Hide SQL in the profiler

How can I make my SQL statements not appear in Profiler? They contain confidential information, and I do not want them to show in the Profiler.

Thanks for the answers!

+2
3 answers

The profiler can only be started by someone with the appropriate rights, so if your installation is properly protected, you should be fine (no user will be able to profile your application). This goes beyond security, because the profiler significantly slows down the server.

+3

The only way I can do this is to make them stored procedures (the profiler will only show the call), but if the arguments are safe (which is likely) this will not help you. (Edit: As indicated in the comments, you can change the profiler configuration to enable this anyway, so that won't help.)

Do you think that you do not provide access to people who are forbidden to view data? Access to run the profiler is a fairly high level of access ...

Also, did you consider hashing your data before saving / querying it? Sometimes this will not work, but if we are talking about passwords, then they really should be stored and searched in encrypted form in any case.

+3

There is no way. The "text" column in the profiler cannot be removed from use.

You need permissions to run the profiler (sysadmin or GRANT ALTER TRACE) so that it is not implicit.

Note:

  • sysadmins can decrypt stored procs or add a registration code, regardless of whether they are running profiler
  • physical access requires control, at least in order to stop someone who has stolen a copy of the database
  • things like sp_password or ALTER LOGIN are not traceable in any way
+3
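
The answers agree that the real control is who may run a trace at all: sysadmin members or holders of ALTER TRACE. The T-SQL below lists those principals on an instance. It is an added example, not part of any answer; it also reports CONTROL SERVER, which covers ALTER TRACE, and `ExampleLogin` in the commented REVOKE is a placeholder.

```sql
-- Added example: who can start a trace / Profiler session on this instance?
-- Run it as a login that can see server-level metadata (for example a sysadmin).

-- 1. Members of the sysadmin fixed server role.
SELECT  m.name            AS principal_name,
        m.type_desc       AS principal_type,
        'sysadmin member' AS reason
FROM    sys.server_role_members AS rm
JOIN    sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN    sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE   r.name = N'sysadmin'

UNION ALL

-- 2. Principals granted ALTER TRACE directly, or CONTROL SERVER (which covers it).
SELECT  p.name,
        p.type_desc,
        sp.permission_name + ' (' + sp.state_desc + ')'
FROM    sys.server_permissions AS sp
JOIN    sys.server_principals  AS p ON p.principal_id = sp.grantee_principal_id
WHERE   sp.class = 100                         -- server-level permissions only
  AND   sp.permission_name IN ('ALTER TRACE', 'CONTROL SERVER')
  AND   sp.state IN ('G', 'W')                 -- GRANT, GRANT WITH GRANT OPTION
ORDER BY principal_name;

-- 3. Remove the permission from a login that should not have it.
--    [ExampleLogin] is a placeholder, not a name from the page.
-- REVOKE ALTER TRACE FROM [ExampleLogin];
```

Every row returned is a principal able to see statement text in a trace, so the list should be as short as the list of people cleared to read the confidential data.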

Source: https://habr.com/ru/post/1433889/

