0

I'm using SQL Server 2008 to store some encrypted information. There are about 5 database tables that have fields with encrypted data. The encryption is done at the server side using Java. My problem is that we also need to view/update this encrypted information. To view/update the encrypted information from database I'm creating a web application that will allow a user to view/update the encrypted information residing in database.

For example lets say a user needs to insert new data into database that contains an encrypted field:

  1. The user will be able to enter an INSERT SQL query in the web application and have the App Server parse the query.

  2. If I find a field that needs to be encrypted then I have to extract that clear text value, encrypt it using Java and then modify the query with the encrypted value.

  3. Execute the modified INSERT query against the database.

Now it will be a pain to parse SQL queries and having to modify them. I'm just wondering if there is an easier way to do this. Has anyone done this before? Are there any tools to facilitate this?

Thing is the database will be installed on client sites, therefore we have to encrypt database fields in order to protect intellectual property. Client has full access to their database, so using SQL Server built in encryption is not a good idea.

Any suggestions appreciated.

Improve this question
3
  • Who owns the data in the database? Commented Jul 12, 2011 at 13:48
  • Client owns only generated data from the application. Its an AI application and its configuration is stored in database. If client or anyone has access to its configuration then they can reverse engineer. Commented Jul 12, 2011 at 13:53
  • 1
    I think without more info it's a bit difficult to gauge if there's an easier solution. Why do your CLIENTS have to enter SQL queries, for example? (This in itself has "here be dragons" written all over it...) What you've presented seems to be an implementation that you don't like, not an actual problem that you need to solve, which potentially has other implementations. Perhaps you can elaborate a bit on What The Thing Is That You Actually Need To Do. Commented Jul 12, 2011 at 14:21

1 Answer 1

Reset to default
2

I would advise against using direct sql statement inputs from web app, here is why

  1. No data validation (No data type help on column for the user)
  2. User error's in input sql typo's (can only be validated on jdbc execute)
  3. Not to mention, It is not the most secure way of doing

If you go the form route you need an add/edit form for the table with all the columns listed as form inputs. You can solve all the above problems and also may be add check box beside each column and making the encryption of the column more configurable.

If you still have reasons for straight sql, I guess you can look at this thread below, If I were you I would parse query my self

SQL parser library for Java

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.