How to Encrypt Stored Procedure

Question

We can precompile our (ASP.NET) websites and can publish only the IL code, so that the source code is not available to the customer.

But how do we do it for stored procedures written in SQL Server. I mean, when we give the customer the DB, he could see all my stored procedures and can modify the same... How could I protect it.

Thanks

Raja

Answer 1

An old problem. Here are a few answers I've picked up here and there:

• Encrypt the stored procedures. As has already been pointed out twice, this doesn't really work, as 5 minutes of Googling will find several hacks.

• Write the stored procedures as CLR procedures. Harder to hack than "regular" stored procedures, probably a lot more effort to produce and support.

• Submit all queries dynamically from your compiled IL code. I understand it can be done reasonably secure from SQL injection attack, but make darn sure before you release. (Maybe use Linq to do this?)

• Convert all database object names (tables, columns, procedures) to guids or random gibberish. They could read it, but that wouldn't help much.

• I am not totally conversant on encryption within SQL 2005 and up. I really don't think you can use it on code-based objects (procedures, functions, etc.), but maybe you can?

But by and large, once you give a copy of your database to someone with SysAdmin rights, they can do pretty much anything they want with it.

Answer 2

use WITH ENCRYPTION

example

CREATE PROCEDURE prTest
WITH ENCRYPTION
AS
SELECT GETDATE()

Keep in mind that it can be cracked and also make sure you have the unencrypted source code backed up

Answer 3

CREATE PROCEDURE ... WITH ENCRYPTION

但是请注意，这种加密实际上更像是混淆，如果确定您的供应商，有几种方法可以绕过它，包括DAC连接，一些第三方产品（包括RedGate SQL Prompt）以及可以在网上轻松找到的代码示例。