DOWNLOAD THE CODE:
Download the Code 41845.zip

Secrets are always intriguing, and programming back doors—secret entrances into application code—are no different. I'm covering T-SQL back doors lately for several reasons. First, programmers frequently use undocumented features, which you need to be familiar with in case you need to maintain code written by others. Second, some of the undocumented features are useful, and SQL Server might fully support them someday. And third, of course, the subject is exciting. In "T-SQL Back Doors" (February 2004, InstantDoc ID 41044), I started the discussion by looking at back doors related to stored procedures. This month, I continue the subject by delving into back doors involving user-defined functions (UDFs). I must stress again that these undocumented features are unsupported, so I don't recommend using them. Microsoft might change the functionality of undocumented features in future releases of SQL Server or even in a service pack. Let's start with the first UDF back door—creating your own special UDFs.

Special UDFs
Stored procedures whose names are prefixed with sp_ have a supported special functionality: They exist only in the master database, but you can invoke them from any database without prefixing their names with master. Microsoft introduced UDFs in SQL Server 2000 but didn't provide UDF support for this special functionality. Programmers certainly need such functionality, especially for functions that don't access objects in a specific database but instead implement some generic algorithm. One example of a useful generic scalar UDF (a UDF that returns a single value) is a function that removes all occurrences of a certain pattern from a character string. An example of a useful generic table-valued UDF (a UDF that returns a table) is a function that returns a table containing a requested number of consecutive integers. (This UDF is an alternative for a permanent auxiliary table of numbers, which I've used in many previous articles.)

The SQL Server installation program creates several UDFs that feature the special functionality. For example, the scalar function fn_serverid() returns from the sysservers system table the ID for a server name you provide to the function as an argument:

SELECT fn_serverid(server_name)

Besides being able to invoke this system-supplied function from any database without prefixing its name with master, you don't even need to specify the owner, unlike with regular scalar UDFs. For example, you use the following code to execute the table-valued function fn_helpcollations(), which returns a table containing all collation names and their descriptions:

SELECT * FROM ::fn_helpcollations()

Note that to invoke a special table-valued UDF, you must prefix its name with double colons.

   Prev. page   [1] 2 3     next page



You must log on before posting a comment.

If you don't have a username & password, please register now.

Reader Comments

nice one, it must be traducted to an other language like frensh, dautch,...

brik- March 25, 2004

Fantastic! This article helps me tremendously in my DBA and Developer job. Thank you. David

David Nguyen- March 26, 2004

>OPENQUERY() is allowed within a UDF, and because SQL >Server doesn't examine the character string you provided >to the function as an argument, you can use OPENQUERY() to modify data on the linked server. >>You can even refer to your local server as a linked server by turning on the Data Access server option:

Hi. BOL says "Loopback linked servers cannot be used in a distributed transaction." So in this case we can't use UDF's with OPENROWSET inside explicit transaction. But very often we have to do this And it's the bad news :(

GloryEE- March 29, 2004

Thanks to Ben and all those others who delve inside SQL Server to retrieve these nuggets for us.

Si- April 02, 2004

Hi,

This article has been so useful in knowing of the special UDF's and there backdoor in doing DML operations. However this article should have even focussed on the execution of system stored procedures like sp_help, sp_helpdb. Are this special kind of stored procs the same way as special UDF's that can be executed from across databases. If so could you please send me those articles to my emailid mentioned.

Thanks a lot, Sreevani

sreevani- April 12, 2004

The article is realy nice BUT it left me with one opened question. You wrote that there is no way to use the system_function_schema user as the owner of a function and that you investigating the installation script files and dicovered that you need to turn on the allow updates server configuration option to get permission to do so. As far as I know the allow updates server configuration option allows direct changes to system tables so why does it make the option to create functions with system_function_schema allowed, it's not a direct syste, table change (or maybe it is)??

Thanks, Ahuva

yaffa@random-logic.com- December 21, 2005

Article Rating 4 out of 5

Perfect! Just what I was searching for! One possible correction though. You suggest turning on the Data Access server option as follows:

EXEC sp_server option [server_name], 'Data Access', true

I could not get this to work and, on a hunch, rephrased it to:

EXEC sp_serveroption [server_name], 'Data Access', true

...with much better results!

[Itzik: Yes, you are right. It should be sp_serveroption and not sp_server option. Thanks!]

ksbrownjr- June 23, 2008

Article Rating 5 out of 5