IIS 5 & IIS 6
Can "SQL Injection Attack" happen to Microsoft Access 2000?
Last post May 06, 2006 07:27 AM by firstname.lastname@example.org
May 04, 2006 12:08 PM|aspnet127|LINK
May 04, 2006 02:31 PM|wwwcoder|LINK
A SQL injection attack can happen whether the database is SQL, Access, Oracle, MySQL, or whatever. The idea behind this type of attack is when you use SQL strings within your code like:
' Vulnerable pattern: the textbox value is concatenated straight into the SQL text
myVar = txtValue.Text
mySQL = "SELECT * FROM MyTable WHERE FieldName = '" & myVar & "'"
This string is then passed to your backend database regardless of the vendor or type; the attack occurs if the attacker enters valid SQL code into your string. This happens when you allow data to be entered directly by the user, as in the example above where we have a textbox and the attacker then enters some SQL code. This is then passed in the code-behind to your database. As you can see, it doesn't matter if the database is SQL, Access or whatever, it is still passing the string to your database. In addition, this type of attack is not only independent of the database, but it is also independent of the code being used. This attack can occur using ASP.NET, ASP classic, PHP, or anywhere you're passing SQL strings to a backend database.
May 04, 2006 03:11 PM|aspnet127|LINK
Thanks for the reply. I followed the example code in this link to try to attack myself.
But, for example, I used a correct Login ID and password with
' or 1=1 --
It is unable to log in to my account. This makes me think that Access does not treat words after "--" as comments. Am I right? So what would be the "--" equivalent symbol to mark comments in Access SQL?
May 04, 2006 04:10 PM|email@example.com|LINK
That's correct, Access has different syntax on some items. But SQL Injection can still occur. Parameterized queries are probably the best solution, or in Access a saved parameter query. Googling "Bob Barrows saved parameter query" will get you all kinds of links. Bob is a Microsoft MVP who is very fluent in Access and a great resource for stopping injection attacks in Access.
May 04, 2006 04:11 PM|wwwcoder|LINK
May 04, 2006 04:12 PM|firstname.lastname@example.org|LINK
Oh, and as an afterthought, you should always use parameterized SQL or saved parameter queries/stored procedures in your code. At the least you can improve data integrity when you only allow data you want in, and at its best you prevent the majority of
May 04, 2006 04:38 PM|aspnet127|LINK
May 04, 2006 06:02 PM|tomkmvp|LINK
... and Access doesn't support stored procedures.
Not literally, but you can use stored queries ...
May 05, 2006 03:23 PM|aspnet127|LINK
I followed Bob Barrows' code sample in the following link.
My parameterized query now works like this.
sSQL = "SELECT * FROM user WHERE Login_ID = ? and Pass_Code = ?"
Set conn = CreateObject("ADODB.Connection")
conn.Open sConnString   ' sConnString, sLoginID and sPassCode are set earlier in the page
Set cmd = CreateObject("ADODB.Command")
cmd.CommandText = sSQL : Set cmd.ActiveConnection = conn
Set RecordSet1 = cmd.Execute( , Array(sLoginID, sPassCode))
Now, the code works and I am able to log in. But, I am still not sure if Access will convert the parameters into text and make up an ad hoc query to execute. In other words, I don't know what the difference is at run time between an ad hoc query and a parameterized query. Will my parameterized query shown above guarantee the prevention of a SQL injection attack? Thanks.
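The run-time difference asked about above, as an added example that is not part of this thread: the concatenated query and the '?' parameterized query from the post are run side by side against a constructed in-memory SQLite table standing in for the Access "user" table (SQLite is used only because it ships with Python and binds '?' placeholders like ADO does; table and row contents are constructed). Note that SQLite, unlike Access, does treat "--" as a comment, so the concatenated form matches every row here where it failed against Access in the test above; the parameterized form behaves the same on both engines because the input never becomes part of the SQL text.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the thread's Access "user" table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (Login_ID TEXT, Pass_Code TEXT)")
    conn.execute("INSERT INTO user VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_adhoc(conn, login_id, pass_code):
    """The concatenated ('ad hoc') form: user input becomes SQL text."""
    sql = ("SELECT * FROM user WHERE Login_ID = '" + login_id
           + "' and Pass_Code = '" + pass_code + "'")
    return conn.execute(sql).fetchall()


def login_parameterized(conn, login_id, pass_code):
    """The '?' form from the post: the statement is fixed before the
    values are supplied, so a value can only ever be compared, not parsed."""
    sql = "SELECT * FROM user WHERE Login_ID = ? and Pass_Code = ?"
    return conn.execute(sql, (login_id, pass_code)).fetchall()


def compare(login_id, pass_code):
    """Run both forms on the same input and return (adhoc_rows, param_rows).

    A syntax error in the ad hoc form is returned as a string so the
    caller can see that the engine tried to parse the input as SQL."""
    conn = make_db()
    try:
        adhoc = login_adhoc(conn, login_id, pass_code)
    except sqlite3.Error as exc:
        adhoc = "SQL error: %s" % exc
    params = login_parameterized(conn, login_id, pass_code)
    conn.close()
    return adhoc, params


if __name__ == "__main__":
    print(compare("alice", "s3cret"))        # both forms find the row
    print(compare("' or 1=1 --", "x"))       # only the ad hoc form does
```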
May 05, 2006 03:35 PM|email@example.com|LINK
There are no guarantees in life, but you should be more secure.
May 05, 2006 06:13 PM|aspnet127|LINK
May 06, 2006 07:18 AM|gbarnett|LINK
May 06, 2006 07:27 AM|firstname.lastname@example.org|LINK
URL mapping won't make a difference. HTMLEncoding anything you insert into the database would, escaping characters would, parameterized queries and stored procedures would. Using a less privileged account for DB access would. Removing stored procedures that would allow command access would. But focusing simply on SQL injection won't help you anyway. The number of sites hacked through SQL injection techniques is minimal compared to every other attack out there.