 SQL Profiler


kid_on_the_block
Posting Yak Master

172 Posts

Posted - 2006-02-28 : 04:09:03
Let's say I have a username & password; I don't want people to see it being passed on to the SQL Server.

What are the ways I can prevent the parameters being passed on?

Thanks,

Regards
Kidddddddddddddddddd

tkizer
Almighty SQL Goddess

38200 Posts

Posted - 2006-02-28 : 13:32:57
Encrypt the data! Passwords should never be passed in clear text.

Tara Kizer
aka tduggan

kid_on_the_block
Posting Yak Master

172 Posts

Posted - 2006-02-28 : 22:31:41
Hmmmmmm & do you have some article to encrypt the data?

activecrypt
Posting Yak Master

165 Posts

Posted - 2006-02-28 : 23:07:34
Hi,
refer to http://www.activecrypt.com/sql-server-column-encryption.html and

http://www.xpcrypt.com/why_xpcrypt_sqlshield.pdf

:-)
Regards

Andy Davis
Sql Shield Team
--------------------------------------------
SQL Server Encryption Software
http://www.sql-shield.com

eyechart
Master Smack Fu Yak Hacker

3575 Posts

Posted - 2006-03-01 : 01:48:57
Profiler will not show passwords.



-ec

eyechart
Master Smack Fu Yak Hacker

3575 Posts

Posted - 2006-03-01 : 01:50:50
quote:
Originally posted by activecrypt

Hi,
refer to http://www.activecrypt.com/sql-server-column-encryption.html and

http://www.xpcrypt.com/why_xpcrypt_sqlshield.pdf

:-)
Regards

Andy Davis
Sql Shield Team
--------------------------------------------
SQL Server Encryption Software
http://www.sql-shield.com



Andy, I appreciate your posting, but why don't you explain how your product would be used in this situation instead of just linking to your product pages and datasheets? That would actually be a little more helpful :)




-ec

tkizer
Almighty SQL Goddess

38200 Posts

Posted - 2006-03-01 : 12:54:56
quote:
Originally posted by eyechart

Profiler will not show passwords.



-ec



It will if you are using application authentication, meaning the application connects to the database via SQL or Windows authentication, but the users get into the application with custom authentication, which is typically a row in a table.

Tara Kizer
aka tduggan

eyechart
Master Smack Fu Yak Hacker

3575 Posts

Posted - 2006-03-01 : 13:43:55
Make a stored procedure with @password as a parameter for your login. SQL Profiler will filter that out and you will never see it. This is functionality added around SQL2K SP2, I think.



-ec

tkizer
Almighty SQL Goddess

38200 Posts

Posted - 2006-03-01 : 13:50:35
I prefer to just encrypt it.

Tara Kizer
aka tduggan

eyechart
Master Smack Fu Yak Hacker

3575 Posts

Posted - 2006-03-01 : 13:50:44
quote:
Originally posted by eyechart

Make a stored procedure with @password as a parameter for your login. SQL Profiler will filter that out and you will never see it. This is functionality added around SQL2K SP2, I think.



This is actually an SP4 feature. Some people are not happy with it since Profiler will now filter out any textdata with the word 'password' in it.

Instead, you will see the following:

-- 'password' was found in the text of this event.
-- The text has been replaced with this comment for security reasons.


I'm not sure if it is worth upgrading to SP4 for this feature - but it is an option at least.



-ec
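
The filter described in the post above, as an added example that is not part of the original thread: a small model of the rule (any TextData containing 'password' is replaced whole) run over constructed trace text, showing that it hides an unrelated query while a secret passed under another parameter name stays visible. The case-insensitive match, the parameter-name heuristic, and the procedure, table and column names are assumptions.

```python
import re

# Replacement text quoted in the post above.
REDACTION = ("-- 'password' was found in the text of this event.\n"
             "-- The text has been replaced with this comment for security reasons.")

# Assumption (heuristic): secret-looking parameter names given a literal string value.
SECRET_PARAM = re.compile(r"@(\w*(?:pwd|pass|secret)\w*)\s*=\s*N?'[^']*'", re.IGNORECASE)


def profiler_view(text_data):
    """Model of the filter as the thread describes it: TextData containing
    'password' is replaced whole (case-insensitive matching is an assumption)."""
    return REDACTION if "password" in text_data.lower() else text_data


def audit(events):
    """Label each event: 'hidden' (replaced by the filter), 'leak' (still shown
    and a secret-looking parameter carries a literal), or 'shown'."""
    report = []
    for text in events:
        if profiler_view(text) == REDACTION:
            report.append(("hidden", text))
        elif SECRET_PARAM.search(text):
            report.append(("leak", text))
        else:
            report.append(("shown", text))
    return report


# Constructed sample TextData values (not taken from a real trace).
SAMPLE = [
    "exec usp_Login @user = 'kid', @password = 'S3cret!'",
    "exec usp_Login2 @user = 'kid', @pwd = 'S3cret!'",
    "SELECT PasswordExpiryDate FROM Accounts WHERE UserId = 7",
    "SELECT OrderId FROM Orders WHERE UserId = 7",
]

if __name__ == "__main__":
    for status, text in audit(SAMPLE):
        print(f"{status:6} {text}")
```

The second row is the case a keyword filter cannot cover, which is why not sending the clear-text value at all does not depend on how parameters are named.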


eyechart
Master Smack Fu Yak Hacker

3575 Posts

Posted - 2007-02-23 : 23:07:49
I found a workaround for this 'feature' that involves patching the SQL Server executable.

http://www.andreabertolotto.net/Articles/SP4BlacklistedWordsRemover.aspx

Use this at your own risk. YMMV.



-ec