I have this c# web app that relies heavily on two dll files that i can't see nor edit. The rest of the app is visible and editable.
The app generates SQL exceptions, and i would like to see the queries sent from the DLLs. Is there a way to do that?
You can use SQL Profiler to see the queries that goes to your database.
For SQL Server 2005/2008 Express you can try AnjLab's SQL Profiler.
Another way to see what is running is SP_WHO2 'active' combined with DBCC INPUTBUFFER(SPID) or query the [sys.dm_exec_requests].
The SQL Profiler mentioned above is the preferred method.
Related
In SQL Server 2008 R2, I would like to execute a statement that I want to be invisible to the SQL Profiler or other means of observing user queries. Is there a way to control what is displayed by SQL profiler?
I would like to execute something like:
SELECT 'MyPassword' INTO #passwordTable
I don't want to show 'MyPassword' through SQL Server Profiler or other means. Any ideas?
Essentially, no, you can't. You used to be able to do this by adding a comment like this into the batch or statement:
-- sp_password
But this no longer works. Why aren't you hashing your password?
Well, you have to be a server administrator to run the SQL Profiler, so even if you could prevent it from seeing the command, the user could just go grab the password table anyway. Ideally you would be storing hashes of the passwords rather than the passwords, making any viewing from the profiler useless.
If you really want to try and keep the profiler from seeing the statements, you could try a third party tool like this: http://www.dbdefence.com/support/dbdefence-documentation/
I have no idea if it works though, or how reputable that company is.
Denis, Aaron is correct, there is nothing like an "invisible statement", you can't tweak SQL Profiler to NOT show statements: once aboard, one can see all statements running in the DB.
You need to obfuscate this sensible data before submitting it to the DB. There are some obfuscated methods available (one-way hash, symmetric algoritms, home-made methods), you need to choose the more suitable method to your needs and implement it. Unfortunatelly, there is no free-lunch to your case...
I have seen a product called DBDefence.
It hides SQL statements from the profiler completely. I do not know how do they do it.
I use free version because I have small database.
In earlier versions of SQL Server it was possible to add a comment --sp_password
but not in SQL Server 2008 and above.
I don't see the point, really. If one is able to view a query with SQL profiler, surely he could access the database to view the actual data.
The key is to not store sensitive data (like passwords) in clear text.
Preventing people to use SQL profiler will come down to applying the proper security configuration on your SQL Server.
Is there a way using sql 2008 Management Studio to look at the queries that hit the server? I'm trying to debug a program and I get messages like "Incorrect syntax near the keyword 'AND'". Since the queries are being dynamically generated it's a hassle to figure out what is going to the server.
Any help is appreciated!
There is a tool called Profiler that will tell you all information that you'll need. MSDN: http://msdn.microsoft.com/en-us/library/ms187929.aspx
I'm not aware of any method to do this using SQL Server Management Studio, but if you installed SSMS then you probably also installed the SQL Profiler. If you fire that up and run the TSQL_SPs profiler template, you can see every statement that's hitting the database.
Since the queries are being dynamically generated it's a hassle to figure out what is going to the server.
Why not just put the query that's generated into a message box, or print it to the console, or webpage, etc. ??
Trying to catch it at the DB server seems to be the long-way-around to debugging some simple ad-hoc queries.
Go to Management...Activity Monitor in the object explorer.
It's not live though, you will have to refresh it manually.
start up profiler from SSMS (Tools-->SQL Server Profiler), run a trace and select the T-SQL events
One option is to use SQL Server Profiler to run a trace. However, in some shops SQL Server permissions are set so only DBAs can run traces.
If you don't have sufficient rights to run a trace, then another option is to view the network traffic between the application that generates the SQL and box SQL Server is running on. WireShark works great for that.
I want to be able to see all the queries that has been executed on the server last 2 days etc.
see the script, date of execution, sender etc.
is there any way?
I am using SQL X 2005.
I don't believe it's possible without SQL Server Profiler running.
Yes you can use SQL-Trace to log each command submitted to the server. It's the same mechanism used by the profiler, but you do not have to have the profiler or any other tool to use it.
There are two modes in which SQL Trace can run - in-memory buffer and disk file. The former is only used by profiler, is not documented and should not be used. Use the disk-file mode. The file can later on be opened on the same or different machine and even loaded into a table for analysis.
To learn more go to this page: http://msdn.microsoft.com/en-us/library/ms191511.aspx and search for section titled "To perform monitoring tasks with SQL Trace by using Transact-SQL stored procedures"
Here is a free, open-source Profiler tool that might help.
