August 27, 2008 at 5:43 pm
Hi All,
We often need to send scripts and stored procedures to our clients (both 2000 and 2005) to make changes to their data, fix data issues etc. etc. etc. In this case we need to send a couple of statements that change some fairly critical data that ideally we don't want them viewing. In Oracle you can use a wrapped package to provide this kind of security, and Steve Jones wrote an article about C obfuscation found here:
http://www.sqlservercentral.com/articles/Editorial/61757/
Any ideas if this is possible for our T-SQL queries, functions, procedures etc?
There's one simple delete statement:
DELETE FROM table
And one simple insert:
INSERT INTO table (t_col1, t_col2) VALUES (1234, 12345.765)
Cheers all!
Jim.
August 27, 2008 at 7:13 pm
First there is the ENCRYPTION option for CREATE PROCEDURE.
Secondly, you can take a page from the Injection hackers,
try this:
declare @_ as varbinary(max)
set @_ =0x0D000A005000520049004E0054002000270054006800690073002000620069006E00610072007900200073007400720069006E0067002000770069006C006C002000650078006500630075007400650020002200530045004C0045004300540020002A002000460052004F004D0020005300590053002E004F0042004A00450043005400530022003A0027000D000A00530045004C0045004300540020002A002000460052004F004D0020005300590053002E004F0042004A0045004300540053000D000A00
exec (@_)
-- RBarryYoung, (302)375-0451 blog: MovingSQL.com, Twitter: @RBarryYoung
Proactive Performance Solutions, Inc. "Performance is our middle name."
August 27, 2008 at 7:30 pm
August 27, 2008 at 7:34 pm
It's safe, it just does a PRINT and Selects from SYS.OBJECTS.
I'll post how to make it in a minute...
-- RBarryYoung
August 27, 2008 at 7:40 pm
Here's an example of how to generate the hex string:
Declare @cmds Nvarchar(MAX)
Declare @obfoo varbinary(MAX)
Set @cmds = '
PRINT ''This binary string will execute "SELECT * FROM SYS.OBJECTS":''
SELECT * FROM SYS.OBJECTS
'
Set @obfoo = CAST(@cmds as varbinary(MAX))
Select @obfoo
Make sure your output is in grid mode, and replace the text above with your own SQL commands. Execute it, then copy the binary hex string from the output grid cell and paste it into the EXEC command in my previous post.
-- RBarryYoung
August 27, 2008 at 7:52 pm
August 27, 2008 at 8:03 pm
Jim (8/27/2008)
That works a treat! I just had all the guys in the office standing around watching how awesome that is! Until we cast the string back to an Nvarchar! haha.
That's great, Jim. Anytime I can cause a commotion is a good day for me. 😛
Thank you very much, you're a gent and a scholar!!!
Well, you're probably half right, but you're certainly welcome anyway! 😀
-- RBarryYoung
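As the reply quoted above notes, casting the string back to Nvarchar reveals the commands, so the hex form is encoding rather than protection. The following is an added example in Python, not part of the original thread, that scans a script for such binary literals and decodes them for review before anything is executed; the function names and the sample script are constructed for illustration.

```python
import re

# T-SQL binary literals; 8+ byte pairs so tiny constants are ignored.
HEX_LITERAL = re.compile(r"0x((?:[0-9A-Fa-f]{2}){8,})")
SQL_KEYWORDS = re.compile(
    r"\b(select|insert|update|delete|exec|execute|drop|create|alter|print)\b", re.I)

def to_varbinary_literal(sql):
    """Mirror CAST(@cmds AS varbinary(MAX)) for an NVARCHAR value (UTF-16LE bytes)."""
    return "0x" + sql.encode("utf-16-le").hex().upper()

def decode_literal(hex_digits):
    """Return the NVARCHAR text held in a binary literal, or None if it is not text."""
    try:
        text = bytes.fromhex(hex_digits).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None
    printable = sum(c.isprintable() or c in "\r\n\t" for c in text)
    # Real binary data decodes to mostly control or unassigned characters.
    if not text or printable / len(text) < 0.9:
        return None
    return text

def find_hidden_sql(script):
    """Return (line_number, decoded_text) for literals that decode to SQL-looking text."""
    findings = []
    for m in HEX_LITERAL.finditer(script):
        text = decode_literal(m.group(1))
        if text and SQL_KEYWORDS.search(text):
            line_no = script.count("\n", 0, m.start()) + 1
            findings.append((line_no, text.strip()))
    return findings

# Constructed sample: the pattern from the thread plus one ordinary binary constant.
SAMPLE_SCRIPT = (
    "declare @_ as varbinary(max)\n"
    "set @_ = " + to_varbinary_literal("\r\nSELECT * FROM SYS.OBJECTS\r\n") + "\n"
    "exec (@_)\n"
    "set @flags = 0x0000000000000001\n"
)

if __name__ == "__main__":
    for line_no, text in find_hidden_sql(SAMPLE_SCRIPT):
        print(f"line {line_no}: binary literal decodes to SQL text: {text!r}")
```
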