SQL Server ->> 安全相关函数

安全相关的函数这些可能会有用: CERTENCODED \CERTPRIVATEKEY \LOGINPROPERTY \ORIGINAL_LOGIN \PWDCOMPARE \SESSION_USER \SESSIONPROPERTY \SUSER_ID \SUSER_NAME \SYSTEM_USER \USER_NAME \DATABASE_PRINCIPAL_ID \IS_MEMBER \IS_ROLEMEMBER \IS_SRVROLEMEMBER

 

用户身份:IS_MEMBER \IS_ROLEMEMBER \IS_SRVROLEMEMBER

IS_MEMBER:可以验证用户是否是某NT工作组或者AD安全组的成员

IS_ROLEMEMBER:可以验证用户是否是某数据库角色成员

IS_SRVROLEMEMBER:可以验证用户是否是某服务器角色成员

 

证书编码:CERTENCODED \CERTPRIVATEKEY

CERTENCODED:把证书转成二进制编码,例如SELECT CERTENCODED(CERT_ID('证书名称'))

CERTPRIVATEKEY:通常配合CERTENCODED,生成证书的私钥,输出成VARBINARY(MAX),然后可以在通过私钥二进制代码后(像创建程序集一样)在另外一个数据库创建相同的证书。然后再通过ENCRYPTBYCERTDECRYPTBYCERT进行数据加密和解密。

 

实际使用场景就是可以把一些敏感数据字段用密钥加密后,到了另外一个数据库用私钥解密,私钥解密指定解密密码达到安全性的要求。

 

DECLARE @CERTENC VARBINARY(MAX);  
DECLARE @CERTPVK VARBINARY(MAX);  
SELECT @CERTENC = CERTENCODED(CERT_ID('SOURCE_CERT'));  
SELECT @CERTPVK = CERTPRIVATEKEY(CERT_ID('SOURCE_CERT'),  
       'CertEncryptionPa$$word');  
SELECT @CERTENC AS BinaryCertificate;  
SELECT @CERTPVK AS EncryptedBinaryCertificate;  
GO  
-- Create the duplicate certificate in the TARGET_DB database  
USE TARGET_DB  
GO  
CREATE CERTIFICATE TARGET_CERT  
FROM BINARY = <insert the binary value of the @CERTENC variable>  
WITH PRIVATE KEY (  
BINARY = <insert the binary value of the @CERTPVK variable>  
, DECRYPTION BY PASSWORD = 'CertEncryptionPa$$word');  
-- Compare the certificates in the two databases  
-- The two certificates should be the same   
-- except for name and (possibly) the certificate_id  
SELECT * FROM SOURCE_DB.sys.certificates  
UNION  
SELECT * FROM TARGET_DB.sys.certificates;  
USE SOURCE_DB;  
  
DECLARE @CLEARTEXT nvarchar(100);  
DECLARE @CIPHERTEXT varbinary(8000);  
DECLARE @UNCIPHEREDTEXT_Source nvarchar(100);  
SET @CLEARTEXT = N'Hello World';  
SET @CIPHERTEXT = ENCRYPTBYCERT(CERT_ID('SOURCE_CERT'), @CLEARTEXT);  
SET @UNCIPHEREDTEXT_Source =   
    DECRYPTBYCERT(CERT_ID('SOURCE_CERT'), @CIPHERTEXT)  
-- Encryption and decryption result in SOURCE_DB  
SELECT @CLEARTEXT AS SourceClearText, @CIPHERTEXT AS SourceCipherText,   
       @UNCIPHEREDTEXT_Source AS SourceDecryptedText;  
  
-- SWITCH DATABASE  
USE TARGET_DB;  
  
DECLARE @UNCIPHEREDTEXT_Target nvarchar(100);  
SET @UNCIPHEREDTEXT_Target = DECRYPTBYCERT(CERT_ID('TARGET_CERT'), @CIPHERTEXT);  
-- Encryption and decryption result in TARGET_DB  
SELECT @CLEARTEXT AS ClearTextInTarget, @CIPHERTEXT AS CipherTextInTarget, @UNCIPHEREDTEXT_Target AS DecriptedTextInTarget;   
GO

 

获取登录用户身份:ORIGINAL_LOGIN \SESSION_USER \SUSER_ID \SUSER_NAME \SYSTEM_USER \USER_NAME \DATABASE_PRINCIPAL

ORIGINAL_LOGIN:因为可以通过EXECUTE AS  XXX切换用户身份执行上下文,ORIGINAL_LOGIN的作用就是获取原始登录用户名称的

SESSION_USER:获取会话用户,会话用户是数据库用户,不是登录用户

SUSER_ID\SUSER_NAME:这两个是一样的,一个是获取登录用户ID,一个是获取登录用户名称

SYSTEM_USER:也是获取登录用户,不过这个的作用是用在创建表字段的时候指定默认约束的

USER_NAME\DATABASE_PRINCIPAL_ID:这两个也是一样的,一个获取数据库用户名称,一个获取数据库用户ID

 

posted @ 2022-02-23 11:25  Jerry_Chen  阅读(114)  评论(0编辑  收藏  举报