---

的用户有权限通过SQL Mail使用SQL Server的文件吗？SQL Mail和 SQL代理帐号一样运行在相同安全条件下。默认情况下，SQL代理运行在本地系统帐号下。如果用户能存取SQL Server数据库里的系统扩展存储过程xp_sendmail,那么就会有安全漏洞了。

通过给系统扩展存储过程xp_sendmail附加参数，用户就可以获得存取服务器上的文件的权限。通过一个方法你就可以保护xp_sendmail：把它封装倒一个存储过程中去，使附加参数非public。许可受这个存储过程的保护，把许可从xp_sendmail中取消。
下面基本的工作模板，你用它就可以保护xp_sendmail：
[color=#FFFFFF'][/color]

use master
go
-- =============================================
-- Create procedure basic template
-- =============================================
-- creating the store procedure
IF EXISTS (SELECT name
FROM sysobjects
WHERE name = N'sp_sendmail'
AND type = 'P')
DROP PROCEDURE sp_sendmail
GO
CREATE PROCEDURE sp_sendmail
@in_recipients VARCHAR(8000) = '<default email address>'
,@in_message VARCHAR(8000)= 'test'
,@in_query VARCHAR(8000)= ''
,@in_copy_recipients VARCHAR(8000)= NULL
,@in_blind_copy_recipients VARCHAR(8000)= NULL
,@in_subject VARCHAR(80)= 'test'
,@in_type VARCHAR(80)= NULL
,@in_attach_results VARCHAR(80)= NULL
,@in_no_output VARCHAR(8)= NULL
,@in_no_header VARCHAR(8)= NULL
,@in_width INT = 10
,@in_separator VARCHAR(8)= NULL
,@in_echo_error VARCHAR(8000)= NULL
,@in_set_user VARCHAR(256) = NULL
,@in_dbuse VARCHAR(256) = NULL
AS
DECLARE @attachments VARCHAR(8000)
[color=#FFFFFF'][/color]

SET @in_recipients = '<default dba email address>;' @in_recipients
exec master..xp_sendmail
@recipients = @in_recipients
,@message = @in_message
,@query = @in_query
,@attachments = ' '
,@copy_recipients = @in_copy_recipients
,@blind_copy_recipients = @in_blind_copy_recipients
,@subject = @in_subject
,@type = @in_type
,@attach_results = @in_attach_results
,@no_output = @in_no_output
,@no_header = @in_no_header
,@width = @in_width
,@separator = @in_separator
,@echo_error = @in_echo_error
,@set_user = @in_set_user
,@dbuse = @in_dbuse
GO

-- example to execute the store procedure
EXECUTE sp_sendmail
GO

-- example to grant permissions to the store procedure
GRANT EXECUTE ON sp_sendmail TO public
GO
REVOKE EXECUTE ON xp_sendmail TO public
GO