Obfuscating SQL stored procs

Paul Aspinall

Hi
I have developed a C# app which uses SQL Stored procs... which I plan to
deploy as a single / low user version on MSDE.

My SP's all have 'meaningful' names. However, as I want to protect my app as
much as possible, is it possible to 'obfuscate' the SQL SP names??
I know I could do this manually, but then I may lose the 'ease of
development' due to meaningless SP names...

I already plan to encrypt the SP's themselves, but want to obfuscate the
names also.

I would, ideally, like to run my code through an obfuscator, and have it
obfuscate code, and also obfuscate the SP's to a 'deploy' DB.

Does anyone know of a suitable package??

Thanks


Paul
 
John Puopolo

Paul:

One thing you could do is have the real SP names in a resource file that you
encrypt. The application then reads the SP name (accessing it by number,
perhaps) from the resource file, decrypts it and then generates the call to
the SP.

John
 
Andrea Montanari

hi Paul,
Paul said:
> Hi
> I have developed a C# app which uses SQL Stored procs... which I plan
> to deploy as a single / low user version on MSDE.
>
> My SP's all have 'meaningful' names. However, as I want to protect my
> app as much as possible, is it possible to 'obfuscate' the SQL SP
> names??
> I know I could do this manually, but then I may lose the 'ease of
> development' due to meaningless SP names...
>
> I already plan to encrypt the SP's themselves, but want to obfuscate
> the names also.
>
> I would, ideally, like to run my code through an obfuscator, and have
> it obfuscate code, and also obfuscate the SP's to a 'deploy' DB.
>
> Does anyone know of a suitable package??

unfortunately nothing is available out of the box... so you have to rely on
storing encrypted object names in the database schema and directly call
those encrypted names from your application...
be warned that object names must follow a defined naming convention, as you
can see at
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/acdata/ac_8_con_03_6e9e.asp
--
Andrea Montanari (Microsoft MVP - SQL Server)
http://www.asql.biz/DbaMgr.shtm http://italy.mvps.org
DbaMgr2k ver 0.10.0 - DbaMgr ver 0.56.0
(my vb6+sql-dmo little try to provide MS MSDE 1.0 and MSDE 2000 a visual
interface)
--------- remove DMO to reply
 
dbmonitor

Can you use the encryption option with creating procedures for MSDE?

i.e. CREATE PROCEDURE .... WITH ENCRYPTION AS
.....

This will allow the procedures to be executed but the code remains
hidden.
 
Greg Low [MVP]

Hi David,

You can but the problem he's suggesting is obfuscating the names of the
procs, not their code.

Regards,
 
Paul Aspinall

Thanks for the reply, but I did say that I would be encrypting the SP's
anyway.... I'm looking to obfuscate the names....
 
dbmonitor

If the procedures are encrypted, you will need the code stored outside
of SQL Server.

You could have one large text file containing all stored procedure
creation SQL on it. Then, if you know anything about UltraEdit, you
could have one search/ replace using regular expressions that replaces
all stored procedures with an alternate name. Or, yet again, using
UltraEdit again, you could write a macro that replaces all occurrences
of procedures with something else.

You can run the macro against the file prior to creating the
procedures.

I take it that you have thought about the fact that any interface that
uses the procedures will have to be changed to also use the new
procedure names.

David Rowland
For a good user and performance monitor, check DBMonitor
http://dbmonitor.tripod.com
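
The rename-before-create step dbmonitor describes, combined with the identifier rules Andrea mentions, can be scripted as a build step; this is an added example, not code posted by anyone in the thread. It derives each deploy-time name with a keyed hash, so the development database keeps its meaningful names. The sample script, `BUILD_KEY` and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import re

# Constructed sample deployment script (not from the thread).
SAMPLE_SCRIPT = """\
CREATE PROCEDURE dbo.usp_GetOrders @CustomerId int WITH ENCRYPTION AS
    SELECT OrderId FROM Orders WHERE CustomerId = @CustomerId
GO
CREATE PROC [usp_GetOrdersSummary] WITH ENCRYPTION AS
    EXEC dbo.usp_GetOrders 1
GO
"""
BUILD_KEY = b"constructed-build-key"  # hypothetical per-release secret

# Captures the bare procedure name from "CREATE PROC[EDURE] [owner.]name".
CREATE_RE = re.compile(
    r"\bCREATE\s+PROC(?:EDURE)?\s+(?:\[?\w+\]?\.)?\[?(\w+)\]?", re.IGNORECASE)

def obfuscated_name(name, key):
    """Stable, meaningless name that is still a valid regular identifier."""
    digest = hmac.new(key, name.lower().encode(), hashlib.sha256).hexdigest()
    return "p" + digest[:24]  # leading letter: identifiers cannot start with a digit

def build_mapping(script, key):
    """Map every procedure defined in the script to its deploy-time name."""
    mapping = {n.lower(): obfuscated_name(n, key) for n in CREATE_RE.findall(script)}
    if len(set(mapping.values())) != len(mapping):
        raise ValueError("name collision; lengthen the digest prefix")
    return mapping

def rewrite(script, mapping):
    """Rename definitions and EXEC calls, matching whole identifiers only."""
    if not mapping:
        return script
    names = sorted(mapping, key=len, reverse=True)
    pattern = re.compile(
        r"(?<![\w@#$])(" + "|".join(map(re.escape, names)) + r")(?![\w@#$])",
        re.IGNORECASE)
    # Limitation: also renames matches inside string literals and comments.
    return pattern.sub(lambda m: mapping[m.group(1).lower()], script)

if __name__ == "__main__":
    mapping = build_mapping(SAMPLE_SCRIPT, BUILD_KEY)
    print(rewrite(SAMPLE_SCRIPT, mapping))
    print(mapping)  # the application's call sites need this same mapping
```

The returned mapping is what the application has to consume, for example as the contents of the encrypted resource file John suggests.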
 
ermedin

Paul,

You might want to look into temporary stored procedures (local or global).
We have used them in the past by embedding them from VB GUI.
MS have few articles re: pros and cons of using them.

Cheers,
Ermedin
 
