Error Code 850 with PASSWORD parameter

meastland Posts: 47
edited August 5, 2011 1:52AM in SQL Backup Previous Versions
Peter,

I just noticed that the value of the PASSWORD parameter shows up in plain text for both the LOG_ONERRORONLY and MAILTO_ONERRORONLY destinations when the SQL Backup command generates an error code of 850. Conversely, for example, when the command generates an error code of 600, the value for the PASSWORD parameter is masked (PASSWORD = 'XXXXXXXXXX') by the logging mechanism.

This seems to represent a possible security problem. Also, I would be happy to email the specifics to you directly if that would help.

Regards,

-Mike Eastland

Comments

  • Thanks for your post and I hope you don't mind me replying on Peter's behalf.

    I agree that having the password in the error log probably isn't very safe. However, you can supply the backup password encrypted, e.g.:

    PASSWORD = ''<ENCRYPTEDPASSWORD>o5Y6c8LmZGHkzaw=</ENCRYPTEDPASSWORD>''

    This encrypted string can be created when you generate the job script through the GUI. This is also preferable to storing the non-encrypted password in the SQL Agent job.
    Chris
  • petey Posts: 2,358 New member
    Patch 6.5.2.6 addresses this issue somewhat. When there is a syntax error, we can't really tell for sure which element represents what, so this is only a best guess as to where the password lies.

    You can download the patch from here:

    ftp://support.red-gate.com/Patches/sql_ ... _5_2_6.zip
    Peter Yeoh
    SQL Backup Consultant Developer
    Associate, Yohz Software
    Beyond compression - SQL Backup goodies under the hood, updated for version 8
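
For logs and mail already written before the patch, a scrubber can find and mask clear-text PASSWORD values, including the malformed (syntax error) case where the closing quote is missing. This is an added example, not part of the thread and not Red Gate code; the sample log lines and the `redact`/`scan` helpers are constructed for illustration, and the real log layout is an assumption.

```python
import re

MASK = "XXXXXXXXXX"  # same mask shape the thread reports for error 600

# PASSWORD = '<value>' or PASSWORD = ''<value>'' (quotes are doubled when the
# command is nested inside a T-SQL string literal).
QUOTED = re.compile(r"(\bPASSWORD\s*=\s*)('{1,2})(.*?)\2", re.I)
# Malformed command: no closing quote, so mask everything to end of line.
UNTERMINATED = re.compile(r"(\bPASSWORD\s*=\s*'{0,2})(.+)$", re.I)
# Values that are already safe to keep: the mask, or an encrypted password.
SAFE = re.compile(r"^(X+|<ENCRYPTEDPASSWORD>.*</ENCRYPTEDPASSWORD>)$")

def redact(line):
    """Return (redacted_line, exposed); exposed is True if clear text was masked."""
    exposed = False

    def _sub(m):
        nonlocal exposed
        if SAFE.match(m.group(3)):
            return m.group(0)              # already masked or encrypted
        exposed = True
        return f"{m.group(1)}{m.group(2)}{MASK}{m.group(2)}"

    out, n = QUOTED.subn(_sub, line)
    if n == 0:                             # no well-formed quoted value found
        m = UNTERMINATED.search(line)
        if m and not SAFE.match(m.group(2)):
            exposed = True
            out = line[:m.start(2)] + MASK
    return out, exposed

def scan(lines):
    """Return 1-based numbers of lines that carried a clear-text password."""
    return [i for i, l in enumerate(lines, 1) if redact(l.rstrip("\n"))[1]]

# Constructed sample lines (not real SQL Backup log output).
SAMPLE = [
    "BACKUP DATABASE [db1] TO DISK = 'x.sqb' WITH PASSWORD = 'XXXXXXXXXX'",
    "BACKUP DATABASE [db1] TO DISK = 'x.sqb' WITH PASSWORD = 'Tr0ub4dor&3'",
    "BACKUP DATABASE [db1] TO DISK = 'x.sqb' WITH PASSWORD = "
    "''<ENCRYPTEDPASSWORD>o5Y6c8LmZGHkzaw=</ENCRYPTEDPASSWORD>''",
    "BACKUP DATABASE [db1] TO DISK = 'x.sqb' WITH PASSWORD = 'Tr0ub4dor&3",
]

if __name__ == "__main__":
    for n in scan(SAMPLE):
        print(f"line {n}: {redact(SAMPLE[n - 1])[0]}")
```

Any password the scan flags has already been disclosed to whoever can read the log or the MAILTO mailbox, so it should be rotated as well as masked.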