== Why is this an issue?

When data structures (scalar variables, collections, cursors) are declared in the package specification (not within any specific program), they can be referenced directly by any program running in a session with ``++EXECUTE++`` rights to the package.


Instead, declare all package-level data in the package body and provide getter and setter functions in the package specification. Developers can then access the data using these methods and will automatically follow all rules you set upon data modification.


By doing so you can guarantee data integrity, change your data structure implementation, and also track access to those data structures.

=== Noncompliant code example

[source,sql]
----
-- Package specification
CREATE PACKAGE employee AS
   name VARCHAR2(42); -- Non-Compliant
END employee;
/

DROP PACKAGE employee;
----

=== Compliant solution

[source,sql]
----
-- Package specification
CREATE PACKAGE employee AS
   PROCEDURE setName (newName VARCHAR2);
   FUNCTION getName RETURN VARCHAR2;
END employee;
/

-- Package body
CREATE PACKAGE BODY employee AS
   name VARCHAR2(42);

   PROCEDURE setName (newName VARCHAR2) IS
   BEGIN
     name := newName;
   END;

   FUNCTION getName RETURN VARCHAR2 IS
   BEGIN
     RETURN name;
   END;
END employee;
/

DROP PACKAGE BODY employee;

DROP PACKAGE employee;
----

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Move this variable declaration into a program.


'''
== Comments And Links
(visible only on this page)

include::../comments-and-links.adoc[]

endif::env-github,rspecator-view[]