Question

I have just noticed that SQL Profiler 2008 is not hiding trace outputs that include sp params called password. In 2005 it used to give me a message saying "The text has been replaced with this comment for security reasons".

Have they removed this security feature?

Solution

There is a difference between trapping the string "password" and genuine security holes.

Try this:

CREATE LOGIN foo WITH PASSWORD = 'bar'

In SQL 2005 profiler:

--*CREATE LOGIN-----------------------

Security is maintained.

Now, if you're sending dynamic SQL to a password column...

OTHER TIPS

But if you pass your passwords as parameters, it should display them. The solution should be storing passwords encrypted in the database. With this solution you'll need to pass your passwords encrypted.

Yes, it did use to automatically filter out "password" in Profiler. I believe this was a feature added maybe in SQL Server 2000 SP4, but I've seen a number of people wanting to switch this off as it was filtering out instances that they actually wanted to see. So whether MS have removed it or made that functionality switchable, I'm not sure - can't seem to find anything on it for 2008 atm.

Edit: I can't find any information on this regarding 2008. Everything I can find relates to people wanting to do the opposite - in SQL 2000/2005, switch that "feature" off, for which the solution has been to replace use of the "password" parameter with an alternative name like "pwd".
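Since the answers above agree that the trace tool cannot be relied on to hide password values, exported trace text can be masked before it is stored or shared. The following is an added example, not part of the original question or answers; the procedure name `dbo.usp_Login`, the parameter names and the sample rows are constructed for illustration.

```python
import re

# Matches a password-like assignment followed by a T-SQL string literal:
#   @password = N'...'  (named procedure parameter; also @pwd, @user_passwd)
#   PASSWORD = '...'    (CREATE/ALTER LOGIN, or a column named password)
# A doubled quote ('') inside the literal is treated as an escaped quote.
# Positional arguments (exec p 'alice', 'secret') carry no name and
# cannot be detected this way.
SECRET_ASSIGNMENT = re.compile(
    r"(?P<lhs>@\w*(?:password|passwd|pwd)\w*|\bPASSWORD)"
    r"\s*=\s*N?'(?:[^'\n]|'')*'",
    re.IGNORECASE,
)


def redact_trace_text(text):
    """Return (redacted_text, number_of_values_masked)."""
    return SECRET_ASSIGNMENT.subn(
        lambda m: m.group("lhs") + " = '***'", text
    )


# Constructed sample of exported TextData rows (not real trace output).
SAMPLE = "\n".join([
    "exec dbo.usp_Login @user=N'alice', @password=N'S3cret!'",
    "exec dbo.usp_Login @user=N'bob', @pwd='it''s me'",
    "CREATE LOGIN foo WITH PASSWORD = 'bar'",
    "SELECT name FROM sys.databases",
])

if __name__ == "__main__":
    redacted, hits = redact_trace_text(SAMPLE)
    print(redacted)
    print(f"masked {hits} value(s)")
```

Masking by parameter name covers the "pwd" rename mentioned above only because the pattern lists that name explicitly; any other naming convention in use has to be added to it.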

Licensed under: CC-BY-SA with attribution