I have read that Microsoft SQL Server doesn't log queries which include sp_password for security reasons. Does SQL Anywhere have a similar restriction? Do any keywords exist which prevent an SQL command from appearing in the logs?

asked 08 Apr '11, 03:06


Martin


Request level logging logs all queries and SQL statements. It does not make any attempt to determine which queries or SQL statements may contain passwords or other sensitive information.


answered 08 Apr '11, 09:09


Ian McHardy

edited 08 Apr '11, 09:09

You are referring to the transaction log?

AFAIK, password-relevant commands are logged in encrypted/obfuscated form. E.g. I just changed the dba PWD in the v12 demo db back to "sql" by using GRANT CONNECT, and the log contains this:

BEGIN TRANSACTION
go
--SQL-1030-0000958831
grant connect to dba identified by encrypted 0x01F77775C799C5969EDB51C2214932660181608B53192C9FC05F52D34C9125915C147F8977
go
--COMMIT-1030-0000958964
COMMIT WORK


Personally, I don't think the statement on MS SQL's behaviour is correct, as the non-logging would mean that this change would not be recoverable, and that should be a no-go. Therefore I guess any RDBMS must log these commands but should encrypt/hide them somehow. That's what SQL Anywhere seems to do, too.

The same reason would make a keyword that prevents the logging of statements very risky.


answered 08 Apr '11, 03:54


Volker Barth

edited 08 Apr '11, 03:55

I meant more the request level logging.

I read that using sp_password is part of intrusion techniques for MS SQL because it hides the attempts to break into the system from any request logging. This might be outdated information, but anyway it led me to the question of whether anything similar exists for SQL Anywhere.

(08 Apr '11, 06:52) Martin

Well, I can't tell what the request level logging does with these commands, but it should not be too hard to inspect that for yourself :)

Furthermore, I really can't tell on the MS SQL side - AFAIK MS SQL has no built-in tool to translate the transaction log (like SA's DBTRAN), and I don't think the SQL Profiler will show such commands in plain text.

(08 Apr '11, 07:28) Volker Barth
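
Since request level logging records statements as submitted, a log reviewer may want to find and mask cleartext passwords before the file is shared. The following is an added example, not part of any post above: it works on bare statement text (it assumes nothing about the request log's line format), its sample statements are constructed, and it leaves the `identified by encrypted 0x...` form shown in the translated transaction log untouched.

```python
import re

# "IDENTIFIED BY ENCRYPTED 0x..." is the already-obfuscated form seen in the
# translated transaction log; it is recognised but never rewritten.
_ENCRYPTED = re.compile(r"identified\s+by\s+encrypted\s+0x[0-9a-f]+", re.I)

# "IDENTIFIED BY <value>" where <value> is a single-quoted string (with ''
# escapes), a double-quoted identifier, or a bare word.
_CLEARTEXT = re.compile(
    r"(identified\s+by\s+)(?!encrypted\b)"
    r"('(?:[^']|'')*'|\"[^\"]*\"|[^\s;,]+)",
    re.I,
)


def classify(statement):
    """Return 'cleartext', 'encrypted' or 'none' for one SQL statement."""
    if _CLEARTEXT.search(statement):
        return "cleartext"
    if _ENCRYPTED.search(statement):
        return "encrypted"
    return "none"


def redact(statement):
    """Mask any cleartext password, keeping the rest of the statement."""
    return _CLEARTEXT.sub(lambda m: m.group(1) + "'***'", statement)


def findings(statements):
    """Return (index, redacted statement) for each cleartext hit."""
    return [(i, redact(s)) for i, s in enumerate(statements)
            if classify(s) == "cleartext"]


# Constructed sample statements (not taken from a real log).
SAMPLE = [
    "grant connect to dba identified by sql",
    "GRANT CONNECT TO app_user IDENTIFIED BY 'pa''ss'",
    "grant connect to dba identified by encrypted 0x01AB",
    "select * from employees",
]

if __name__ == "__main__":
    for index, masked in findings(SAMPLE):
        print(index, masked)
```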