May 23, 2011 at 1:16 am
Hi,
A couple of senior analysts posed me a bit of a different question. One of the packages they developed using SQL as a backend has had some interest expressed from a major telco. This telco has offered a price for this solution (it is highly specialised in the data analytics area) and our firm is more than happy with this.
However we do not want to give this telco our IP. The question is this:
Is it possible for a user to Execute a stored procedure but not view what the code in that stored procedure is?
My initial reaction was no but there may be a slight workaround. Any advice would be appreciated.
Thanks
May 23, 2011 at 1:51 am
You can create the stored procedure with encryption and then grant execute permissions on the proc. http://msdn.microsoft.com/en-us/library/ms187926.aspx[/URL]
MCT
MCITP Database Admin 2008
MCITP Database Admin 2008
MCITP Database Dev 2008
www.jnrit.com.au/Blog.aspx
May 23, 2011 at 2:11 am
The encryption offered for Stored Procedures is incredibly trivial to reverse and can barely be called obfuscation.
Even if you could truly encrypt the stored procedure, you can never hide the code that's executing against SQL Server from anyone with appropriate privelages (through profiler traces and DMV's etc.) so the advice I'd give is if you need to protect the logic of the code, host it yourselves and offer the service instead.
May 23, 2011 at 2:58 am
Check VIEW DEFINITION Permission if you have SQL Server 2005 or higher version
Ram
MSSQL DBA
May 24, 2011 at 9:12 pm
Thanks for the advice. Turns out that the telco already made a payment to us and therefore hosting the solution and just providing the service to them is not an option.
We have decided to use ENCRYPT in the procs and functions. I have made people aware that is it far from a fool proof solution and any DBA worth his money will be able to get around the restriction easily. Management's opinion is that some encryption is better than none.
May 25, 2011 at 6:35 pm
mpartridge (5/24/2011)
Thanks for the advice. Turns out that the telco already made a payment to us and therefore hosting the solution and just providing the service to them is not an option.We have decided to use ENCRYPT in the procs and functions. I have made people aware that is it far from a fool proof solution and any DBA worth his money will be able to get around the restriction easily. Management's opinion is that some encryption is better than none.
Agreed but there's nothing better than a solid contract that says they cannot resell this in any way (have a lawer draft this up).
So IF they screw you over you have a case in court. Like it's been said, there's nothing really you can do to protect yourself from them seeing the code (if this is really what they are after, hopefully it's not the case).
Viewing 6 posts - 1 through 5 (of 5 total)
You must be logged in to reply to this topic. Login to reply