    sanjuv999 (9/25/2012)

    please guide me

    opc.three (9/25/2012)

    Do not enable xp_cmdshell! You do not need it for this scenario and it introduces risk in your environment.

    If you want to do everything with T-SQL, use BULK INSERT for this task.

    Jeff Moden (9/26/2012)

    It doesn't introduce any risks that aren't already there. Only an attacker who can get in as "SA" would be able to use it and if (s)he did so, they could also turn it on. It wouldn't even slow them down because they're expecting it to be off.

    opc.three (9/26/2012)

    Enabling xp_cmdshell does introduce risk into an environment despite how slight or irrelevant you think those risks may be.

    Jeff Moden (9/27/2012)

    If you have control over who has "SA" privs, it simply does not. If you don't have that kind of control over your database (and you absolutely should), disabling it is nothing more than a warm fuzzy that won't actually work because anyone with "SA" privs can simply turn it on.

    opc.three (9/27/2012)

    Risk mitigation is all about the "what if", Jeff. I won't argue this point with you anymore. The fact is that enabling it introduces risk.

    Jeff Moden (9/27/2012)

    You HAVE to continue to talk about it because you keep talking about it in a negative fashion! 😉

    opc.three (9/27/2012)

    And I will continue to steer people towards more-secure and more-auditable (and more robust, I might add) solutions as long as I have breath 🙂

    All you have to do now, my old friend, is find something more secure to steer them to. 😀 For starters, how about how to control who gets SA privs and how to determine who already has them. How about how to run any stored procedure with only PUBLIC privs and EXECUTE privs on the stored proc instead of wasting time on something that doesn't actually increase security at all?

    Heh... when you and I finally meet up to drink a beer or two together, let's promise each other now that neither of us will bring this particular subject up. It appears to be the only subject that we have a true disagreement on. :w00t:

    --Jeff Moden


    RBAR is pronounced "ree-bar" and is a "Modenism" for Row-By-Agonizing-Row.
    First step towards the paradigm shift of writing Set Based code:
        Stop thinking about what you want to do to a ROW... think, instead, of what you want to do to a COLUMN.

    Change is inevitable... Change for the better is not.


    Helpful Links:
    How to post code problems
    How to Post Performance Problems
    Create a Tally Function (fnTally)
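The thread ends with two concrete questions from Jeff (who already holds "SA" privs, and how to find out) and one alternative from opc.three (BULK INSERT instead of xp_cmdshell). The T-SQL below is an added example written for this page, not code posted by either of them; the login name, staging table, file path and file layout are assumptions made up for the example.

```sql
-- Added example (not from the thread). Runs on SQL Server 2008 and later.

-- 1. Who already holds sysadmin ("SA") privileges on this instance?
--    Fixed server role membership is recorded in sys.server_role_members.
SELECT r.name        AS server_role,
       m.name        AS member_name,
       m.type_desc   AS member_type,
       m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;

-- A Windows group in that list hides its members; IS_SRVROLEMEMBER resolves
-- group membership for one login. The login name here is hypothetical.
SELECT IS_SRVROLEMEMBER(N'sysadmin', N'CONTOSO\app_user') AS app_user_is_sysadmin;

-- 2. Is xp_cmdshell switched on right now? value_in_use is the running
--    setting; any login can read sys.configurations.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = N'xp_cmdshell';

-- 3. Loading a file without an OS shell: BULK INSERT stays inside the engine.
--    Assumed layout: a comma-separated file with a header row.
CREATE TABLE dbo.ImportStaging
(
    ImportId     INT           NOT NULL,
    CustomerName NVARCHAR(100) NOT NULL,
    Amount       DECIMAL(18,2) NOT NULL
);

BULK INSERT dbo.ImportStaging
FROM 'C:\Imports\customers.csv'           -- hypothetical path, read by the service account
WITH
(
    FIRSTROW        = 2,                  -- skip the header row
    FIELDTERMINATOR = ',',
    ROWTERMINATOR   = '\n',
    MAXERRORS       = 0                   -- fail the whole load on the first bad row
);

SELECT COUNT(*) AS rows_loaded FROM dbo.ImportStaging;
```

Two caveats a practitioner wants alongside this: BULK INSERT needs INSERT on the target table plus ADMINISTER BULK OPERATIONS (or bulkadmin membership), and the file is opened by the SQL Server service account, not the caller, so the path must be readable by that account. Neither of those requires turning on xp_cmdshell, which is the point both posters agree on for this particular task.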