Reputation: 32602
Encrypted query in sql server
I want to execute a query in our client's server using remove access. If I execute a query something like this Update abc set col1=12 where id = 2 they will understand what we are doing. So I want some method for encryption and decryption like this:
In our server I encrypt a query like this:
encrypt(Update abc set col1=12 where id = 2)
So I get output like:
0x0100CF465B7B12625EF019E157120D58DD46569AC7BF4118455D12625EF019E157120D58DD46569AC7BF4118455D
And I execute a this encrypted query on client's machine like this:
decrypt(0x0100CF465B7B12625EF019E157120D58DD46569AC7BF4118455D12625EF019E157120D58DD46569AC7BF4118455D)
So our client can't understand what we have executed.
Upvotes: 1
Views: 12797
Answers (3)
Reputation: 5038
In my opinion, With Encryption is generally counter-productive as there are a number of Sql Server decryption tools. ie dbForge's DB Decryptor. I just used this to decrypt a database's T-SQL, so I could export DACPAC's and BACPAC's for use in Azure DevOps automated deployments. With Encryption causes DACPAC and BACPAC exports to fail. This means, if you implement With Encryption you cannot use DACPAC to create update scripts for DB Patches or direct updates, you cannot use Visual Studio Sql Server Tools projects, which makes DB development harder. You have not secured anything, just made it harder for Dev's and Op's to do their jobs.
Upvotes: 0
Reputation: 1
The only way I have found to ensure that no one can view your queries is to put them in a function or procedure using 'with encryption'. Run the below code to see for yourself. Dynamic SQL suggested in the earlier answer doesn't fully solve your problem.
create procedure dbo.dummy_drop_me with encryption as select t.* from sys.dm_exec_requests r cross apply sys.dm_exec_sql_text (r.sql_handle) t where r.session_id = @@spid
go
exec dbo.dummy_drop_me
go
select t.* from sys.dm_exec_requests r cross apply sys.dm_exec_sql_text (r.sql_handle) t where r.session_id = @@spid
go
exec ('select t.* from sys.dm_exec_requests r cross apply sys.dm_exec_sql_text (r.sql_handle) t where r.session_id = @@spid')
The only way I have found to keep someone from capturing your functions and procedures is to create them in their own database on a server where no one has access. Then, attach a copy of the database to the servers where you need them.
Upvotes: 0
Reputation: 24046
you can create a simple decrypt function like this..
create proc exec_decrypt(@sql_str varbinary(8000))
as
begin
declare @qry varchar(8000);
select @qry=cast(@sql_str as varchar(8000));
exec(@qry);
end
which accepts a varbinary string and converts to varchar and then execute it..
You can generate the encrypted query by using the satament below
select CAST('UPDATE users set name =''alex''' as varbinary(8000))
then execute the proc exec_decrypt in client place by passing the output of the above query as the parameter for the procedure..
Ex: exec_decrypt 0x55504441544520757365727320736574206E616D65203D27616C657827
Hope this will work for you.. Please note that client should not have any permission on the proc exec_decrypt
Upvotes: 1
Related Questions
- SQL Encrypted Columns in WHERE Clause
- How do I encrypt SQL Server data in application level and still be able to query it with LIKE?
- How to Encrypt Column Data in SQL?
- Encrypt query string in SQL possible?
- encryption in sql server
- Querying encrypted values in database
- SQL Server encrypting data
- Encrypting columns in SQL Server
- encrypt column in the table
- SQL - Encrypt a Column of Data