mod_plsql and EPG (DBMS_EPG) provide two way to deal with that:
the DAD proprieties:
PlsqlExclusionList (in EPG it's exclusion-list) - allow to specify a Blacklist of procedure name. It's default varies with versions but normally it's
sys.*, dbms_*, utl_*,owa_*,owa.*,htp.*,htf.*,wpg_docload.*
That mean for instance that any call with call name like utl_* cannot be accessed.
Be advised that in some clients the configuration can be other and maybe your "web packages that always work" could get an access error message!
PlsqlRequestValidationFunction (in EPG it's request-validation-function) – allow the specification of a function that will provide (more) blacklisting or whitelisting. The function must have a spec like the following (the name of the function is the only one that can change)
function <function_name> (procedure_name IN varchar2) return boolean
If the return is TRUE then the access is allowed else access is not allowed and the client with get and HTTP Forbidden message.
An example of a whitelisting. You have a table my_pages with all the procedure names (in column name)that can be called by the web (It's the best practice because the programmer must have explicit put there the procedure name for it to be allowed)
FUNCTION my_validation_check (procedure_name IN VARCHAR2) RETURN BOOLEAN IS li_check PLS_INTEGER; BEGIN SELECT 1 INTO li_check FROM my_pages WHERE name = UPPER (procedure_name); RETURN TRUE; EXCEPTION WHEN NO_DATA_FOUND THEN RETURN FALSE; END my_validation_check;
Other gateways have similar options and some even more options (like whitelist in the DAD configuration).
Good and secure codding!