cancel
Showing results for 
Search instead for 
Did you mean: 

Do any keywords exists which prevent an SQL command from appearing in the logs?

MCMartin
Participant
2,276

I have read that Microsoft SQL Server don't log queries which include sp_password for security reasons. Does SQL Aynwhere have a similar restriction? Do any keywords exists which prevent an SQL command from appearing in the logs?

Accepted Solutions (1)

Accepted Solutions (1)

ian_mchardy
Product and Topic Expert
Product and Topic Expert

Request level logging logs all queries and SQL statements. It does not make any attempt to determine which queries or SQL statements may contain passwords or other sensitive information.

Answers (1)

Answers (1)

VolkerBarth
Contributor

You are refering to the transaction log?

AFAIK, password-relevant commands are logged in encrypted/obfuscated form. E.g. I just changed the dba PWD in the v12 demo db back to "sql" by using GRANT CONNECT, and the log contains this:

BEGIN TRANSACTION go
--SQL-1030-0000958831 grant connect to dba identified by encrypted 0x01F77775C799C5969EDB51C2214932660181608B53192C9FC05F52D34C9125915C147F8977
go
--COMMIT-1030-0000958964
COMMIT WORK


Personally, I don't think the statement on MS SQL's behaviour is correct, as the non-logging would mean that this change would not be recoverable, and that sould be a no-go. Therefore I guess any RDMS must log these commands but should encrypt/hide them somehow. That's what SQL Anyhwere seems to do, too.

The same reason would make a keyword that prevents the logging of statements very risky.

MCMartin
Participant
0 Kudos

I meant more the request level logging.

I read that using sp_password is part of intrusion techniques for MS SQL because it hides the attempts to break into the system from any request logging. This might be outdated information anyway it lead me to the question if anything similar exists for SQL Anywhere.

VolkerBarth
Contributor
0 Kudos

Well, I can't tell what the request level logging does with these commands but it should be not too hard to inspect that for yourself:)

Furthermore, I really can't tell on the MS SQL side - AFAIK MS SQL has no builtin tool to translate the transaction log (like SA's DBTRAN), and I don't think the SQL Profiler will show such commands in plain text.