VB.NET Winforms, how to Obfuscate SQL Server Query Code?

Using VB.NET Strong Typed Datasets and/or standard SQL Server Code, is there a way to obfuscate the query so that a SQL statement with multiple table Joins is obfuscated from anyone with access to the SQL Server (reviewing transaction logs, analyzer, etc.)?

1) Assume that the VB.Net Winforms only has access read-only access to the tables (no stored procedure, no "views" access)
2) No LINQ to SQL (too difficult with LEFT/RIGHT joins, and and multiple JOINS)

Essentially, I would like to hide how the tables are joined together, as it has taken a while to get this right.
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Dirk StraussSenior Full Stack DeveloperCommented:
Have you considered SQL Server Encryption?
You can use encryption in SQL Server for connections, data, and stored procedures.
eeyoAuthor Commented:
Yes, but unfortunately the requirement are that the Winform only has read-only access, i.e. can't modify the database (including setting up encryption)
Dirk StraussSenior Full Stack DeveloperCommented:
Seeing as this is a Winforms app, I would say create parametized stored procs in a DLL and obfuscate the DLL... but the actual query might still pop up in SQL analyzer. So I'm not really sure. Exactly who are you hiding the SQL query text from, and if they can view logs and analyze the SQL server, should you be trying to hide this info from them to begin with? If the server is locked down, then I would look into adding specific permissions to the SQL users to disallow certain actions in the server.

As a developer, your domain is the code and to a certain degree, the database. Does it really matter if the SQL Stored Procedure text is visible in a log file or SQL analyser? As long as sensitive data (the information stored inside the tables) isn't visible over the wire, from a security perspective, you're good.
Éric MoreauSenior .Net ConsultantCommented:
If your SQL server is on-premise, don't spend your time doing that. anybody with a profiler will be able to get your query!

If you are using a remote infrastructure, you can have the data in the cloud somewhere and the client could use services to query data. But expect performance issues if you have a lot of data to carry over the network/Internet.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
eeyoAuthor Commented:
Just to summarize (for anyone else who looks at this):  If you are looking to hide your "secret sauce" of how you wrote your SQL query, it looks like there isn't an easy way to obfuscate the SQL code that is sent to the server from anyone with sa access to the server.  You could go more complicated and pull the table data into your .NET winform (or other application) and painfully churn through your own code ...
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Visual Basic.NET

From novice to tech pro — start learning today.