Remove password node from XML

Question

question

Andomar asked Nov 22, '13

Remove password node from XML

Our database contains logging of XML SOAP messages. The XML contains passwords, like: secret For troubleshooting, we'd like to offer a list of messages. However the password should be filtered out. Is there a way in SQL Server to query XML messages while removing all elements called "password" (preferably regardless of namespace.)

t-sql xml

7

10 |1200

Attachments: Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Kev Riley ♦♦ commented · Nov 22, 2013 at 11:55 AM

To clarify, you want to store the XML unchanged? But remove the password element in querying? Or not store the password element?

0 ·

Andomar commented · Nov 22, 2013 at 12:24 PM

@KevRiley: Storage should remain unchanged, I'd like to remove the password element in querying.

0 ·

Kev Riley ♦♦ commented · Nov 22, 2013 at 01:13 PM

Querying by application, or casual querying by a user using SSMS?

0 ·

Andomar commented · Nov 22, 2013 at 01:19 PM

@KevRiley: By application (we'll have control over the SQL)

0 ·

Kev Riley ♦♦ commented · Nov 22, 2013 at 01:26 PM

In that case why not have the application handle the requirement? (just asking)

0 ·

Andomar commented · Nov 22, 2013 at 02:21 PM

@KevRiley: The application is controlled by other people. They'll read a view/sp from our database.

0 ·

Kev Riley ♦♦ commented · Nov 22, 2013 at 02:25 PM

Fair enough, just thought I'd ask

0 ·

Answer 1 · 2013-11-22T20:00:19Z

Pavel Pawlowski answered Nov 22, '13

The easiest way would be by using XSLT, unfortunately XSLT is not supported in T-SQL XML. But with multiple steps during querying, if the password node is always under specific node location, you can achieve this by using the [**`delete (XML DML)][1]. Lets say, first you retrieve the XML from table into a @xml variable. Then you invoke the **1`delete (XML DML)`** on the variable and finally return the modified XML. Something like the sample below: declare @xml xml --SELECT @xml = xmlField FROM yourTable WHERE .... --Use sample data instead of real one SET @xml = N' secret ' --Modify the XML stored in the @xml varible - remove the node. --If the node doesn't exists, then nothing happens and original xml is returned SET @xml.modify('declare namespace soapenv=" http://www.w3.org/2003/05/soap-envelope"; declare namespace wsse=" http://www.w3.org/2003/05/soap-security"; delete /soapenv:Envelope/soapenv:Header/wsse:Security/wsse:UsernameToken/wsse:Password') SELECT @xml [1]: http://technet.microsoft.com/en-us/library/ms190254.aspx

2

10 |1200

Attachments: Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Andomar commented · Nov 23, 2013 at 04:54 PM

Thanks, it's about 10-30 messages per query, but I could pump them through a temporary table. "delete //*:Password" seems to remove all password elements regardless of namespace.

0 ·

Pavel Pawlowski commented · Nov 23, 2013 at 05:10 PM

Yeah, it depends on your scenario. As you have mentioned, multiple can be passed through temp table and the individual deletion depends on your concrete XML. This was a sample how to achieve tis. Good, that it helped.

0 ·

Answer 2 · 2013-11-22T12:25:16Z

Andomar answered Nov 22, '13

One simple way I've found is to strip out the SOAP header: select scl.Request.query('(//*:Body)[1]') from dbo.LoggingTable However, that would not filter out password elements from the body of the message.

10 |1200

Attachments: Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

question