yocki (2/24/2014)
Hi Lowell,Hi Jef Moden,
Thanks for the reply...
What I am trying is to create a text file containing a message why the insert process failed. Here is a bit of the pseudocode:
IF condition1 = 0
BEGIN
xp_cmdshell write to a file "this value is 0"
END
IF condition <>0
BEGIN
INSERT INTO tabel
END
This stored procedure is actually executed by an internal .NET application. Actually I want to avoid granting execute to xp_cmdshell, BUT i have no idea how this application can capture the feedback from the SP that has been executed so I use cmdshell to pool the feedback. This is actually what i want to do:
IF condition1 = 0
BEGIN
set @erorlog = @erorlog + "this value is 0"
END
I want the application to be able to read this "@erorlog" variable. How can i achieve that ?
I do not want to create a new table just to pool the error messages.
Also, I kinda know the danger of this (http://stackoverflow.com/questions/3797036/sql-server-why-xp-cmdshell-is-disabled-by-default) but my users are really really just operator. They have the very most basic skill of SQL (even dont have at all). 😀
So, you think its still save to give this particular user access to xp_cmdshell ? 😎
Thanks alot
Like I said, I wouldn't grant xp_CmdShell privs to any user (login, etc). I would build a stored procedure that does only what is need with xp_CmdShell, include EXECUTE AS OWNER in the proc, and the grant the user privs to only run the stored proc.
NEVER grant anyone or any login privs to run xp_CmdShell (SA's will be the obvious exception). Always do it through stored procedures.
--Jeff Moden
Change is inevitable... Change for the better is not.