Profiler for Microsoft SQL Server 2005/2008 Express Edition
Is there a way to tell SQL Server 2008 Express to log every query (including each and every SELECT Query!) into a file?
It's a Development machine, so the negative side effects of logging Select-Queries are not an issue.
Before someone suggests using the SQL Profiler: This is not available in Express (does anyone know if it's available in the Web Edition?) and i'm looking for a way to log queries even when I am away.
SQL Server Profiler:
File → New Trace
The "General" Tab is displayed.
Here you can choose "Save to file:" so its logged to a file.
View the "Event Selection" Tab
Select the items you want to log.
TSQL → SQL:BatchStarting will get you sql selects
Stored Procedures → RPC:Completed will get you Stored Procedures.
More information from Microsoft: SQL Server 2008 Books Online - Using SQL Server Profiler
Update - SQL Express Edition:
A comment was made that MS SQL Server Profiler is not available for the express edition.
There does appear to be a free alternative: Profiler for Microsoft SQL Server 2005 Express Edition
There is one more way to get information about queries that has been executed on MS SQL Server Express described here.
Briefly, it runs smart query to system tables and gets info(text, time executed) about queries(or cached query plans if needed). Thus you can get info about executed queries without profiler in MSSQL 2008 Express edition.
SELECT deqs.last_execution_time AS [Time], dest.TEXT AS [Query]
FROM sys.dm_exec_query_stats AS deqs
CROSS APPLY sys.dm_exec_sql_text(deqs.sql_handle) AS dest
ORDER BY deqs.last_execution_time DESC
…Late answer but I hope it would be useful to other readers here…
Using SQL Server Express with advanced auditing requirements such as this is not really optimal unless it’s only in development environment.
You can use traces (www.broes.nl/2011/10/profiling-on-sql-server-express/) to get the data you need but you’d have to parse these yourself.
There are third party tools that can do this but their cost will be quite high. Log explorer from ApexSQL can log everything but select and Idera’s compliance manager will log select statements as well but it’s cost is a lot higher.
You can log changes. SQL Server 2008 will make this especially easy with Change Data Capture. But SQL Server isn't very good at logging SELECTs.
It is theoretically possible with the profiler, but it will kill your performance. You might "get away with it" on your desktop, but I think you'll notice your machine acting slow enough to cause problems. And it definitely won't work after any kind of deployment.
One important point a couple others have missed already: unless they changed something for 2008 I didn't hear about, you can't trigger a SELECT.
Just for the record, I'm including the hints to use DataWizard's SQL Performance Profiler as a separate answer since it's really the opposite to the answer pointing at SQL Server Profiler.
There is a free trial for 14 days, but even if you need to buy it, it's only $20 for 3 servers (at the moment of writing, 2012-06-28). This seems more than fair to me considering the thousands everybody using SQL Server Express edition has saved.
I've only used the trial so far and it offers exactly what the OP was looking for: a way to trace all queries coming in to a specific database. It also offers to export a trace to an XML file. The paid version offers some more features but I haven't tried them yet.
Disclaimer: I'm just another developer messing with DBs from time to time and I'm in no way affiliated with DataWizard. I just so happened to like their tool and wanted to let people know it existed as it's helped me out with profiling my SQL Server Express installation.
I would either use triggers or use a third party software such as Red Gate to check out your SQL log files.
Seems that you can create traces using T-SQL
http://support.microsoft.com/kb/283790/
That might help.
The SQL query below can show simple query logs:
SELECT last_execution_time, text
FROM sys.dm_exec_query_stats stats
CROSS APPLY sys.dm_exec_sql_text(stats.sql_handle)
ORDER BY last_execution_time
This is how it looks like below:
In a project of mine the SQL statements that are executed against a SQL Server are failing for some unknown reason. Some of the code is already used in production so debugging it is not an easy task. Therefore I need a way to see in the database itself what SQL statements are used, as the statements are generated at runtime by the project and could be flawed when certain conditions are met.
I therefore considered the possibility to monitor the incoming statements and check myself if I see any flaws.
The database is running on a SQL Server 2005, and I use SQL server management studio express as primary tool to manipulate the database. So my question is, what is the best way to do this?
Seeing how you use the Management Studio Express, I will assume you don't have access to the MSSQL 2005 client tools. If you do, install those, because it includes the SQL profiler which does exactly what you want (and more!). For more info about that one, see msdn.
I found this a while ago, because I was thinking about the exact same thing. I have access to the client tools myself, so I don't really need to yet, but that access is not unlimited (it's through my current job). If you try it out, let me know if it works ;-)
Best way is to fire up profiler, start a trace, save the trace and then rerun the statements