• Jim P. (4/3/2013)


    The argument over whether xp_cmdshell is a threat means that someone, with decent knowledge, is already so far in it doesn't matter. Now I catch a programmer doing that crap, I'm going to bust his butt. But the usual end-user using an application is not going to be the danger. So trying to guard against the normal edge is good. But going to paranoiac extremes generally makes no sense.

    Well said. That's my whole point about xp_CmdShell. If someone gets in deep enough (meaning with "SA" privs, in this case), you're dead even if it's turned off and depriving DBAs of its SA-only usage just doesn't make sense to me.

    For the record, I'm also one of those folks that will allow it in carefully constructed application-facing stored procedures where the user doesn't actually have privs to run xp_CmdShell directly but that's a whole different argument.

    --Jeff Moden


    RBAR is pronounced "ree-bar" and is a "Modenism" for Row-By-Agonizing-Row.
    First step towards the paradigm shift of writing Set Based code:
    ________Stop thinking about what you want to do to a ROW... think, instead, of what you want to do to a COLUMN.

    Change is inevitable... Change for the better is not.


    Helpful Links:
    How to post code problems
    How to Post Performance Problems
    Create a Tally Function (fnTally)
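The "carefully constructed application-facing stored procedure" approach Jeff mentions, where the caller can run the wrapper but not xp_CmdShell itself, is normally done with module signing in T-SQL. The block below is an added example for this thread, not code posted by Jeff or by anyone else here; every object name, the password, the `D:\AppDrop` root folder and the `AppUser` principal are placeholders or assumptions, and it assumes xp_cmdshell is already enabled server-wide (as the post says it would be in that setup).

```sql
-- Added example (not from the thread): a fixed-purpose wrapper around xp_cmdshell
-- so that an application user can call the wrapper but not xp_cmdshell itself.
-- All object names, the password, the folder root and AppUser are assumptions.

USE master;
GO

-- 1. Show the current state; run_value = 1 means xp_cmdshell is enabled server-wide.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell';
GO

-- 2. A certificate, a login mapped to it, and a master user that is the ONLY
--    principal (besides sysadmin) holding EXECUTE on xp_cmdshell.
CREATE CERTIFICATE CmdShellSigningCert
    ENCRYPTION BY PASSWORD = '<placeholder-strong-password>'
    WITH SUBJECT = 'Signs the DirectoryListing wrapper procedure';
CREATE LOGIN CmdShellSigningLogin FROM CERTIFICATE CmdShellSigningCert;
CREATE USER CmdShellSigningUser FOR LOGIN CmdShellSigningLogin;
GRANT EXECUTE ON xp_cmdshell TO CmdShellSigningUser;
GO

-- 3. The wrapper: one fixed command, one allow-listed parameter, and no raw input
--    concatenated into the shell line.
CREATE PROCEDURE dbo.DirectoryListing
    @SubFolder sysname
AS
BEGIN
    SET NOCOUNT ON;

    -- Allow only letters, digits and underscore so the value cannot carry
    -- path separators, quotes or shell metacharacters.
    IF @SubFolder IS NULL
       OR LEN(@SubFolder) = 0
       OR @SubFolder LIKE '%[^A-Za-z0-9_]%'
    BEGIN
        RAISERROR('Invalid folder name', 16, 1);
        RETURN 1;
    END;

    -- D:\AppDrop is an assumed fixed root; the caller never chooses the command.
    DECLARE @cmd varchar(1000) = 'dir /b "D:\AppDrop\' + @SubFolder + '"';

    CREATE TABLE #out (line nvarchar(4000));
    INSERT #out EXEC xp_cmdshell @cmd;
    SELECT line FROM #out WHERE line IS NOT NULL;
END;
GO

-- 4. Signing the procedure lends it CmdShellSigningUser's EXECUTE right only
--    while the procedure body runs.
ADD SIGNATURE TO dbo.DirectoryListing
    BY CERTIFICATE CmdShellSigningCert
    WITH PASSWORD = '<placeholder-strong-password>';
GO

-- 5. The application principal gets the wrapper and nothing else.
--    (AppUser is an assumed, already existing user in master.)
GRANT EXECUTE ON dbo.DirectoryListing TO AppUser;
GO

-- 6. Verification. The wrapper works for AppUser:
--      EXECUTE AS USER = 'AppUser'; EXEC dbo.DirectoryListing 'incoming'; REVERT;
--    A direct call is refused with an EXECUTE permission error:
--      EXECUTE AS USER = 'AppUser'; EXEC xp_cmdshell 'dir'; REVERT;
```

Two things worth checking after deploying a wrapper like this: `ALTER PROCEDURE` drops the signature, so re-run `ADD SIGNATURE` after any change, and `sys.fn_my_permissions('xp_cmdshell', 'OBJECT')` run as the application user should come back empty, which is the whole point of the pattern. It also does nothing against the case Jeff describes in the post: anyone holding SA can re-enable or call xp_cmdshell regardless of how the wrapper is built.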