
I'm using SQL Server 2008 to store some encrypted information. There are about 5 database tables that have fields with encrypted data. The encryption is done at the server side using Java. My problem is that we also need to view/update this encrypted information. To view/update the encrypted information from database I'm creating a web application that will allow a user to view/update the encrypted information residing in database.

For example, let's say a user needs to insert new data into the database that contains an encrypted field:

  1. The user will be able to enter an INSERT SQL query in the web application and have the App Server parse the query.

  2. If I find a field that needs to be encrypted then I have to extract that clear text value, encrypt it using Java and then modify the query with the encrypted value.

  3. Execute the modified INSERT query against the database.

Now it will be a pain to parse SQL queries and have to modify them. I'm just wondering if there is an easier way to do this. Has anyone done this before? Are there any tools to facilitate this?

The thing is, the database will be installed on client sites, therefore we have to encrypt database fields in order to protect intellectual property. The client has full access to their database, so using SQL Server's built-in encryption is not a good idea.

Any suggestions appreciated.

JasonMArcher
Marquinio
  • Who owns the data in the database? – matt b Jul 12 '11 at 13:48
  • The client owns only the data generated by the application. It's an AI application and its configuration is stored in the database. If the client or anyone else has access to its configuration then they can reverse engineer it. – Marquinio Jul 12 '11 at 13:53
  • I think without more info it's a bit difficult to gauge if there's an easier solution. Why do your CLIENTS have to enter SQL queries, for example? (This in itself has "here be dragons" written all over it...) What you've presented seems to be an *implementation* that you don't like, not an actual problem that you need to solve, which potentially has other implementations. Perhaps you can elaborate a bit on What The Thing Is That You Actually Need To Do. – Neil Coffey Jul 12 '11 at 14:21

1 Answer

I would advise against using direct SQL statement inputs from the web app; here is why:

  1. No data validation (no data type help on the column for the user)
  2. User errors in the input SQL, such as typos (can only be validated on JDBC execute)
  3. Not to mention, it is not the most secure way of doing it

If you go the form route you need an add/edit form for the table with all the columns listed as form inputs. You can solve all the above problems and also maybe add a check box beside each column, making the encryption of the column more configurable.

If you still have reasons for straight SQL, I guess you can look at the thread below. If I were you I would parse the query myself:

SQL parser library for Java

Prasanna Talakanti
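The form route the answer recommends, as an added example that is not code from the question or the answer: column names come from the application's own column list rather than from user-typed SQL, every value is bound as a JDBC parameter, and columns flagged for encryption (the answer's per-column check box) are AES-GCM encrypted on the app server before binding. It assumes a SecretKey supplied by the application and string columns wide enough for the Base64 output; the class and method names are my own.

```java
import java.security.SecureRandom;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.util.Base64;
import java.util.Map;
import java.util.Set;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public final class EncryptedInsert {
    private static final SecureRandom RNG = new SecureRandom();
    private static final String IDENT = "[A-Za-z_][A-Za-z0-9_]*";
    private final SecretKey key; // assumption: AES key held by the app server, never stored in the client DB
    public EncryptedInsert(SecretKey key) { this.key = key; }

    /** AES-GCM with a fresh 12-byte nonce; nonce||ciphertext is Base64-encoded to fit a VARCHAR column. */
    String encryptField(String clearText) throws Exception {
        byte[] nonce = new byte[12];
        RNG.nextBytes(nonce);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] ct = cipher.doFinal(clearText.getBytes("UTF-8"));
        byte[] out = new byte[nonce.length + ct.length];
        System.arraycopy(nonce, 0, out, 0, nonce.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    /** Builds one parameterised INSERT from form input: identifiers come from the app's own column
     *  list and are checked against IDENT, values are bound as parameters, flagged columns encrypted. */
    public int insert(Connection conn, String table, Map<String, String> formValues,
                      Set<String> encryptedColumns) throws Exception {
        if (!table.matches(IDENT)) throw new IllegalArgumentException("bad table name");
        StringBuilder cols = new StringBuilder(), marks = new StringBuilder();
        for (String col : formValues.keySet()) {
            if (!col.matches(IDENT)) throw new IllegalArgumentException("bad column: " + col);
            if (cols.length() > 0) { cols.append(", "); marks.append(", "); }
            cols.append('[').append(col).append(']'); marks.append('?'); // SQL Server bracket quoting
        }
        String sql = "INSERT INTO [" + table + "] (" + cols + ") VALUES (" + marks + ")";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            int i = 1;
            for (Map.Entry<String, String> e : formValues.entrySet()) {
                boolean enc = encryptedColumns.contains(e.getKey());
                ps.setString(i++, enc ? encryptField(e.getValue()) : e.getValue());
            }
            return ps.executeUpdate();
        }
    }
}
```

Because the app server builds the statement itself, the user never types SQL, so there is nothing to parse or rewrite; the set of encrypted columns is just configuration the form can expose per column.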