在网络上,看到有SQL Server 2000和SQL Server 2005 的存储过程加密和解密的方法,后来分析了其中的代码,发现它们的原理都是一样的。后来自己根据实际的应用环境,编写了两个存储过程,一个加密存储过程(sp_EncryptObject),和一个解密存储过程(sp_EncryptObject),它们可以应用于SQL Server中的储过程,函数,视图,以及触发器。
感觉这两个存储过程蛮有意思的,拿来与大家分享;如果你看过类似的,就当作重温一下也好。
用于加密的存储过程 (sp_EncryptObject) :
存储过程(sp_EncryptObject)加密的方法是在存储过程,函数,视图的“As”位置前加上“with encryption”;如果是触发器,就在“for”位置前加“with encryption”。
如果触发器是{ AFTER | INSTEAD OF} 需要修改下面代码"For"位置:
if objectproperty(object_id(@Object),'ExecIsAfterTrigger')=0 set @Replace='As' ; else set @Replace='For ';
存储过程完成代码:
1 Use master
2 Go
3 if object_ID('[sp_EncryptObject]') is not null
4 Drop Procedure [sp_EncryptObject]
5 Go
6 create procedure sp_EncryptObject
7 (
8 @Object sysname='All'
9 )
10 as
11 /*
12 当@Object=All的时候,对所有的函数,存储过程,视图和触发器进行加密
13 调用方法:
14 1. Execute sp_EncryptObject 'All'
15 2. Execute sp_EncryptObject 'ObjectName'
16 */
17 begin
18 set nocount on
19
20 if @Object <>'All'
21 begin
22 if not exists(select 1 from sys.objects a where a.object_id=object_id(@Object) And a.type in('P','V','TR','FN','IF','TF'))
23 begin
24 --SQL Server 2008
25 raiserror 50001 N'无效的加密对象!加密对象必须是函数,存储过程,视图或触发器。'
26
27 --SQL Server 2012
28 --throw 50001, N'无效的加密对象!加密对象必须是函数,存储过程,视图或触发器。',1
29
30 return
31 end
32
33 if exists(select 1 from sys.sql_modules a where a.object_id=object_id(@Object) and a.definition is null)
34 begin
35 --SQL Server 2008
36 raiserror 50001 N'对象已经加密!'
37
38 --SQL Server 2012
39 --throw 50001, N'对象已经加密!',1
40 return
41 end
42 end
43
44 declare @sql nvarchar(max),@C1 nchar(1),@C2 nchar(1),@type nvarchar(50),@Replace nvarchar(50)
45 set @C1=nchar(13)
46 set @C2=nchar(10)
47
48
49 declare cur_Object
50 cursor for
51 select object_name(a.object_id) As ObjectName,a.definition
52 from sys.sql_modules a
53 inner join sys.objects b on b.object_id=a.object_id
54 and b.is_ms_shipped=0
55 and not exists(select 1
56 from sys.extended_properties x
57 where x.major_id=b.object_id
58 and x.minor_id=0
59 and x.class=1
60 and x.name='microsoft_database_tools_support'
61 )
62 where b.type in('P','V','TR','FN','IF','TF')
63 and (b.name=@Object or @Object='All')
64 and b.name <>'sp_EncryptObject'
65 and a.definition is not null
66 order by Case
67 when b.type ='V' then 1
68 when b.type ='TR' then 2
69 when b.type in('FN','IF','TF') then 3
70 else 4 end,b.create_date,b.object_id
71
72 open cur_Object
73 fetch next from cur_Object into @Object,@sql
74 while @@fetch_status=0
75 begin
76
77 Begin Try
78
79 if objectproperty(object_id(@Object),'ExecIsAfterTrigger')=0 set @Replace='As' ; else set @Replace='For ';
80
81 if (patindex('%'+@C1+@C2+@Replace+@C1+@C2+'%',@sql)>0)
82 begin
83 set @sql=Replace(@sql,@C1+@C2+@Replace+@C1+@C2,@C1+@C2+'With Encryption'+@C1+@C2+@Replace+@C1+@C2)
84 end
85 else if(patindex('%'+@C1+@Replace+@C1+'%',@sql)>0)
86 begin
87 set @sql=Replace(@sql,@C1+@Replace+@C1,@C1+'With Encryption'+@C1+@Replace+@C1)
88 end
89 else if(patindex('%'+@C2+@Replace+@C2+'%',@sql)>0)
90 begin
91 set @sql=Replace(@sql,@C2+@Replace+@C2,@C2+'With Encryption'+@C2+@Replace+@C2)
92 end
