Hide statements from SQL Server Profiler (or other observers)

In SQL Server 2008 R2, I would like to execute a statement that I want to be invisible to SQL Profiler or other ways to monitor user queries. Is there a way to control what is displayed by the SQL profiler?

I would like to do something like:

SELECT 'MyPassword' INTO #passwordTable 

I do not want to show "MyPassword" through SQL Server Profiler or in other ways. Any ideas?

+4
5 answers

Essentially no, you cannot. You could do this by adding a comment like this to the batch or statement:

 -- sp_password 

But that doesn't work anymore. Why don't you hash your password?

+9

Well, you must be the server administrator to run SQL Profiler, so even if you can prevent him from seeing this command, the user can just play in the password table. Ideally, you will store password hashes rather than passwords, making any browsing from the profiler useless.

If you really want to try so that the profiler does not see these statements, you can try a third-party tool like this: http://www.dbdefence.com/support/dbdefence-documentation/

I have no idea if this works, or how authoritative this company is.

+1

Denis, Aaron is right: there is no such thing as an “invisible statement”. You cannot configure SQL Profiler to NOT show statements: once on board you can see all the statements running in the database.

You need to obfuscate this sensitive data before sending it to the database. There are several obfuscation methods (one-way hashes, symmetric algorithms, homegrown methods); you need to choose the most suitable method for your needs and implement it. Unfortunately, in your case there is no free lunch ...

+1
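
The "hash it before it reaches the database" advice from the answers above, as an added example that is not part of the original thread: the one-way hash is computed in the client, so a trace of the call can only capture the salt and the digest. The table `dbo.UserCredential`, its columns, the `?` parameter style and the iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor; tune for your hardware

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted one-way hash client-side; the plaintext never leaves this process."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest

def build_insert(user: str, password: str):
    """Return the statement text and parameters that would be sent to SQL Server."""
    salt, digest = hash_password(password)
    # Hypothetical table and columns; parameters keep values out of the statement text.
    sql = "INSERT INTO dbo.UserCredential (UserName, Salt, PwdHash) VALUES (?, ?, ?)"
    return sql, (user, salt, digest)

def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)

def visible_to_trace(sql: str, params) -> str:
    """Approximate what an observer of the call could capture: text plus parameter values."""
    rendered = [p.hex() if isinstance(p, bytes) else repr(p) for p in params]
    return sql + " -- params: " + ", ".join(rendered)

if __name__ == "__main__":
    # Constructed sample input, reusing the literal from the question.
    sql, params = build_insert("alice", "MyPassword")
    print(visible_to_trace(sql, params))
    print("login ok:", verify_password("MyPassword", params[1], params[2]))
```

Anyone who can read the trace or the table still sees the salt and digest, which is why a slow, salted derivation is used rather than a single fast hash.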

I saw a product called DBDefence. It completely hides SQL statements from the profiler. I don’t know how they do it. I use the free version because I have a small database.

In earlier versions of SQL Server, you could add the comment --sp_password, but not in SQL Server 2008 or later.

+1

I do not see the point. If you can view the query using the SQL profiler, you can access the database to view the actual data.

The key is not to store sensitive data (such as passwords) in clear text.

Preventing the use of the SQL profiler will result in the proper security configuration being applied to your SQL Server.

0

Source: https://habr.com/ru/post/1433886/

