In SQL Server 2008 R2, I would like to execute a statement that I want to be invisible to the SQL Profiler or other means of observing user queries. Is there a way to control what is displayed by SQL profiler?
I would like to execute something like:
SELECT 'MyPassword' INTO #passwordTable
I don't want to show 'MyPassword' through SQL Server Profiler or other means. Any ideas?
Essentially, no, you can't. You used to be able to do this by adding a comment like this into the batch or statement:
-- sp_password
But this no longer works. Why aren't you hashing your password?
Well, you have to be a server administrator to run the SQL Profiler, so even if you could prevent it from seeing the command, the user could just go grab the password table anyway. Ideally you would be storing hashes of the passwords rather than the passwords, making any viewing from the profiler useless.
If you really want to try and keep the profiler from seeing the statements, you could try a third party tool like this: http://www.dbdefence.com/support/dbdefence-documentation/
I have no idea if it works though, or how reputable that company is.
Denis, Aaron is correct, there is nothing like an "invisible statement", you can't tweak SQL Profiler to NOT show statements: once aboard, one can see all statements running in the DB.
You need to obfuscate this sensible data before submitting it to the DB. There are some obfuscated methods available (one-way hash, symmetric algoritms, home-made methods), you need to choose the more suitable method to your needs and implement it. Unfortunatelly, there is no free-lunch to your case...
I have seen a product called DBDefence.
It hides SQL statements from the profiler completely. I do not know how do they do it.
I use free version because I have small database.
In earlier versions of SQL Server it was possible to add a comment --sp_password
but not in SQL Server 2008 and above.
I don't see the point, really. If one is able to view a query with SQL profiler, surely he could access the database to view the actual data.
The key is to not store sensitive data (like passwords) in clear text.
Preventing people to use SQL profiler will come down to applying the proper security configuration on your SQL Server.
Related
I have a database which I didn't make and now I have to work on that database. I have to insert some information, but some information must be saved in not one table but several tables. I
can use the program which have made the database and insert information with that. While I am doing that, I want to see that which tables are updated. I heard that SQL Server Management Studio has a tool or something which make us see changes.
Do you know something like that? If you don't, how can I see changes on the database's tables? If you don't understand my question, please ask what I mean. Thanks
Edit : Yes absolutely Sql Profiler is what I want but I am using SQL Server 2008 R2 Express and in Express edition, Sql Profiler tool does not exist in Tools menu option. Now I am looking for how to add it.
Edit 2 : Thank you all especially #SchmitzIT for his pictured answer. I upgraded my SQL Server Management Studio from 2008 R2 express edition to 2012 Web Developer Edition. SQL Profiller Trace definitely works.
I agree with #Lmu92. SQL Server Profiler is what you want.
From SQL Server Management Studio, click on the "Tools" menu option, and then select to use "SQL SErver Profiler" to launch the tool. The profier will allow you to see statements executed against the database in real time, along with statistics on these statements (time spent handling the request, as well as stats on the impact of a statement on the server itself).
The statistics can be a real help when you're troubleshooting performance, as it can help you identify long running queries, or queries that have a significant impact on your disk system.
On a busy database, you might end up seeing a lot of information zip by, so the key to figuring out what's happening behind the scenes is to ensure that you implement proper filtering on the events.
To do so, after you connect Profiler to your server, in the "Trace properties" screen, click the "Events Selection" tab:
You probably are good to uncheck the boxes in front of the "Audit" columns, as they are not relevant for your specific issue. However, the important bit on this screen is the "Column filters" button:
This is where you will be able to implement filters that only show you the data you want to see. You can, for instance, add a filter to the "ApplicationName", to ensure you only see events generated by an application with the name you specify. Simply click on the "+" sign next to "Like", and you will be able to fill in an application name in the textbox.
You can choose to add additional filters if you want (like "NTUsername" to filter by AD username, or "LoginName" for an SQL Server user.
Once you are satisfied with the results, click "OK", and you will hopefully start seeing some results. Then you can simply use the app to perform the task you want while the profiler trace runs, and stop it once you are done.
You can then scroll through the collected data to see what exactly it has been doing to your database. Results can also be stored as a table for easy querying.
Hope this helps.
Although you describe in your question what you want, you don't explain why you want it. This would be helpful to properly answer your question.
ExpressProfiler is a free profiler that might meet your needs.
If you're looking to track DDL changes to your database, rather than all queries made against it, you might find SQL Lighthouse useful, once it is released in Beta shortly.
Disclosure: I work for Red Gate.
Do you know something like that? If you don't, how can I see changes
on the database's tables? If you don't understand my question, please
ask what I mean. Thanks
Red gate makes a lot of great tools. You can always make a database comparison. That will require that you make a backup, then doing whatever you want to do, and the compare the two databases, there is a free trial, works perfect to compare which tables has changed (deleted/inserted and modified)
http://www.red-gate.com/products/sql-development/sql-data-compare/
what you might maybe be looking for is "SQL Server Profiler". It's a SQL monitor where you can see all the SQL queries running real time.
http://technet.microsoft.com/en-us/library/aa173918(v=sql.80).aspx
Hope that helps you.