93 else if(patindex('%'+@C2+@Replace+@C1+'%',@sql)>0)
94 begin
95 set @sql=Replace(@sql,@C2+@Replace+@C1,@C1+'With Encryption'+@C2+@Replace+@C1)
96 end
97 else if(patindex('%'+@C1+@C2+@Replace+'%',@sql)>0)
98 begin
99 set @sql=Replace(@sql,@C1+@C2+@Replace,@C1+@C2+'With Encryption'+@C1+@C2+@Replace)
100 end
101 else if(patindex('%'+@C1+@Replace+'%',@sql)>0)
102 begin
103 set @sql=Replace(@sql,@C1+@Replace,@C1+'With Encryption'+@C1+@Replace)
104 end
105 else if(patindex('%'+@C2+@Replace+'%',@sql)>0)
106 begin
107 set @sql=Replace(@sql,@C2+@Replace,@C2+'With Encryption'+@C2+@Replace)
108 end
109
110 set @type =
111 case
112 when object_id(@Object,'P')>0 then 'Proc'
113 when object_id(@Object,'V')>0 then 'View'
114 when object_id(@Object,'TR')>0 then 'Trigger'
115 when object_id(@Object,'FN')>0 or object_id(@Object,'IF')>0 or object_id(@Object,'TF')>0 then 'Function'
116 end
117 set @sql=Replace(@sql,'Create '+@type,'Alter '+@type)
118
119 Begin Transaction
120 exec(@sql)
121 print N'已完成加密对象('+@type+'):'+@Object
122 Commit Transaction
123
124 End Try
125 Begin Catch
126 Declare @Error nvarchar(2047)
127 Set @Error='Object: '+@Object+@C1+@C2+'Error: '+Error_message()
128
129
130 Rollback Transaction
131 print @Error
132 print @sql
133 End Catch
134
135 fetch next from cur_Object into @Object,@sql
136
137 end
138
139 close cur_Object
140 deallocate cur_Object
141 end
142
143 Go
144 exec sp_ms_marksystemobject 'sp_EncryptObject' --标识为系统对象
145 go
如果SQL Server 2012,请修改下面两个位置的代码。在SQL Server 2012,建议在使用throw来代替raiserror。
解密方法:
解密过程,最重要采用异或方法:
[字符1]经过函数 fn_x(x)加密变成[加密后字符1],如果我们已知[加密后字符1],反过来查[字符1],可以这样:
[字符1] = [字符2] ^ fn_x([字符2]) ^ [加密后字符1]
这里我列举一个简单的例子:
1 --创建加密函数(fn_x)
2 if object_id('fn_x') is not null drop function fn_x
3 go
4 create function fn_x
5 (
6 @x nchar(1)
7 )returns nchar(1)
8 as
9 begin
10 return(nchar((65535-unicode(@x))))
11 end
12 go
13 declare @nchar_1_encrypt nchar(1),@nchar_2 nchar(1)
14
15
16 --对字符'A'进行加密,存入变量@nchar_1_encrypt
17 set @nchar_1_encrypt=dbo.fn_x(N'A')
18
19
20 --參考的字符@nchar_2
21 set @nchar_2='x'
22
23 --算出@nchar_1_encrypt 加密前的字符
24 select nchar(unicode(@nchar_2)^unicode(dbo.fn_x(@nchar_2))^unicode(@nchar_1_encrypt)) as [@nchar_1]
25
26 /*
27 @nchar_1
28 --------------------
29 A
30 */
[注]: 从SQL Server 2000至 SQL Server 2012 采用异或方法都可以解密
用于解密的存储过程(sp_DecryptObject):
1 Use master
2 Go
3 if object_ID('[sp_DecryptObject]') is not null
4 Drop Procedure [sp_DecryptObject]
5 Go
6 create procedure sp_DecryptObject
7 (
8 @Object sysname, --要解密的对象名:函数,存储过程,视图或触发器
9 @MaxLength int=4000 --评估内容的长度
10 )
11 as
12 set nocount on
13 /* 1. 解密 */
14
15 if not exists(select 1 from sys.objects a where a.object_id=object_id(@Object) And a.type in('P','V','TR','FN','IF','TF'))
16 begin
17 --SQL Server 2008
18 raiserror 50001 N'无效的对象!要解密的对象必须是函数,存储过程,视图或触发器。'
19
20 --SQL Server 2012
21 --throw 50001, N'无效的对象!要解密的对象必须是函数,存储过程,视图或触发器。',1
22 return
23 end
24
25 if exists(select 1 from sys.sql_modules a where a.object_id=object_id(@Object) and a.definition is not null)
26 begin
27 --SQL Server 2008
28 raiserror 50001 N'对象没有加密!'
29
30 --SQL Server 2012
31 --throw 50001, N'无效的对象!要解密的对象必须是函数,存储过程,视图或触发器。',1
32 return
33 end
34
35 declare @sql nvarchar(max) --解密出来的SQL语句
36 ,@imageval nvarchar(max) --加密字符串
37 ,@tmpStr nvarchar(max) --临时SQL语句
38 ,@tmpStr_imageval nvarchar(max) --临时SQL语句(加密后)
39 ,@type char(2) --对象类型('P','V','TR','FN','IF','TF')
40 ,@objectID int --对象ID
41 ,@i int --While循环使用
42 ,@Oject1 nvarchar(1000)
43
44 set @objectID=object_id(@Object)
45 set @type=(select a.type from sys.objects a where a.object_id=@objectID)
46
47 declare @Space4000 nchar(4000)
48 set @Space4000=replicate('-',4000)
49
50 /*
51 @tmpStr 会构造下面的SQL语句
52 -------------------------------------------------------------------------------
53 alter trigger Tr_Name on Table_Name with encryption for update as return /**/
54 alter proc Proc_Name with encryption as select 1 as col /**/
55 alter view View_Name with encryption as select 1 as col /**/
56 alter function Fn_Name() returns int with encryption as begin return(0) end/**/
57 */
58 set @Oject1=quotename(object_schema_name(@objectID))+'.'+quotename(@Object)
59 set @tmpStr=
60 case
61 when @type ='P ' then N'Alter Procedure '+@Oject1+' with encryption as select 1 as column1 '
62 when @type ='V ' then N'Alter View '+@Oject1+' with encryption as select 1 as column1 '
63 when @type ='FN' then N'Alter Function '+@Oject1+'() returns int with encryption as begin return(0) end '
64 when @type ='IF' then N'Alter Function '+@Oject1+'() returns table with encryption as return(Select a.name from sys.types a) '
65 when @type ='TF' then N'Alter Function '+@Oject1+'() returns @t table(name nvarchar(50)) with encryption as begin return end '
66 else 'Alter Trigger '+@Oject1+'on '+quotename(object_schema_name(@objectID))+'.'+(select Top(1) quotename(object_name(parent_id)) from sys.triggers a where a.object_id=@objectID)+' with encryption for update as return '
67 end
68
69
70 set @tmpStr=@tmpStr+'/*'+@Space4000
71 set @i=0
72 while @i < (ceiling(@MaxLength*1.0/4000)-1)
73 begin
74 set @tmpStr=@tmpStr+ @Space4000
75 Set @i=@i+1
76 end
77 set @tmpStr=@tmpStr+'*/'
78
79 ------------
80 set @imageval =(select top(1) a.imageval from sys.sysobjvalues a where a.objid=@objectID and a.valclass=1)
81
82 begin tran
83 exec(@tmpStr)
84 set @tmpStr_imageval =(select top(1) a.imageval from sys.sysobjvalues a where a.objid=@objectID and a.valclass=1)
85
86 rollback tran
87
88 -------------
89 set @tmpStr=stuff(@tmpStr,1,5,'create')
90 set @sql=''
91 set @i=1
92 while @i<= (datalength(@imageval)/2)
93 begin
94 set @sql=@sql+isnull(nchar(unicode(substring(@tmpStr,@i,1)) ^ unicode(substring(@tmpStr_imageval,@i,1))^unicode(substring(@imageval,@i,1)) ),'')
95 Set @i+=1
96 end
97
98 /* 2. 列印 */
99
100
101 declare @patindex int
102 while @sql>''
103 begin
104
105 set @patindex=patindex('%'+char(13)+char(10)+'%',@sql)
106 if @patindex >0
107 begin
108 print substring(@sql,1,@patindex-1)
109 set @sql=stuff(@sql,1,@patindex+1,'')
110 end
111 else
112 begin
113 set @patindex=patindex('%'+char(13)+'%',@sql)
114 if @patindex >0
