nr
SQLTeam MVY
United Kingdom
12543 Posts |
Posted - 11/16/2007 : 07:44:41
|
Create a new database. Don't allow users permission on that database. Create your SP in that database accessing the other database using the qualified name for the objects.
That means the users won't be able to see anything in your database but you can access the other database if you run it as sysadmin or a user with permissions.
========================================== Cursors are useful if you don't know sql. DTS can be used in a similar way. Beer is not cold and it isn't fizzy. |
 |
|
|
Merkin
Funky Drop Bear Fearing SQL Dude!
Australia
4970 Posts |
Posted - 11/16/2007 : 07:46:46
|
quote: Originally posted by nr
Create a new database. Don't allow users permission on that database. Create your SP in that database accessing the other database using the qualified name for the objects.
That means the users won't be able to see anything in your database but you can access the other database if you run it as sysadmin or a user with permissions.

Now that is extreme!
Damian "A foolish consistency is the hobgoblin of little minds." - Emerson |
 |
|
|
Merkin
Funky Drop Bear Fearing SQL Dude!
Australia
4970 Posts |
Posted - 11/16/2007 : 07:48:50
|
How apt.
Today's Dilbert

Damian "A foolish consistency is the hobgoblin of little minds." - Emerson |
 |
|
|
nr
SQLTeam MVY
United Kingdom
12543 Posts |
Posted - 11/16/2007 : 08:23:33
|
Steps to produce system
1. Ask the users what they want
2. produce what the users say they want
3. Deliver to the users
4. Users say that's not what they want.
1...
Not if we could just get rid of step 4, things would run a lot more smoothly and be much more fun.
========================================== Cursors are useful if you don't know sql. DTS can be used in a similar way. Beer is not cold and it isn't fizzy. |
 |
|
|
jezemine
Flowing Fount of Yak Knowledge
USA
2871 Posts |
Posted - 11/16/2007 : 09:37:46
|
sounds to me like the guy is trying to create a back door, or perhaps an easter egg.
elsasoft.org |
Edited by - jezemine on 11/16/2007 09:50:12 |
 |
|
|
X002548
Not Just a Number
15586 Posts |
|
|
Van
Constraint Violating Yak Guru
456 Posts |
Posted - 11/19/2007 : 11:38:17
|
quote: Originally posted by dataguru1971
I can only imagine what highly secretive task is being completed by a procedure that must be kept secret from everyone else--especially a co-developer.
The only reason for such secrecy is more suspect than allowing users to see it. Does it store the bonus plan calculations or something?
There really is no way to do it AND keep the procedure stored on the server.
Poor planning on your part does not constitute an emergency on my part.
Ever seen the movie "Office Space"? |
 |
|
|
spirit1
Cybernetic Yak Master
Slovenia
11741 Posts |
|
|
DonAtWork
Flowing Fount of Yak Knowledge
2111 Posts |
|
|
jezemine
Flowing Fount of Yak Knowledge
USA
2871 Posts |
Posted - 11/19/2007 : 12:52:22
|
why hide the name? because you don't want to announce the presence of a back door, of course!
elsasoft.org |
 |
|
|
spirit1
Cybernetic Yak Master
Slovenia
11741 Posts |
|
|
X002548
Not Just a Number
15586 Posts |
|
|
Michael Valentine Jones
Yak DBA Kernel (pronounced Colonel)
USA
6997 Posts |
Posted - 11/19/2007 : 14:18:40
|
create proc dbo.[ ]
as select [Empty] = 'Proc with empty name'
go
[ ]
go
drop proc dbo.[ ]
Results:
Empty
--------------------
Proc with empty name
(1 row(s) affected)
CODO ERGO SUM |
 |
|
|
jonasalbert20
Constraint Violating Yak Guru
Philippines
300 Posts |
Posted - 11/19/2007 : 23:29:28
|
quote: Originally posted by spirit1
he's a back door kind of a man 
_______________________________________________ Causing trouble since 1980 blog: http://weblogs.sqlteam.com/mladenp SSMS Add-in that does a few things: www.ssmstoolspack.com
This might sound like a back door job. But it's the owner who instructed me to do so.
quote: Originally posted by Michael Valentine Jones
create proc dbo.[ ]
as select [Empty] = 'Proc with empty name'
go
[ ]
go
drop proc dbo.[ ]
Results:
Empty
--------------------
Proc with empty name
(1 row(s) affected)
CODO ERGO SUM
This might be a little bit interesting, but still you can see the blank name.
For fast result follow this... http://weblogs.sqlteam.com/brettk/archive/2005/05/25.aspx
Want Philippines to become 1st World Country? Go for World War 3... |
 |
|
|
khtan
In (Som, Ni, Yak)
Singapore
16746 Posts |
Posted - 11/19/2007 : 23:43:14
|
yeah you are right. That might be too obvious.
Better just create the stored procedure as [this-is-not-a-secret-stored-procedure] 
KH Time is always against us
|
 |
|
|
jezemine
Flowing Fount of Yak Knowledge
USA
2871 Posts |
Posted - 11/20/2007 : 01:21:28
|
if you like the [ ] concept, you'll love this
perhaps your procs could be extended stored procedures implemented by a whitespace program.
there's nothing more fun than a code review of a whitespace program. insist the reviewers bring printouts to the meeting.
elsasoft.org |
 |
|
|
X002548
Not Just a Number
15586 Posts |
|
|
Van
Constraint Violating Yak Guru
456 Posts |
Posted - 11/20/2007 : 16:08:02
|
Hmmm, so the boss and a dba/programmer are in on it. So if they get caught, the dba/programmer is covered...just doing what the boss told him to do. Is your company's name Enron? |
 |
|
|
Vinnie881
Flowing Fount of Yak Knowledge
USA
1202 Posts |
Posted - 11/20/2007 : 19:00:45
|
Here's the answer.
You cannot create a hidden procedure -
If for some unknown reason this is imperative to achieve, then khtan has provided the best solution for this: creating the procedure on the fly, then dropping it after completion.
Another solution is to encode the name of your procedure using an encryption type of your choosing, so it is not human readable.
Why you would need this is not clear; you are really only creating a false security. An administrator will always be able to view what is going on in sql via traces and system processes.
Maybe you should take a break from your extreme programming and read a book on how to secure SQL Server. What you want to do is not how SQL is designed.
|
 |
|
|
jonasalbert20
Constraint Violating Yak Guru
Philippines
300 Posts |
Posted - 11/20/2007 : 20:09:28
|
At first, I know it's impossible for a stored procedure (to hide/make it invisible). Just curious if somebody could make it impossible to hide.
Here's what I did...
We had a total of 336 stored procedures on our accounting database. My boss, who is the OWNER of the company, specifically told me to secure the accounting database, particularly calculations. Well, it's only me who has been trusted by the OWNER. At first, I encrypted all of the stored procedures. Second, I put permissions on all. Third, jezemine's whitespace could be a big help for diversion tactics. I created 30 of those and all are dummies. Hey! Though it sounds funny, that would somehow help a lot. Fourth, a naming convention for confidential stored procedures almost similar to existing procedures; these are naming conventions not associated with their specific function or operation, just like khtan's "[this-is-not-a-secret-stored-procedure]". At some point they will be having a hard time analyzing everything.
For fast result follow this... http://weblogs.sqlteam.com/brettk/archive/2005/05/25.aspx
Want Philippines to become 1st World Country? Go for World War 3... |
 |
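An added example, not part of any post in this thread: Vinnie881's point that an administrator can always see what exists on the server, applied to the tactics described in the last post (encrypted procedures, blank names, per-procedure permissions). The two T-SQL queries use only catalog views and functions available since SQL Server 2005 and assume they are run in the database under review by a login that can see all metadata.

```sql
-- Added audit example (not code from the thread).
-- Query 1: list every stored procedure, flagging encrypted modules and names
-- that consist only of whitespace, such as the dbo.[ ] procedure shown above.
SELECT
    s.name                        AS schema_name,
    QUOTENAME(p.name)             AS proc_name,   -- brackets make blank names visible
    DATALENGTH(p.name) / 2        AS name_chars,  -- LEN() would ignore trailing spaces
    p.create_date,
    p.modify_date,
    CASE WHEN OBJECTPROPERTY(p.object_id, 'IsEncrypted') = 1
         THEN 1 ELSE 0 END        AS is_encrypted,
    -- Strip tab, LF, CR and non-breaking space; LEN() then ignores the
    -- remaining ordinary spaces, so 0 means the name is whitespace only.
    CASE WHEN LEN(REPLACE(REPLACE(REPLACE(REPLACE(p.name,
                  CHAR(9), ''), CHAR(10), ''), CHAR(13), ''), NCHAR(160), '')) = 0
         THEN 1 ELSE 0 END        AS is_blank_name
FROM sys.procedures AS p
JOIN sys.schemas    AS s ON s.schema_id = p.schema_id
ORDER BY is_blank_name DESC, is_encrypted DESC, p.create_date DESC;

-- Query 2: who holds explicit permissions on each procedure.
-- class = 1 restricts sys.database_permissions to object-level grants.
SELECT
    QUOTENAME(s.name) + '.' + QUOTENAME(p.name) AS proc_name,
    pr.name            AS grantee,
    pr.type_desc       AS grantee_type,
    dp.permission_name,
    dp.state_desc      -- GRANT, DENY, GRANT_WITH_GRANT_OPTION
FROM sys.database_permissions AS dp
JOIN sys.procedures           AS p  ON p.object_id     = dp.major_id
                                   AND dp.class        = 1
JOIN sys.schemas              AS s  ON s.schema_id     = p.schema_id
JOIN sys.database_principals  AS pr ON pr.principal_id = dp.grantee_principal_id
ORDER BY proc_name, grantee;
```

Neither encryption nor unusual naming removes a procedure from `sys.procedures`, so a baseline of this output makes later additions stand out by `create_date`.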
|