  1. #1 Super Moderator

    Re: Prevent SQL Injection attacks (Any/All)

    Quoting jscher2000: "Here's what I don't know: are native applications (whether Access or VB) equally subject to the dangers of SQL Injection? Your thoughts are requested."
    If by that you mean can a SQL database be hacked using SQL injection, the answer is yes. The technique was originally discovered where users were coming in as a guest account - the database had not been properly secured. I don't believe SQL injection is effective with Access running on a workstation, but I don't know about situations where the Jet engine is used by a web page. Anyone else have an opinion?
    Wendell

  2. #2 jscher2000 (Super Moderator)

    Re: Prevent SQL Injection attacks (Any/All)

    ASP/ADO is the classic scenario for an attack, so web authors definitely need to take care. What I don't know is whether, for example, our VB-based timekeeping application, which has a query form, could be attacked in the same manner. (It uses an Access95 MDB to store various files.) Validation, validation, validation!

  3. #3 jscher2000 (Super Moderator)

    Prevent SQL Injection attacks (Any/All)

    (Edited by jscher2000 on 27-Aug-04 22:17. Updated link, the article is now available online.) Anyone here do web database development? If you have not previously worried about SQL injection attacks, thinking them too obscure or too hard to understand, you should read the article "Stop SQL Injection Attacks Before They Stop You" in the September 2004 issue of MSDN Magazine. Paul Litwin gives simple but very disturbing examples of how unexpected user-supplied parameters can reveal way more information than you (or I) ever thought possible. Needless to say I'll be testing my intranet application after hours...

    Here's what I don't know: are native applications (whether Access or VB) equally subject to the dangers of SQL Injection? Your thoughts are requested.
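The pattern the thread is discussing, as an added example that is not code from any of the posts or from the MSDN article: a query form that pastes user text into a SQL string (the classic ASP/ADO scenario from post #2) next to the same query with a bound parameter and an allow-list check. Python's sqlite3 module and an in-memory SQLite database stand in for ADO and an Access MDB; the table names, rows and attack strings are all constructed for the demonstration.

```python
import re
import sqlite3

# Added example, not code from the thread. SQLite stands in for the Jet/Access
# back end and sqlite3 for ADO; every table, row and payload below is constructed.


def build_db():
    """Constructed sample data: a timekeeping table plus a table the query form
    was never meant to expose."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE timesheet(id INTEGER PRIMARY KEY, employee TEXT, hours REAL);
        CREATE TABLE users(name TEXT, password TEXT);
        INSERT INTO timesheet(employee, hours) VALUES ('alice', 8), ('bob', 6.5);
        INSERT INTO users(name, password) VALUES ('admin', 'hunter2');
    """)
    return conn


def lookup_vulnerable(conn, employee):
    """The classic ASP/ADO pattern: the user's text is concatenated into the SQL
    string, so whatever the user types becomes part of the statement."""
    sql = "SELECT employee, hours FROM timesheet WHERE employee = '" + employee + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, employee):
    """Same query with a bound parameter (ADO: Command.Parameters; here the
    sqlite3 '?' placeholder). The text is sent as data and never parsed as SQL."""
    sql = "SELECT employee, hours FROM timesheet WHERE employee = ?"
    return conn.execute(sql, (employee,)).fetchall()


# Allow-list for the form field: letters, digits or underscore, 1 to 32 chars.
EMPLOYEE_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def is_valid_employee(value):
    """Input validation by allow-list: quotes, spaces and punctuation are rejected
    before any SQL is built, which is the 'validation' post #2 calls for."""
    return EMPLOYEE_RE.fullmatch(value) is not None


# Two constructed attack strings typed into the employee field.
# The tautology needs no comment syntax, so it should also work against Jet SQL
# (which, as far as I know, has no '--' comment). The UNION payload uses '--' to
# discard the trailing quote and would need adjusting for Jet.
TAUTOLOGY = "' OR '1'='1"
UNION_DUMP = "x' UNION SELECT name, password FROM users --"


if __name__ == "__main__":
    conn = build_db()
    print("vulnerable, normal input:  ", lookup_vulnerable(conn, "alice"))
    print("vulnerable, tautology:     ", lookup_vulnerable(conn, TAUTOLOGY))
    print("vulnerable, UNION dump:    ", lookup_vulnerable(conn, UNION_DUMP))
    print("parameterized, UNION dump: ", lookup_parameterized(conn, UNION_DUMP))
    print("validation rejects payload:", not is_valid_employee(UNION_DUMP))
```

Run it and the concatenated version returns every timesheet row for the tautology and the admin password for the UNION string, while the parameterized version returns nothing for either because the whole string is matched literally as an employee name. Note that nothing in the vulnerable function depends on a web server: the same concatenation in a VB form or an Access query string built in VBA is just as exposed, which bears on the question of whether native applications are at risk. Parameterized queries (or, failing that, a strict allow-list) are the fix regardless of front end.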
