Re: Rename Extended stored procedures

From: Gert E.R. Drapers (GertD@SQLDev.Net)
Date: 03/25/03


From: "Gert E.R. Drapers" <GertD@SQLDev.Net>
Date: Tue, 25 Mar 2003 11:21:05 -0800


This is not really possible, because the name of the XP is the exported
entrypoint of the DLL that hosts the XP.

My advice would be to revoke rights and create stored procedures that wrap
the XP. This gives you a couple of advantages:
1) You have better parameter validation, because SP's are strongly typed,
where XP's allow overloaded parameter type passing
2) You can name them differently, preferably not starting with sp_ so that
you have to use fully qualified names to execute them.
3) You can add logging to the SP's to track who is invoking the XP

Just some thoughts.

GertD@SQLDev.Net
Please reply only to the newsgroups.
This posting is provided "AS IS" with no warranties, and confers no rights.
You assume all risk for your use.
Copyright © SQLDev.Net 1991-2003 All rights reserved.

"sharpeyez" <simon@ris.org.uk> wrote in message
news:uzjdyUr8CHA.3236@TK2MSFTNGP11.phx.gbl...
> Hi all,
>
> I've read on some sql security sites that dropping stored procedures is
> recommended for security. This seems a bit extreme to me! After all it
> suggests that you deprive yourself and your team from some of the
> functionality of xp's. This seems to me to give in to the people who are
> creating the problem. Is it possible to rename all xp's to a convention of
> your choice? Does this solve the problem as no one will know what they are
> called? If it's possible, what happens when you patch the server?
>
> Any tips appreciated
>
> sharpeyez
>
>
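
A sketch of the wrapper approach suggested in the reply above, as an added example that is not part of the original post or the poster's own code. It assumes SQL Server 2005 or later (for `EXECUTE AS OWNER` and `ORIGINAL_LOGIN()`) and uses `xp_fileexist` only as a stand-in, since the thread names no particular XP; the table, procedure, role and directory names are hypothetical.

```sql
-- Added example. All object names, the role and the directory are hypothetical.
USE master;
GO
-- Revoke direct rights on the XP so callers must go through the wrapper.
REVOKE EXECUTE ON xp_fileexist FROM public;
GO
-- Audit table: who called the wrapper, with what argument, and the outcome.
CREATE TABLE dbo.XpAuditLog (
    LogId     int IDENTITY(1,1) PRIMARY KEY,
    CalledAt  datetime      NOT NULL DEFAULT GETDATE(),
    LoginName sysname       NOT NULL,
    ProcName  sysname       NOT NULL,
    Argument  nvarchar(260) NULL,
    Outcome   varchar(20)   NOT NULL
);
GO
-- Wrapper: not prefixed sp_, so it is called as master.dbo.CheckImportFileExists.
CREATE PROCEDURE dbo.CheckImportFileExists
    @FileName nvarchar(100),   -- typed parameter: a bare file name only
    @Exists   bit OUTPUT
WITH EXECUTE AS OWNER          -- caller needs no rights on the XP itself
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @path nvarchar(260), @rc int, @outcome varchar(20);
    SET @Exists = 0;

    -- Validation: reject empty names, "..", and any character outside the
    -- allow-list (the exact letter range depends on the database collation).
    IF @FileName IS NULL OR @FileName = N''
       OR @FileName LIKE N'%[^A-Za-z0-9_.-]%'
       OR @FileName LIKE N'%..%'
        SET @outcome = 'rejected';
    ELSE
    BEGIN
        SET @path = N'D:\Import\' + @FileName;  -- fixed directory (assumed)
        EXEC master.dbo.xp_fileexist @path, @rc OUTPUT;
        SET @Exists = CASE WHEN @rc = 1 THEN 1 ELSE 0 END;
        SET @outcome = 'executed';
    END

    -- Logging: ORIGINAL_LOGIN() records the real caller despite EXECUTE AS.
    INSERT dbo.XpAuditLog (LoginName, ProcName, Argument, Outcome)
    VALUES (ORIGINAL_LOGIN(), N'CheckImportFileExists', @FileName, @outcome);

    IF @outcome = 'rejected'
        RAISERROR('Invalid file name.', 16, 1);
END
GO
GRANT EXECUTE ON dbo.CheckImportFileExists TO ImportOperators;
```

Rejected calls are written to the log before the error is raised, so probing with malformed input leaves a record alongside legitimate use.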


