give the web user access to run xp_cmdshell

mflancour

MIS
Apr 23, 2002
379
US
I have a stored proc that uses xp_cmdshell. I have a web interface that we would like to use to call this proc. You can see the problem. Can really just give the web user access to run xp_cmdshell. Anyone know a workaround for this that won't compromise the database?
 
What (specifically) are you using xp_cmdshell for in your proc?

I think you are right, that this is not a good idea to allow your web user to run it!

Ignorance of certain subjects is a great part of wisdom
 
Can scripting handle this better than xp_cmdshell for web users?

Well Done is better than well said
- Ben Franklin
 
What version of SQL Server? If you have 2005, CLR might be an option for this, if you can't handle it from the front end app.

Hope this helps,

Alex


Ignorance of certain subjects is a great part of wisdom
 
It's 2000. The other thing cmdshell is doing is also /dir to get the list of files in a directory.
 
Well, that eliminates CLR :-(

And where are these files? On the SQL server? The web server? Somewhere on your network?

Hope this helps,

Alex

Ignorance of certain subjects is a great part of wisdom
 
Correct me if I'm wrong about this, but if you ONLY give users permission to run the wrapping sproc, then they can only run that, and not xp_cmdshell directly...

--------------------
Procrastinate Now!
 
Can't really say, just scares me. I've been told there is a way to get directory information without using cmdshell. If someone can tell me how to do this I can get it to work.
 
Check out this thread.

thread183-1355242

- Paul

- If at first you don't succeed, find out if the loser gets anything.
 
mflancour - I think it scares you for good reason. This really isn't a job for the database. If your web and network security are properly configured, you should be able to do this from your application (not from the database).

Hope this helps,

Alex

Ignorance of certain subjects is a great part of wisdom
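
The application-side approach suggested in the last reply, as an added example that is not part of the original thread: the web tier lists the files itself, with no shell and no xp_cmdshell, and refuses any folder outside one fixed root. Python, the function name `list_files`, the `ListingError` class and the sample tree in `demo` are assumptions made for illustration; the thread does not say what the web interface is written in.

```python
import os
import tempfile
from pathlib import Path


class ListingError(Exception):
    """Raised when a requested folder is outside the allowed root or unusable."""


def list_files(root, requested=""):
    """Return sorted [(name, size_bytes)] for regular files in root/requested.

    root      -- the one directory the web application may expose (assumed)
    requested -- untrusted, user-supplied relative sub-folder
    """
    root_path = Path(root).resolve(strict=True)
    # Resolve ".." segments and symlinks before checking containment.
    target = (root_path / requested).resolve()
    if target != root_path and root_path not in target.parents:
        raise ListingError("requested folder is outside the allowed root")
    if not target.is_dir():
        raise ListingError("requested folder does not exist")

    files = []
    with os.scandir(target) as entries:
        for entry in entries:
            # Report plain files only; skip sub-folders and symlinks.
            if entry.is_file(follow_symlinks=False):
                size = entry.stat(follow_symlinks=False).st_size
                files.append((entry.name, size))
    return sorted(files)


def demo():
    """Constructed sample: a temporary root with two files and one sub-folder."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "a.txt").write_text("hello")
        Path(tmp, "b.log").write_text("")
        Path(tmp, "sub").mkdir()
        listing = list_files(tmp)
        try:
            list_files(tmp, "../")      # attempt to climb out of the root
            escaped = True
        except ListingError:
            escaped = False
        return listing, escaped


if __name__ == "__main__":
    print(demo())
```

The web account then needs only read access to that one folder on the file system, and no execute permission on xp_cmdshell at all.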
 