As far as I know SQL Profiler tool is not included in the Express edition of SQL Server (only Developer edition contains it). Maybe you can purchase it separately.
If you want you can try this https://sites.google.com/site/sqlprofiler/ free tool for profiling. Maybe it has limitations, but it you can check it.
There are also some profiling tools for integration with Visual studio, and also the ReSharper has InteliTrace (if you are using the tool at all).
Cheers.
I had a program using SQLconnector to connect to MS SQL 2012, I want know SQL query execution time. I am aware there is a SQL Server Profiler, but I can't configure it correctly to capture any query execution time. I am also aware that I can add timer within program but i can not change code easily.
All advice welcome. thanks
AFAIK SQLConnector is for MySQL, so I don't understand how you can work with SQLServer 2012.
If you need profiling in SQLServer - there is nothing better than SQL Server Profiler.
I can't configure it correctly to capture any query execution time
It must be easy:
Event Selecion - you need SQL:Stmt Completed (uncheck everything else). You need to select duration.
Column Filters - create filter by Login Name (make special login if you need it), TextData, Spid (if you can figure out how to obtain it)
This is not supported by default but you can do this using several techniques depending on what are your needs.
Do you need to capture every statement including SELECT? If yes then I suggest you still use SQL Server Profiler or SQL Server Traces
If you only need to capture DML statements (excluding SELECT) you can try setting up triggers on tables you want to audit.
There are also DDL triggers that can help you catch DDL statements (as far as I know there is no way to capture all DDL statements using DDL triggers).
So, there are many options here but it all depends on what are your needs.
How can I move a db from one server to another (I only have access to the database with mylittleadmin). Like the title says, I guess the "easiest" way would be by generating SQL with a stored procedure.
I'm using SQL Server 2008 on both servers.
In the codeplex project Extreme T-SQL Script I have written T-SQL procedures to script the content of tables. I just abandoned its use myself in favor of ssms tools pack, but the later is no option for you.
When using these procedures in SSMS or VS the main problem is that Microsoft has limits on max column width and max length of output from Print-Statements.
I can't predict, which such limits exist when using mylittleadmin.
It depends on which datatypes and which varchar length you are using. Writing scripts that handle special needs is possible.
Further you need something to script the database objects first and it might be difficult to find something for that, as most people just use SSMS for this purpose. sp_helptext might help to script procedures.
In SSMS, you have the ability to copy or move a database from one instance of SQL Server to another. You can right-click on the database in SSMS, choose Tasks and then Copy Database...
Or, of course, you can simply backup the DB and restore on your target server.
(I have no idea what 'myLitleAdmin' is that you referred to)
You dont need to make a stored procedure. The easiest way to do it is by right click on your database -->task-->back up and create a backup.
after that you can restore your database on the other server.
If you have a license for myLittleAdmin then do as their web states. It says
"Purchasing a license gives you unlimited mail support.
Send your request at support#mylittletools.net"
Actually I found out that you could make a backup of the database in myLittleAdmin. The resulting .bak file was then emailed to me as a link.
Thanks for the comments though, voted up some of them :)
I need to encrypt whole databse, not any specific column in the database. This should be done in SQL 2008 or in SQL 2008 Express edition
If any one can, do favour for this
Check this might help you to achive your task :
Understanding Transparent Data Encryption
Using Transparent Data Encryption in SQL Server 2008
Depending on your needs, something like TrueCrypt might do the trick, where you store your data files on an encrypted share. I've never tried it, but I would expect it to work - but some quick Googling shows that people have had problems with it. So if you try this, proceed with caution.
In a project of mine the SQL statements that are executed against a SQL Server are failing for some unknown reason. Some of the code is already used in production so debugging it is not an easy task. Therefore I need a way to see in the database itself what SQL statements are used, as the statements are generated at runtime by the project and could be flawed when certain conditions are met.
I therefore considered the possibility to monitor the incoming statements and check myself if I see any flaws.
The database is running on a SQL Server 2005, and I use SQL server management studio express as primary tool to manipulate the database. So my question is, what is the best way to do this?
Seeing how you use the Management Studio Express, I will assume you don't have access to the MSSQL 2005 client tools. If you do, install those, because it includes the SQL profiler which does exactly what you want (and more!). For more info about that one, see msdn.
I found this a while ago, because I was thinking about the exact same thing. I have access to the client tools myself, so I don't really need to yet, but that access is not unlimited (it's through my current job). If you try it out, let me know if it works ;-)
Best way is to fire up profiler, start a trace, save the trace and then rerun the statements