~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From: "Graphfixz" <[EMAIL PROTECTED]>
Subject: RE: SQL query


: if I am not mistaken doesn't 'SQL Injection' only work on SQL and not
: really a threat with Access?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Firstly, there are more DBMSes out there than just SQL Server and Access
(BTW, SQL is a language, not a DBMS). :-)

Secondly, the Jet OLEDB Provider doesn't support more than one query at a time,
which prevents appending extra INSERT queries to an existing query, BUT
there's more to SQL Injection than just appending extra queries:

You have something like:

' Vulnerable: the raw form fields are pasted straight into the SQL text
strSQL = _
    "SELECT UserID " & _
    "FROM Users " & _
    "WHERE UserName = '" & Request.Form("txtUserName") & "' " & _
    "AND UserPassword = '" & Request.Form("txtPassword") & "'"

and I put in:

' OR 1=1

for the username and password. Your SQL statement becomes:

SELECT UserID FROM Users WHERE UserName = '' OR 1=1 AND UserPassword = '' OR 1=1

which is always true, isn't it? Also, you need to be aware of the case where
users can select more data from the database than you want to give them.

Cheers
Ken

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From: "Graphfixz" <[EMAIL PROTECTED]>
Subject: RE: SQL query


: if I am not mistaken doesn't 'SQL Injection' only work on SQL and not
: really a threat with Access?
:
: -----Original Message-----
: From: Andrew Zetterman [mailto:AZetterman@;ACMCentral.com]
: Sent: Wednesday, November 06, 2002 7:44 AM
: To: ActiveServerPages
: Subject: RE: SQL query
:
:
: I posted the below answer...
:
: > strUser = Replace(strUser,"'","''")
: > sqlstmt = "SELECT * from tbluser WHERE User = '" & strUser & "'"
:
: Of course I didn't explain why...
:
: Andrew
:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


---
You are currently subscribed to activeserverpages as: [email protected]