firewall.all_logs);
TBD
 
START_CAPTURE (new 23ai)
Start SQL Firewall capture for a user dbms_sql_firewall.start_capture(username IN VARCHAR2);
See demo at page bottom
 
STOP_CAPTURE (new 23ai)
Stop SQL Firewall capture for a user dbms_sql_firewall.stop_capture(username IN VARCHAR2);
See demo at page bottom
 
UPDATE_ALLOW_LIST_ENFORCEMENT (new 23ai)
Update SQL Firewall allow-list enforcement options for a user dbms_sql_firewall.update_allow_list_enforcement(
username IN VARCHAR2,
enforce  IN NUMBER  DEFAULT NULL,
block    IN BOOLEAN DEFAULT NULL);
TBD
 
Demo
This demo takes SQL Firewall from initial setup, to capture, to allow list creation through capturing a violation
conn / as sysdba

CREATE USER c##applic
IDENTIFIED BY applic
DEFAULT TABLESPACE users
TEMPORARY TABLESPACE temp
QUOTA 100M ON users
PROFILE DEFAULT;

CREATE TABLE c##applic.credit_cards (
credit_card_number VARCHAR2(19),
expiration_date DATE,
security_code VARCHAR2(4),
available_credit NUMBER);

INSERT INTO c##applic.credit_cards
VALUES ('4123-5678-9012-3456', SYSDATE+30, '359', 5000);

INSERT INTO c##applic.credit_cards
VALUES ('5890-1234-5678-9123', SYSDATE+45, '892', 10000);

INSERT INTO c##applic.credit_cards
VALUES ('6574-3521-8805-7492', SYSDATE+120, '461', 25000);
COMMIT;

GRANT SELECT ON c##applic.credit_cards TO c##exploiter;
CREATE USER c##exploiter
IDENTIFIED BY exploiter
DEFAULT TABLESPACE users
TEMPORARY TABLESPACE temp
QUOTA 100M ON users
PROFILE DEFAULT;

Grant succeeded.
  
conn / as sysdba

exec dbms_sql_firewall.enable;

PL/SQL procedure successfully completed.

-- required if previously created / nightmare material
exec dbms_sql_firewall.disable_allow_list('C##EXPLOITER');
exec dbms_sql_firewall.drop_allow_list('C##EXPLOITER');

PL/SQL procedure successfully completed.

exec dbms_sql_firewall.create_capture('C##EXPLOITER', FALSE, TRUE);

PL/SQL procedure successfully completed.

exec dbms_sql_firewall.start_capture('c##EXPLOITER');
*
ORA-47626: SQL Firewall capture for user C##EXPLOITER has been started.
 
-- connect as the user that will attack the system and let the firewall capture SQL
conn c##exploiter/exploiter

desc c##applic.credit_cards

SELECT COUNT(*) FROM c##applic.credit_cards;

SELECT SUBSTR(credit_card_number, 16, 4) AS FINAL_FOUR FROM c##applic.credit_cards;

ALTER SESSION SET query_rewrite_integrity = TRUSTED;

ALTER SESSION SET query_rewrite_integrity = ENFORCED;
 
-- after the SQL is captured stop the capture process and review capture metadata
conn / as sysdba

exec dbms_sql_firewall.stop_capture('C##EXPLOITER');

PL/SQL procedure successfully completed.

SELECT sql_text FROM dba_sql_firewall_capture_logs;

SQL_TEXT
------------------------------------------------------------------------------------
ALTER SESSION SET QUERY_REWRITE_INTEGRITY=TRUSTED
SELECT SUBSTR (CREDIT_CARD_NUMBER,:"SYS_B_0",:"SYS_B_1") AS FINAL_FOUR FROM C##APPLIC.CREDIT_CARDS
ALTER SESSION SET QUERY_REWRITE_INTEGRITY=ENFORCED
DESCRIBE C##APPLIC.CREDIT_CARDS
SELECT COUNT (*) FROM C##APPLIC.CREDIT_CARDS
SELECT DECODE (USER,:"SYS_B_0",XS_SYS_CONTEXT (:"SYS_B_1",:"SYS_B_2"),USER) FROM SYS.DUAL

SELECT username, command_type, accessed_objects, current_user, top_level, ip_address
FROM dba_sql_firewall_capture_logs;

