How to obfuscate SQL Sprocs?

Question

How to obfuscate SQL Sprocs?

Is there a way to hide / protect / obfuscate MS SQL stored procedures?

+7

sql stored-procedures obfuscation

user32183 Jan 7 '09 at 16:03

source share

10 answers

Galwegian · Answer 1 · 2009-01-07T16:06:57+0000

I can vaguely understand the obfuscation code if it is extremely advanced in what it does, but I think that obfuscating your SQL may not be worth the trouble.

Anyway, many of the SQL I've seen here gets confused as standard.

Chris farmer · Answer 2 · 2009-01-07T16:09:45+0000

If you have to hide it, what about the WITH WITH ENCRYPTION clause?

http://blog.sqlauthority.com/2007/07/01/sql-server-explanation-of-with-encryption-clause-for-stored-procedure-and-user-defined-functions/

Jeremy · Answer 3 · 2009-01-07T16:10:32+0000

See the ENCRYPTION parameter for the CREATE PROCEDURE statement.

http://msdn.microsoft.com/en-us/library/ms187926.aspx

Matt rogish · Answer 4 · 2009-01-07T16:20:21+0000

Not. At least not in a way that was impossible. SQL Server 2000 "With ENCRYPTION" can be undone to get the source code. Pseudocode and T-SQL script that illustrates this: http://education.sqlfarms.com/education/ShowPost.aspx?PostID=783

Note. I have not tried it with SQL 2005 or higher, but I assume that it is also vulnerable. According to MSDN docs:

ENCRYPTION Indicates that SQL Server will convert the source code of the CREATE PROCEDURE statement to obfuscated format.

Emphasis on mine.

jason saldo · Answer 5 · 2009-01-07T16:46:43+0000

Easily reversible if you know, but scare most people picking code. hex encodes your sproc logic and then executes with EXEC (@hexEncodedString).
see this post .

Kev · Answer 6 · 2009-01-07T16:12:05+0000

When creating a stored procedure, you can use the ENCRYPTION clause.

This will rely on not leaving the original SQL on the client machine.

See here for more details:

http://msdn.microsoft.com/en-us/library/ms187926(SQL.90).aspx

Jon galloway · Answer 7 · 2009-01-07T16:27:20+0000

One option is to place only the sensitive parts of the stored procedure in the CLR stored procedure and obfuscate the assembly using a professional obfuscation product.

http://msdn.microsoft.com/en-us/library/ms131094.aspx

InbetweenWeekends · Answer 8 · 2016-03-18T14:24:15+0000

Old post, I know. But I came from the search "Why should I mess up SQL?" I just installed a free product called ApexSQL Refactor (without affiliation) that offers an obfuscation component.

It offers several different options to make it easier to read your code. I was not sure why I needed such a function, as others noted the possibility of encrypting your stored procedures. In any case, this is an example of the output that it can return from the obfuscation function.

CrEAtE Procedure spInsertOrUpdateProduct @ProductNumber nVarChar(25), @ListPrice Money aS IF exIsTS(selECt * FROm Production.Product WHere ProductNumber=@ProductNumber AnD ListPrice>1000) uPdatE Production. Product sET ListPrice=(ListPrice-100) where ProductNumber= @ProductNumber elsE INSerT intO Production.Product(ProductNumber, ListPrice) SelECT @ProductNumber,@ListPrice GO SElEct * fRoM Production.Product gO iNsERT iNTo Production.UnitMeasure( UnitMeasureCode,Name,ModifiedDate) vAlUeS(N'FT2',N'Square Feet', '20080923'); Go

S. Lott · Answer 9 · 2009-01-07T16:08:26+0000

You can always write regular code in C # (or VB) and save it outside the database in a DLL.

Then you need not worry about obfuscating your SQL.

regex · Answer 10 · 2009-01-07T16:11:25+0000

If you are really worried that someone gets into the database and sees the source of the procedure, then, as S. Lott said, you can transfer the procedure to C #. I would recommend LINQ.

However, the database itself should probably be protected from people accessing the code for procedures that should not be. You can restrict user or group rights to only have EXECUTE access to proc, if necessary.

How to obfuscate SQL Sprocs?

More articles: