• 企业400电话
  • 微网小程序
  • AI电话机器人
  • 电商代运营
  • 全 部 栏 目

    企业400电话 网络优化推广 AI电话机器人 呼叫中心 网站建设 商标✡知产 微网小程序 电商运营 彩铃•短信 增值拓展业务
    SQL Server储过程加密和解密原理深入分析
    开始
    --------------------------------------------------------------------------------
    在网络上,看到有SQL Server 2000和SQL Server 2005 的存储过程加密和解密的方法,后来分析了其中的代码,发现它们的原理都是一样的。后来自己根据实际的应用环境,编写了两个存储过程,一个加密存储过程(sp_EncryptObject),和一个解密存储过程(sp_EncryptObject),它们可以应用于SQL Server中的储过程,函数,视图,以及触发器。
    感觉这两个存储过程蛮有意思的,拿来与大家分享;如果你看过类似的,就当作重温一下也好。
    用于加密的存储过程 (sp_EncryptObject) :
    --------------------------------------------------------------------------------
    存储过程(sp_EncryptObject)加密的方法是在存储过程,函数,视图的“As”位置前加上“with encryption”;如果是触发器,就在“for”位置前加“with encryption”。
    如果触发器是{ AFTER | INSTEAD OF} 需要修改下面代码"For"位置:
    复制代码 代码如下:

    if objectproperty(object_id(@Object),'ExecIsAfterTrigger')=0 set @Replace='As' ; else set @Replace='For ';

    存储过程完成代码:
    复制代码 代码如下:

    Use master
    Go
    if object_ID('[sp_EncryptObject]') is not null
    Drop Procedure [sp_EncryptObject]
    Go
    create procedure sp_EncryptObject
    (
    @Object sysname='All'
    )
    as
    /*
    当@Object=All的时候,对所有的函数,存储过程,视图和触发器进行加密
    调用方法:
    . Execute sp_EncryptObject 'All'
    . Execute sp_EncryptObject 'ObjectName'
    */
    begin
    set nocount on
    if @Object >'All'
    begin
    if not exists(select 1 from sys.objects a where a.object_id=object_id(@Object) And a.type in('P','V','TR','FN','IF','TF'))
    begin
    --SQL Server 2008
    raiserror 50001 N'无效的加密对象!加密对象必须是函数,存储过程,视图或触发器。'
    --SQL Server 2012
    --throw 50001, N'无效的加密对象!加密对象必须是函数,存储过程,视图或触发器。',1
    return
    end
    if exists(select 1 from sys.sql_modules a where a.object_id=object_id(@Object) and a.definition is null)
    begin
    --SQL Server 2008
    raiserror 50001 N'对象已经加密!'
    --SQL Server 2012
    --throw 50001, N'对象已经加密!',1
    return
    end
    end
    declare @sql nvarchar(max),@C1 nchar(1),@C2 nchar(1),@type nvarchar(50),@Replace nvarchar(50)
    set @C1=nchar(13)
    set @C2=nchar(10)
    declare cur_Object
    cursor for
    select object_name(a.object_id) As ObjectName,a.definition
    from sys.sql_modules a
    inner join sys.objects b on b.object_id=a.object_id
    and b.is_ms_shipped=0
    and not exists(select 1
    from sys.extended_properties x
    where x.major_id=b.object_id
    and x.minor_id=0
    and x.class=1
    and x.name='microsoft_database_tools_support'
    )
    where b.type in('P','V','TR','FN','IF','TF')
    and (b.name=@Object or @Object='All')
    and b.name >'sp_EncryptObject'
    and a.definition is not null
    order by Case
    when b.type ='V' then 1
    when b.type ='TR' then 2
    when b.type in('FN','IF','TF') then 3
    else 4 end,b.create_date,b.object_id
    open cur_Object
    fetch next from cur_Object into @Object,@sql
    while @@fetch_status=0
    begin
    Begin Try
    if objectproperty(object_id(@Object),'ExecIsAfterTrigger')=0 set @Replace='As' ; else set @Replace='For ';
    if (patindex('%'+@C1+@C2+@Replace+@C1+@C2+'%',@sql)>0)
    begin
    set @sql=Replace(@sql,@C1+@C2+@Replace+@C1+@C2,@C1+@C2+'With Encryption'+@C1+@C2+@Replace+@C1+@C2)
    end
    else if(patindex('%'+@C1+@Replace+@C1+'%',@sql)>0)
    begin
    set @sql=Replace(@sql,@C1+@Replace+@C1,@C1+'With Encryption'+@C1+@Replace+@C1)
    end
    else if(patindex('%'+@C2+@Replace+@C2+'%',@sql)>0)
    begin
    set @sql=Replace(@sql,@C2+@Replace+@C2,@C2+'With Encryption'+@C2+@Replace+@C2)
    end
    else if(patindex('%'+@C2+@Replace+@C1+'%',@sql)>0)
    begin
    set @sql=Replace(@sql,@C2+@Replace+@C1,@C1+'With Encryption'+@C2+@Replace+@C1)
    end
    else if(patindex('%'+@C1+@C2+@Replace+'%',@sql)>0)
    begin
    set @sql=Replace(@sql,@C1+@C2+@Replace,@C1+@C2+'With Encryption'+@C1+@C2+@Replace)
    end
    else if(patindex('%'+@C1+@Replace+'%',@sql)>0)
    begin
    set @sql=Replace(@sql,@C1+@Replace,@C1+'With Encryption'+@C1+@Replace)
    end
    else if(patindex('%'+@C2+@Replace+'%',@sql)>0)
    begin
    set @sql=Replace(@sql,@C2+@Replace,@C2+'With Encryption'+@C2+@Replace)
    end
    set @type =
    case
    when object_id(@Object,'P')>0 then 'Proc'
    when object_id(@Object,'V')>0 then 'View'
    when object_id(@Object,'TR')>0 then 'Trigger'
    when object_id(@Object,'FN')>0 or object_id(@Object,'IF')>0 or object_id(@Object,'TF')>0 then 'Function'
    end
    set @sql=Replace(@sql,'Create '+@type,'Alter '+@type)
    Begin Transaction
    exec(@sql)
    print N'已完成加密对象('+@type+'):'+@Object
    Commit Transaction
    End Try
    Begin Catch
    Declare @Error nvarchar(2047)
    Set @Error='Object: '+@Object+@C1+@C2+'Error: '+Error_message()
    Rollback Transaction
    print @Error
    print @sql
    End Catch
    fetch next from cur_Object into @Object,@sql
    end
    close cur_Object
    deallocate cur_Object
    end
    Go
    exec sp_ms_marksystemobject 'sp_EncryptObject' --标识为系统对象
    go

    如果SQL Server 2012,请修改下面两个位置的代码。在SQL Server 2012,建议在使用throw来代替raiserror。
     
    解密方法
    解密过程,最重要采用异或方法:
    [字符1]经过函数 fn_x(x)加密变成[加密后字符1],如果我们已知[加密后字符1],反过来查[字符1],可以这样:
    [字符1] = [字符2] ^ fn_x([字符2]) ^ [加密后字符1]
    这里我列举一个简单的例子:
    复制代码 代码如下:

    --创建加密函数(fn_x)
    if object_id('fn_x') is not null drop function fn_x
    go
    create function fn_x
    (
    @x nchar(1)
    )returns nchar(1)
    as
    begin
    return(nchar((65535-unicode(@x))))
    end
    go
    declare @nchar_1_encrypt nchar(1),@nchar_2 nchar(1)
    --对字符'A'进行加密,存入变量@nchar_1_encrypt
    set @nchar_1_encrypt=dbo.fn_x(N'A')
    --參考的字符@nchar_2
    set @nchar_2='x'
    --算出@nchar_1_encrypt 加密前的字符
    select nchar(unicode(@nchar_2)^unicode(dbo.fn_x(@nchar_2))^unicode(@nchar_1_encrypt)) as [@nchar_1]
    /*
    @nchar_1
    --------------------
    A
    */

    [注]: 从SQL Server 2000至 SQL Server 2012 采用异或方法都可以解密
    用于解密的存储过程(sp_DecryptObject):
    复制代码 代码如下:

    Use master
    Go
    if object_ID('[sp_DecryptObject]') is not null
    Drop Procedure [sp_DecryptObject]
    Go
    create procedure sp_DecryptObject
    (
    @Object sysname, --要解密的对象名:函数,存储过程,视图或触发器
    @MaxLength int=4000 --评估内容的长度
    )
    as
    set nocount on
    /* 1. 解密 */
    if not exists(select 1 from sys.objects a where a.object_id=object_id(@Object) And a.type in('P','V','TR','FN','IF','TF'))
    begin
    --SQL Server 2008
    raiserror 50001 N'无效的对象!要解密的对象必须是函数,存储过程,视图或触发器。'
    --SQL Server 2012
    --throw 50001, N'无效的对象!要解密的对象必须是函数,存储过程,视图或触发器。',1
    return
    end
    if exists(select 1 from sys.sql_modules a where a.object_id=object_id(@Object) and a.definition is not null)
    begin
    --SQL Server 2008
    raiserror 50001 N'对象没有加密!'
    --SQL Server 2012
    --throw 50001, N'无效的对象!要解密的对象必须是函数,存储过程,视图或触发器。',1
    return
    end
    declare @sql nvarchar(max) --解密出来的SQL语句
    ,@imageval nvarchar(max) --加密字符串
    ,@tmpStr nvarchar(max) --临时SQL语句
    ,@tmpStr_imageval nvarchar(max) --临时SQL语句(加密后)
    ,@type char(2) --对象类型('P','V','TR','FN','IF','TF')
    ,@objectID int --对象ID
    ,@i int --While循环使用
    ,@Oject1 nvarchar(1000)
    set @objectID=object_id(@Object)
    set @type=(select a.type from sys.objects a where a.object_id=@objectID)
    declare @Space4000 nchar(4000)
    set @Space4000=replicate('-',4000)
    /*
    @tmpStr 会构造下面的SQL语句
    -------------------------------------------------------------------------------
    alter trigger Tr_Name on Table_Name with encryption for update as return /**/
    alter proc Proc_Name with encryption as select 1 as col /**/
    alter view View_Name with encryption as select 1 as col /**/
    alter function Fn_Name() returns int with encryption as begin return(0) end/**/
    */
    set @Oject1=quotename(object_schema_name(@objectID))+'.'+quotename(@Object)
    set @tmpStr=
    case
    when @type ='P ' then N'Alter Procedure '+@Oject1+' with encryption as select 1 as column1 '
    when @type ='V ' then N'Alter View '+@Oject1+' with encryption as select 1 as column1 '
    when @type ='FN' then N'Alter Function '+@Oject1+'() returns int with encryption as begin return(0) end '
    when @type ='IF' then N'Alter Function '+@Oject1+'() returns table with encryption as return(Select a.name from sys.types a) '
    when @type ='TF' then N'Alter Function '+@Oject1+'() returns @t table(name nvarchar(50)) with encryption as begin return end '
    else 'Alter Trigger '+@Oject1+'on '+quotename(object_schema_name(@objectID))+'.'+(select Top(1) quotename(object_name(parent_id)) from sys.triggers a where a.object_id=@objectID)+' with encryption for update as return '
    end
    set @tmpStr=@tmpStr+'/*'+@Space4000
    set @i=0
    while @i (ceiling(@MaxLength*1.0/4000)-1)
    begin
    set @tmpStr=@tmpStr+ @Space4000
    Set @i=@i+1
    end
    set @tmpStr=@tmpStr+'*/'
    ------------
    set @imageval =(select top(1) a.imageval from sys.sysobjvalues a where a.objid=@objectID and a.valclass=1)
    begin tran
    exec(@tmpStr)
    set @tmpStr_imageval =(select top(1) a.imageval from sys.sysobjvalues a where a.objid=@objectID and a.valclass=1)
    rollback tran
    -------------
    set @tmpStr=stuff(@tmpStr,1,5,'create')
    set @sql=''
    set @i=1
    while @i= (datalength(@imageval)/2)
    begin
    set @sql=@sql+isnull(nchar(unicode(substring(@tmpStr,@i,1)) ^ unicode(substring(@tmpStr_imageval,@i,1))^unicode(substring(@imageval,@i,1)) ),'')
    Set @i+=1
    end
    /* 2. 列印 */
    declare @patindex int
    while @sql>''
    begin
    set @patindex=patindex('%'+char(13)+char(10)+'%',@sql)
    if @patindex >0
    begin
    print substring(@sql,1,@patindex-1)
    set @sql=stuff(@sql,1,@patindex+1,'')
    end
    else
    begin
    set @patindex=patindex('%'+char(13)+'%',@sql)
    if @patindex >0
    begin
    print substring(@sql,1,@patindex-1)
    set @sql=stuff(@sql,1,@patindex,'')
    end
    else
    begin
    set @patindex=patindex('%'+char(10)+'%',@sql)
    if @patindex >0
    begin
    print substring(@sql,1,@patindex-1)
    set @sql=stuff(@sql,1,@patindex,'')
    end
    else
    begin
    print @sql
    set @sql=''
    end
    end
    end
    end
    Go
    exec sp_ms_marksystemobject 'sp_DecryptObject' --标识为系统对象
    go

    如果SQL Server 2012,请修改下面两个位置的代码。方法类似于前面的加密过程:

    搭建测试环境
    --------------------------------------------------------------------------------
    在一个测试环境中(DB: Test),先执行上面的加密存储过程(sp_EncryptObject)和解密存储过程(sp_EncryptObject);再创建两个表:TableA TableB
    复制代码 代码如下:

    use test
    go
    --创建表: TableA TableB
    if object_id('myTableA') is not null drop table myTableA
    if object_id('myTableB') is not null drop table myTableB
    go
    create table myTableA (ID int identity,data nvarchar(50),constraint PK_myTableA primary key(ID))
    create table myTableB (ID int ,data nvarchar(50),constraint PK_myTableB primary key(ID))
    go

    接下来,我们要创建6个未加密的对象(对象类型包含 'P','V','TR','FN','IF','TF'):
    1.视图(myView):
    复制代码 代码如下:

    if object_id('myView') is not null drop view myView
    go
    create view myView
    As
    select * from TableA;
    go

    2.触发器(MyTrigger):
    复制代码 代码如下:

    if object_id('MyTrigger') is not null drop Trigger MyTrigger
    go
    create trigger MyTrigger
    on TableA
    for update
    As
    insert into TableB(ID,data) select a.ID,a.Data From Inserted a
    go

    3.存储过程(MyProc):
    复制代码 代码如下:

    if object_id('MyProc') is not null drop proc MyProc
    go
    create proc MyProc
    (
    @data nvarchar(50)
    )
    As
    insert into TableA(data) values(@data)
    go

    4.用户定义表值函数(TF)(MyFunction_TF):
    复制代码 代码如下:

    if object_id('MyFunction_TF') is not null drop function MyFunction_TF
    go
    create function MyFunction_TF
    (
    )
    returns @t table
    (
    id int,
    data nvarchar(50)
    )
    As
    begin
    insert @t(id,data) select id,data from TableA
    return
    end
    go

    5.内联表值函数(IF) (MyFunction_IF):
    复制代码 代码如下:

    if object_id('MyFunction_IF') is not null drop function MyFunction_IF
    go
    create function MyFunction_IF
    (
    )
    returns table
    As
    return(select top(3) id, data from TableA order by id desc)
    go

    6.标量函数(FN)(MyFunction_FN):
    复制代码 代码如下:

    if object_id('MyFunction_FN') is not null drop function MyFunction_FN
    go
    create function MyFunction_FN
    (
    )
    returns nvarchar(50)
    As
    begin
    return(select top(1) data from TableA order by id desc)
    end
    go

    当执行完了上面的1-6步骤的脚本,我们通过查询系统视图sys.sql_modules,可以看到未加密前的定义信息:
    复制代码 代码如下:

    select b.name as object,b.type,a.definition
    from sys.sql_modules a
    inner join sys.objects b on b.object_id=a.object_id
    where b.create_date>=convert(date,getdate())
    order by b.object_id

     
    加密测试
    --------------------------------------------------------------------------------
    下面我就通过调用加密存储过程(sp_EncryptObject),一次性对它们进行加密:
    复制代码 代码如下:

    use test
    go
    exec sp_EncryptObject 'all'
    go

     

    当我们再查回系统视图sys.sql_modules,会发现definition列返回的是null值,说明定义内容已经给加密:


    解密测试
    --------------------------------------------------------------------------------
    解密过程,必须在DAC连接SQL Server,我们这里例子是从 SSMS(SQL Server Management Studio) 查询编辑器启动 DAC,如图:
     
    解密存储过程(sp_DecryptObject),只能一次对一个存储过程、函数、视图或触发器,进行解密:
    复制代码 代码如下:

    use test
    go
    exec sp_DecryptObject MyTrigger
    go

     
    当定义内容长度超过4000,我们可以指定@MaxLength的值,如:
    复制代码 代码如下:

    exec sp_DecryptObject fn_My,20000
    go

    这里(fn_My)是一个函数,定义内容超过了8000: 

    ... ...

     
    小结
    --------------------------------------------------------------------------------
    虽然,上面的脚本,我已经在SQL Server 2008 R2 和SQL Server 2012测试过,但无法避免一些未知错误 。如果你自己在测试上面的脚本,请不要在生产环境上。如果你在应用过程,碰到有什么问题或有什么意见和建议可以发email联系我或跟帖,在此非常感谢!
    您可能感兴趣的文章:
    • SQLSERVER对加密的存储过程、视图、触发器进行解密(推荐)
    • SQLSERVER加密解密函数(非对称密钥 证书加密 对称密钥)使用方法代码
    • 存储过程解密(破解函数,过程,触发器,视图.仅限于SQLSERVER2000)
    • 解密新型SQL Server无文件持久化恶意程序的问题
    上一篇:SQL2008 附加数据库提示5120错误解决方法
    下一篇:Excel导入数据库时出现的文本截断问题解决方案
  • 相关文章
  • 

    © 2016-2020 巨人网络通讯 版权所有

    《增值电信业务经营许可证》 苏ICP备15040257号-8

    SQL Server储过程加密和解密原理深入分析 SQL,Server,储,过程,加密,和,