通過系統擴展存儲過程 xp_sendmail 的附件參數(@attachments),用戶就可以獲得存取服務器上文件的權限。有一個方法可以保護 xp_sendmail:把它封裝到一個存儲過程中去,不讓附件參數對 public 開放。許可改由這個封裝存儲過程來控制,同時把 xp_sendmail 上的許可取消。
下面是基本的工作模板,你可以用它來保護xp_sendmail:
-- Switch to master; the lookup and DROP below run against the current database.
USE master
GO
-- =============================================
-- Wrapper procedure template: clear out any earlier copy
-- =============================================
-- Remove an existing sp_sendmail so the CREATE PROCEDURE that follows starts clean.
-- The lookup matches on name and type only; the DROP itself is unqualified.
-- NOTE(review): dropping a procedure also discards the permissions granted on it,
-- so EXECUTE grants on the wrapper must be re-applied after it is recreated.
IF EXISTS (
    SELECT 1
    FROM sysobjects
    WHERE type = 'P'              -- 'P' = stored procedure
      AND name = N'sp_sendmail'
)
    DROP PROCEDURE sp_sendmail
GO
CREATE PROCEDURE sp_sendmail
@in_recipIEnts VARCHAR(8000) = '
,@in_message VARCHAR(8000)= 'test'
,@in_query VARCHAR(8000)= ''
,@in_copy_recipIEnts VARCHAR(8000)= NULL
,@in_blind_copy_recipIEnts VARCHAR(8000)= NULL
,@in_subject VARCHAR(80)= 'test'
,@in_type VARCHAR(80)= NULL
,@in_attach_results VARCHAR(80)= NULL
,@in_no_output VARCHAR(8)= NULL
,@in_no_header VARCHAR(8)= NULL
,@in_width INT = 10
,@in_separator VARCHAR(8)= NULL
,@in_echo_error VARCHAR(8000)= NULL
,@in_set_user VARCHAR(256) = NULL
,@in_dbuse VARCHAR(256) = NULL
AS
DECLARE @attachments VARCHAR(8000)
SET @in_recipIEnts = '
exec master..xp_sendmail
@recipients = @in_recipIEnts
,@message = @in_message
,@query = @in_query
,@attachments = ' '
,@copy_recipients = @in_copy_recipIEnts
,@blind_copy_recipients = @in_blind_copy_recipIEnts
,@subject = @in_subject
,@type = @in_type
,