VB.NET Winforms, how to Obfuscate SQL Server Query Code?

Using VB.NET Strong Typed Datasets and/or standard SQL Server Code, is there a way to obfuscate the query so that a SQL statement with multiple table Joins is obfuscated from anyone with access to the SQL Server (reviewing transaction logs, analyzer, etc.)?

1) Assume that the VB.Net Winforms only has read-only access to the tables (no stored procedure, no "views" access)
2) No LINQ to SQL (too difficult with LEFT/RIGHT joins, and multiple JOINs)

Essentially, I would like to hide how the tables are joined together, as it has taken a while to get this right.
eeyo Asked:
 
Éric Moreau, Senior .Net Consultant, Commented:
If your SQL server is on-premise, don't spend your time doing that. Anybody with a profiler will be able to get your query!

If you are using a remote infrastructure, you can have the data in the cloud somewhere and the client could use services to query data. But expect performance issues if you have a lot of data to carry over the network/Internet.
 
Dirk Strauss, Senior Full Stack Developer, Commented:
Have you considered SQL Server Encryption?
You can use encryption in SQL Server for connections, data, and stored procedures.
 
eeyo (Author) Commented:
Yes, but unfortunately the requirements are that the Winform only has read-only access, i.e. can't modify the database (including setting up encryption).
 
Dirk Strauss, Senior Full Stack Developer, Commented:
Seeing as this is a Winforms app, I would say create parameterized stored procs in a DLL and obfuscate the DLL... but the actual query might still pop up in SQL analyzer. So I'm not really sure. Exactly who are you hiding the SQL query text from, and if they can view logs and analyze the SQL server, should you be trying to hide this info from them to begin with? If the server is locked down, then I would look into adding specific permissions to the SQL users to disallow certain actions in the server.

As a developer, your domain is the code and to a certain degree, the database. Does it really matter if the SQL Stored Procedure text is visible in a log file or SQL analyser? As long as sensitive data (the information stored inside the tables) isn't visible over the wire, from a security perspective, you're good.
 
eeyo (Author) Commented:
Just to summarize (for anyone else who looks at this):  If you are looking to hide your "secret sauce" of how you wrote your SQL query, it looks like there isn't an easy way to obfuscate the SQL code that is sent to the server from anyone with sa access to the server.  You could go more complicated and pull the table data into your .NET winform (or other application) and painfully churn through your own code ...
Question has a verified solution.
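
Why client-side obfuscation does not help here, as an added example that is not part of any post in this thread: whatever the Winforms app does to its own code, the server receives the statement as plain text, and a login with VIEW SERVER STATE (which sa has implicitly) can read it back from the plan cache without running a profiler trace. The `%JOIN%` filter is an assumption chosen to match the multi-join queries discussed above.

```sql
-- Added example: list recently executed statements that contain a JOIN,
-- as the server itself recorded them in the plan cache.
-- Requires VIEW SERVER STATE on the instance.
SELECT TOP (20)
    qs.last_execution_time,
    qs.execution_count,
    DB_NAME(st.dbid) AS database_name,   -- may be NULL for ad hoc statements
    -- Offsets are in bytes of Unicode text, hence the division by 2.
    SUBSTRING(st.text,
              (qs.statement_start_offset / 2) + 1,
              ((CASE qs.statement_end_offset
                    WHEN -1 THEN DATALENGTH(st.text)   -- -1 means "to end of batch"
                    ELSE qs.statement_end_offset
                END - qs.statement_start_offset) / 2) + 1) AS statement_text
FROM sys.dm_exec_query_stats AS qs
CROSS APPLY sys.dm_exec_sql_text(qs.sql_handle) AS st
WHERE st.text LIKE N'%JOIN%'
  AND st.text NOT LIKE N'%dm_exec_query_stats%'   -- skip this diagnostic query itself
ORDER BY qs.last_execution_time DESC;
```

Statements sent by a typed DataSet's TableAdapter appear here exactly as the server parsed them, table names and join conditions included.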