USERNAME     COMMAND_TYPE  ACCESSED_OBJECTS           CURRENT_USER TOP_LEVEL IP_ADDRESS
------------ ------------- -------------------------- ------------ --------- ----------
C##EXPLOITER ALTER SESSION                            C##EXPLOITER Y         Local
C##EXPLOITER SELECT        "C##APPLIC"."CREDIT_CARDS" C##EXPLOITER Y         Local
C##EXPLOITER ALTER SESSION                            C##EXPLOITER Y         Local
C##EXPLOITER DESCRIBE      "C##APPLIC"."CREDIT_CARDS" C##EXPLOITER Y         Local
C##EXPLOITER SELECT        "C##APPLIC"."CREDIT_CARDS" C##EXPLOITER Y         Local
C##EXPLOITER SELECT        "SYS"."DUAL"               C##EXPLOITER Y         Local
 
conn / as sysdba

exec dbms_sql_firewall.generate_allow_list('C##EXPLOITER');

PL/SQL procedure successfully completed.

SELECT sql_text FROM dba_sql_firewall_allowed_sql;

SQL_TEXT
---------------------------------------------------------------------------------------
ALTER SESSION SET QUERY_REWRITE_INTEGRITY=TRUSTED
SELECT SUBSTR (CREDIT_CARD_NUMBER,:"SYS_B_0",:"SYS_B_1") AS FINAL_FOUR FROM C##APPLIC.CREDIT_CARDS
ALTER SESSION SET QUERY_REWRITE_INTEGRITY=ENFORCED
DESCRIBE C##APPLIC.CREDIT_CARDS
SELECT COUNT (*) FROM C##APPLIC.CREDIT_CARDS
SELECT DECODE (USER,:"SYS_B_0",XS_SYS_CONTEXT (:"SYS_B_1",:"SYS_B_2"),USER) FROM SYS.DUAL

SELECT * FROM dba_sql_firewall_allowed_os_prog;

USERNAME OS_PROGRAM
-------------------- ---------------------------------
C##EXPLOITER sqlplus@localhost.localdomain (TNS V1-V3)
 
SELECT view_name FROM dba_views WHERE view_name LIKE 'DBA_SQL_FIREWALL%' ORDER BY 1;

VIEW_NAME
----------------------------------
DBA_SQL_FIREWALL_ALLOWED_IP_ADDR
DBA_SQL_FIREWALL_ALLOWED_OS_PROG
DBA_SQL_FIREWALL_ALLOWED_OS_USER
DBA_SQL_FIREWALL_ALLOWED_SQL
DBA_SQL_FIREWALL_ALLOW_LISTS
DBA_SQL_FIREWALL_CAPTURES
DBA_SQL_FIREWALL_CAPTURE_LOGS
DBA_SQL_FIREWALL_SESSION_LOGS
DBA_SQL_FIREWALL_SQL_LOGS
DBA_SQL_FIREWALL_STATUS
DBA_SQL_FIREWALL_VIOLATIONS
 
conn / as sysdba

BEGIN
  dbms_advanced_rewrite.declare_rewrite_equivalence(
  'DSF',
  'SELECT SUBSTR(credit_card_number, 16, 4) AS FINAL_FOUR FROM c##applic.credit_cards',
  'SELECT credit_card_number || ''|'' || TO_CHAR(expiration_date) || ''|'' ||
   security_code || ''|'' || TO_CHAR(AVAILABLE_CREDIT) FROM c##applic.credit_cards',
  FALSE,
  'TEXT_MATCH');
END;
/

PL/SQL procedure successfully completed

GRANT alter session TO c##exploiter;

exec dbms_sql_firewall.enable_allow_list('C##EXPLOITER', dbms_sql_firewall.enforce_sql, TRUE);
 
conn c##exploiter/exploiter

desc c##applic.credit_cards

SELECT SUBSTR(credit_card_number, 16, 4) AS FINAL_FOUR FROM c##applic.credit_cards;

FINAL_FOUR
----------------
3456
9123
7492

SELECT expiration_date-1 FROM c##applic.credit_cards;
*
ORA-47605: SQL Firewall violation

Related Topics
Built-in Functions
Built-in Packages
Database Security
DBMS_ASSERT
SQLFW$DATAPUMP
What's New In 21c
What's New In 26ai

Morgan's Library Page Footer
This site is maintained by Daniel Morgan. Last Updated: This site is protected by copyright and trademark laws under U.S. and International law. © 1998-2026 Daniel A. Morgan All Rights Reserved