修改MSSQL中的列名以提高安全性
[英]Mangling column names in MSSQL for security
问题描述
I recently joined a new project where the previous product manager decided to mangle column names in a majority of the tables, from what I hear this was aimed at security/protection of our code since a major part is SQL Stored Procedures. 
我最近加入了一个新项目,以前的产品经理决定修改大多数表中的列名,因为我听说这主要是为了安全/保护我们的代码,因为其中很大一部分是SQL存储过程。
Here's a simple visualization: 这是一个简单的可视化:
+-----------+------------+----+----------+-------+
| C1 | C2 | C3 | C4 | C5 |
+-----------+------------+----+----------+-------+
| John Doe | 11-11-1944 | M | Street 1 | Julie |
+-----------+------------+----+----------+-------+
| Mary Jane | 13-02-1991 | F | Street 2 | null |
+-----------+------------+----+----------+-------+
Somewhere I agree with him that we need to mangle the names, but not when we are developing rather before delivering the product to the customer. 我在某个地方同意他的观点,我们需要修改名称,但在开发产品时而不是在将产品交付给客户之前就不需要。 The application itself is in .NET C#. 应用程序本身在.NET C#中。
First, how can I recover from this? 首先,我该如何恢复? Any strategy or preferably a tool (similar to the lines of uglify for JS)? 有什么策略或最好的工具(类似于JS的uglify线)?
Second, how can I still protect the code (Stored Procedure) after unmangling the names? 其次,在取消命名后如何仍然可以保护代码(存储过程)?
3 个解决方案
解决方案1
4 已采纳 2014-06-27 11:30:39
I have no idea why anyone would think that mangling names would make the system more secure. 我不知道为什么有人会认为修改名称会使系统更安全。 If you want security, then use the database security features. 如果需要安全性,请使用数据库安全性功能。 For instance, don't allow anyone to read the tables directly, require that stored procedures be used. 例如,不允许任何人直接读取表,要求使用存储过程。 Or, encrypt the data itself, so that doesn't get read. 或者,对数据本身进行加密,以免被读取。 Normally, it is the data that is secure, not the names of the columns. 通常,安全的是数据,而不是列的名称。
That said, I don't see how you can get away from the "mangled" names during development. 就是说,我看不出如何在开发过程中摆脱“杂乱无章”的名字。 You could use views that map the mangled names to unmangled names. 您可以使用将错位名称映射到未修改名称的视图。 However, that just means that you have a bunch of code that needs to be changed when the database structure changes. 但是,这仅意味着您有一堆需要在数据库结构更改时更改的代码。 Worse, it means that the original developers will be very confused when they are trying to solve problems after release. 更糟糕的是,这意味着原始开发人员在发布后尝试解决问题时会感到非常困惑。
解决方案2
3 2014-06-27 11:28:51
With Mangling ... do you mean giving meaningful names to columns? 使用Mangling ...您是要为栏指定有意义的名称吗? If yes, then you can create a different table with same schema definition as of your posted table then just do a 如果是,那么您可以创建与已发布表具有相同架构定义的其他表,然后执行
insert into your_new_table
select c1,c2,c3,c4,c5 from
your_mangled_table
how can I still protect the code (Stored Procedure) after unmangling the names
That's won't be possible automatically. 这将不会自动发生。 You will have to ALTER your procedure code to modify the column/table name(s) to reflect the new changes. 您将必须ALTER您的过程代码,以修改列/表名以反映新的更改。
解决方案3
2 2014-06-27 11:35:21
SQL server supports stored procedure encryption. SQL Server支持存储过程加密。 I have never used it so can't comment further but this may help you. 我从未使用过它,因此无法进一步评论,但这可能会对您有所帮助。 http://msdn.microsoft.com/en-gb/library/ms187926.aspx http://msdn.microsoft.com/en-gb/library/ms187926.aspx
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.