Can "SQL Injection Attack" happen to Microsoft Access 2000?

12 replies

Last post May 06, 2006 07:27 AM by jeff@zina.com

  • Can "SQL Injection Attack" happen to Microsoft Access 2000?

    May 04, 2006 12:08 PM | aspnet127

    I have an ASP/VBScript login page with Access 2000 as the backend. I read several articles about the SQL Injection Attack on SQL Server, but none of them talked about anything specific to Access. I found that using "--" or ";" cannot inject SQL into my login processing code, but I cannot rule out all the possibilities. Can "SQL Injection Attack" happen to Microsoft Access 2000? Thanks.
  • Re: Can "SQL Injection Attack" happen to Microsoft Access 2000?

    May 04, 2006 02:31 PM | wwwcoder

    A SQL injection attack can happen whether the database is SQL Server, Access, Oracle, MySQL, or whatever. The idea behind this type of attack is when you use SQL strings within your code like:

    myVar = txtValue.Text

    mySQL = "SELECT * FROM MyTable WHERE FieldName = '" & myVar & "'"

    This string is then passed to your backend database regardless of the vendor or type, if the attacker enters valid SQL code into your string. This occurs when you allow data to be entered directly by the user, as in the example above, where we have a textbox and the attacker then enters some SQL code. This is then passed in the code-behind to your database. As you can see, it doesn't matter if the database is SQL Server, Access or whatever; it is still passing the string to your database. In addition, this type of attack is not only independent of the database, but it is also independent of the code being used. This attack can occur using ASP.NET, ASP classic, PHP, or anywhere you're passing SQL strings to a backend database.

  • Re: Can "SQL Injection Attack" happen to Microsoft Access 2000?

    May 04, 2006 03:11 PM | aspnet127

    Thanks for the reply. I followed the example code in this link to try to attack myself.

    http://www.sitepoint.com/article/sql-injection-attacks-safe

    But, for example, I used the correct Login ID and password with     ' or 1=1 --

    It is unable to log in to my account. This makes me think that Access does not treat words after "--" as comments. Am I right? So what would be the "--" equivalent symbol to mark comments in Access SQL?

  • Re: Can "SQL Injection Attack" happen to Microsoft Access 2000?

    May 04, 2006 04:10 PM | jeff@zina.com

    That's correct; Access has different syntax on some items. But SQL Injection can still occur. Parameterized queries are probably the best solution, or in Access a saved parameter query. Googling "Bob Barrows saved parameter query" will get you all kinds of links. Bob is a Microsoft MVP who is very fluent in Access and a great resource for stopping injection attacks in Access.

    Jeff

    Have you Binged a solution before posting?
  • Re: Can "SQL Injection Attack" happen to Microsoft Access 2000?

    May 04, 2006 04:11 PM | wwwcoder

    That really doesn't mean anything. It could mean you're trapping single quotes in the code and doubling up on them. It has nothing to do with Access; it has to do with how your code is handling the single quotes in the code-behind. It may be that your code is using parameterized queries or whatever. Without seeing the code, I don't know. You're using one example of SQL injection pulled from an article. SQL injection is more than just that. They could enter just ' or '1'='1 without the "--", and the statement would evaluate to true in Access.

    Here's an example of some Access SQL Injection where you could actually shell out to the command line:

    SHELL("cmd.exe /c dir > c:\test.txt")

    All it takes is a knowledge of the underlying database language, and you can basically do anything you want.
  • Re: Can "SQL Injection Attack" happen to Microsoft Access 2000?

    May 04, 2006 04:12 PM | jeff@zina.com

    Oh, and as an afterthought, you should always use parameterized SQL or saved parameter queries/stored procedures in your code. At the least you can improve data integrity when you only allow data you want in, and at its best you prevent the majority of common attacks.

    Jeff

    Have you Binged a solution before posting?
  • Re: Can "SQL Injection Attack" happen to Microsoft Access 2000?

    May 04, 2006 04:38 PM | aspnet127

    My SQL statement is just like that shown in the article. I tried other examples in the article and they passed as well. No injection occurs. My app is a Classic ASP / VBScript application. There is no code-behind (.NET thing) involved, and Access doesn't support stored procedures. To be on the safer side, let me check out Bob's resource to see if I can use parameterized SQL with VBScript. I will be back.
  • Re: Can "SQL Injection Attack" happen to Microsoft Access 2000?

    May 04, 2006 06:02 PM | tomkmvp

    aspnet127 wrote:

    ... and Access doesn't support stored procedures.

    Not literally, but you can use stored queries ...
    http://www.aspfaq.com/show.asp?id=2214

  • Re: Can "SQL Injection Attack" happen to Microsoft Access 2000?

    May 05, 2006 03:23 PM | aspnet127

    I followed the Bob Barrows' code sample in the following link.

    http://www.codecomments.com/archive288-2005-3-435418.html

    My parameterized query now works like this.

      ' Fixed SQL text: each ? is a placeholder that ADO fills from the parameter array
      sSQL = "SELECT * FROM user WHERE Login_ID = ? AND Pass_Code = ?"
      ' Values are supplied in the same order as the ? placeholders
      arParms = Array("111", "aaa")

      Set conn = CreateObject("ADODB.Connection")
      conn.Open myConnectionString
      Set cmd = CreateObject("ADODB.Command")
      cmd.CommandText = sSQL
      Set cmd.ActiveConnection = conn
      ' First argument (RecordsAffected) is omitted; the second carries the parameter values
      Set RecordSet1 = cmd.Execute(, arParms)

    Now, the code works and I am able to log in. But, I am still not sure if Access will convert the parameters into text and make up an ad hoc query to execute. In other words, I don't know what the difference is at run time between an ad hoc query and a parameterized query. Will my parameterized query shown above guarantee the prevention of a SQL injection attack? Thanks.

  • Re: Can "SQL Injection Attack" happen to Microsoft Access 2000?

    May 05, 2006 03:35 PM | jeff@zina.com

    There are no guarantees in life, but you should be more secure.

    Jeff

    Have you Binged a solution before posting?
  • Re: Can "SQL Injection Attack" happen to Microsoft Access 2000?

    May 05, 2006 06:13 PM | aspnet127

    I think I am trying to understand why using parameters will make it safer. If the password parameter "?" were replaced with injected text such as " 'or 1=1-- " at run time by ADO, it should execute the SQL just like an ad hoc text query, and the attack should still occur. I guess I am trying to know what ADO will do differently when it is a parameterized query as compared with the case of an ad hoc text query.
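    The runtime difference asked about here, and the string-concatenation pattern wwwcoder described earlier in the thread, can be observed directly. The following is an added example, not code from this thread or from any of its posters: it uses Python's built-in sqlite3 module in place of Access/Jet so that it runs with no ODBC driver, and the user rows are constructed sample data. The mechanism it shows is the database-independent one wwwcoder describes: with concatenation the typed value becomes part of the statement text the engine parses; with parameters the statement text is fixed before any value is seen and the value is bound as data, so it can never change the query's shape. One engine difference is noted in a comment: SQLite treats "--" as a comment while Jet does not, which is why the "--" payload failed in the test described above but the ' OR '1'='1 form needs no comment marker at all.

```python
import sqlite3

# Constructed sample rows standing in for the thread's Access "user" table.
SAMPLE_USERS = [("111", "aaa"), ("222", "bbb"), ("admin", "s3cret")]


def make_db():
    """Build an in-memory database holding the constructed user rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (Login_ID TEXT, Pass_Code TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_concat(conn, login_id, pass_code):
    """Ad hoc query built by string concatenation, like the ASP snippet upthread.
    Whatever the user typed is spliced into the SQL text that the engine parses."""
    sql = ("SELECT * FROM user WHERE Login_ID = '" + login_id
           + "' AND Pass_Code = '" + pass_code + "'")
    return conn.execute(sql).fetchall()


def login_escaped(conn, login_id, pass_code):
    """Concatenation plus the quote-doubling wwwcoder mentions. Each single quote
    in the input becomes two, so the value cannot close the string literal."""
    def esc(s):
        return s.replace("'", "''")
    sql = ("SELECT * FROM user WHERE Login_ID = '" + esc(login_id)
           + "' AND Pass_Code = '" + esc(pass_code) + "'")
    return conn.execute(sql).fetchall()


def login_param(conn, login_id, pass_code):
    """Parameterized query: the SQL text is fixed, the values are bound separately
    (the same idea as the ADODB.Command with ? placeholders shown above)."""
    sql = "SELECT * FROM user WHERE Login_ID = ? AND Pass_Code = ?"
    return conn.execute(sql, (login_id, pass_code)).fetchall()


def demo():
    """Run the three login styles against a correct password and two payloads
    from the thread, and return the row lists each one produced."""
    conn = make_db()
    tautology = "' OR '1'='1"   # no comment marker needed, works in Jet and SQLite
    dashes = "' or 1=1 --"      # SQLite honours the -- comment; Jet does not
    return {
        "concat_good": login_concat(conn, "111", "aaa"),
        "concat_tautology": login_concat(conn, "111", tautology),
        "concat_dashes": login_concat(conn, "111", dashes),
        "escaped_tautology": login_escaped(conn, "111", tautology),
        "param_good": login_param(conn, "111", "aaa"),
        "param_tautology": login_param(conn, "111", tautology),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:18s} -> {len(rows)} row(s): {rows}")
```

    With concatenation the tautology turns the WHERE clause into (Login_ID = '111' AND Pass_Code = '') OR '1'='1', which matches every row; the parameterized form compares Pass_Code against the literal string ' OR '1'='1 and matches nothing, and the quote-doubling variant does the same. The parameter is never pasted back into the SQL text, which is the answer to the question above: ADO (and the engine behind it) keeps statement and data on separate paths.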
  • Re: Can "SQL Injection Attack" happen to Microsoft Access 2000?

    May 06, 2006 07:18 AM | gbarnett

    Would URL mapping of some kind not help prevent SQL injections? I know it's not that good a fix, but you would at least conceal your actions to a point when using URL variables as parameters in SQL queries.
  • Re: Can "SQL Injection Attack" happen to Microsoft Access 2000?

    May 06, 2006 07:27 AM | jeff@zina.com

    URL mapping won't make a difference. HTMLEncoding anything you insert into the database would, escaping characters would, parameterized queries and stored procedures would. Using a less privileged account for DB access would. Removing stored procedures that would allow command access would. But focusing simply on SQL injection won't help you anyway. The number of sites hacked through SQL injection techniques is minimal compared to every other attack out there.

    Jeff

    Have you Binged a solution before posting?