115 begin
116 print substring(@sql,1,@patindex-1)
117 set @sql=stuff(@sql,1,@patindex,'')
118 end
119 else
120 begin
121 set @patindex=patindex('%'+char(10)+'%',@sql)
122 if @patindex >0
123 begin
124 print substring(@sql,1,@patindex-1)
125 set @sql=stuff(@sql,1,@patindex,'')
126 end
127 else
128 begin
129 print @sql
130 set @sql=''
131 end
132 end
133 end
134
135 end
136
137 Go
138 exec sp_ms_marksystemobject 'sp_DecryptObject' --标识为系统对象
139 go
如果SQL Server 2012,请修改下面两个位置的代码。方法类似于前面的加密过程:
搭建测试环境:
在一个测试环境中(DB: Test),先执行上面的加密存储过程(sp_EncryptObject)和解密存储过程(sp_EncryptObject);再创建两个表:TableA & TableB
use test go --创建表: TableA & TableB if object_id('myTableA') is not null drop table myTableA if object_id('myTableB') is not null drop table myTableB go create table myTableA (ID int identity,data nvarchar(50),constraint PK_myTableA primary key(ID)) create table myTableB (ID int ,data nvarchar(50),constraint PK_myTableB primary key(ID)) go
接下来,我们要创建6个未加密的对象(对象类型包含 'P','V','TR','FN','IF','TF'):
1.视图(myView):
1 if object_id('myView') is not null drop view myView
2 go
3 create view myView
4 As
5 select * from TableA;
6 go
2.触发器(MyTrigger):
if object_id('MyTrigger') is not null drop Trigger MyTrigger
go
create trigger MyTrigger
on TableA
for update
As
insert into TableB(ID,data) select a.ID,a.Data From Inserted a
go
3.存储过程(MyProc):
if object_id('MyProc') is not null drop proc MyProc
go
create proc MyProc
(
@data nvarchar(50)
)
As
insert into TableA(data) values(@data)
go
4.用户定义表值函数(TF)(MyFunction_TF):
1 if object_id('MyFunction_TF') is not null drop function MyFunction_TF
2 go
3 create function MyFunction_TF
4 (
5 )
6 returns @t table
7 (
8 id int,
9 data nvarchar(50)
10 )
11 As
12 begin
13 insert @t(id,data) select id,data from TableA
14 return
15 end
16 go
5.内联表值函数(IF) (MyFunction_IF):
1 if object_id('MyFunction_IF') is not null drop function MyFunction_IF
2 go
3 create function MyFunction_IF
4 (
5 )
6 returns table
7 As
8 return(select top(3) id, data from TableA order by id desc)
9 go
6.标量函数(FN)(MyFunction_FN):
1 if object_id('MyFunction_FN') is not null drop function MyFunction_FN
2 go
3 create function MyFunction_FN
4 (
5 )
6 returns nvarchar(50)
7 As
8 begin
9 return(select top(1) data from TableA order by id desc)
10 end
11 go
当执行完了上面的1-6步骤的脚本,我们通过查询系统视图sys.sql_modules,可以看到未加密前的定义信息:
1 select b.name as object,b.type,a.definition
2 from sys.sql_modules a
3 inner join sys.objects b on b.object_id=a.object_id
4 where b.create_date>=convert(date,getdate())
5 order by b.object_id
加密测试:
下面我就通过调用加密存储过程(sp_EncryptObject),一次性对它们进行加密:
use test go exec sp_EncryptObject 'all' go
当我们再查回系统视图sys.sql_modules,会发现definition列返回的是null值,说明定义内容已经给加密:
解密测试:
解密过程,必须在DAC连接SQL Server,我们这里例子是从 SSMS(SQL Server Management Studio) 查询编辑器启动 DAC,如图:
解密存储过程(sp_DecryptObject),只能一次对一个存储过程、函数、视图或触发器,进行解密:
use test go exec sp_DecryptObject MyTrigger go
当定义内容长度超过4000,我们可以指定@MaxLength的值,如:
exec sp_DecryptObject fn_My,20000 go
这里(fn_My)是一个函数,定义内容超过了8000:
... ...
小结:
虽然,上面的脚本,我已经在SQL Server 2008 R2 和SQL Server 2012测试过,但无法避免一些未知错误 。