
I'm currently building a system with Ms Access. Since it's important to avoid SQL injection, I want to use parameters as in VB.NET too, but I wonder whether that is possible or not. If so, I would appreciate it if you could show me at least the SQL statement that inserts data from controls into the database using parameters, and if it can't be done, would anyone show me the other ways?

I would appreciate any recommendation, thanks..

Tepken Vannkorn
    Have you read this post of mine: http://stackoverflow.com/questions/512174/non-web-sql-injection/522382#522382 -- it considers the subject of SQL Injection within Access. VB.NET is not going to be the same, but SQL Injection is generally a web issue, not one that you worry about with a non-web application. – David-W-Fenton Jul 20 '11 at 22:41
  • Even with web, it is not possible with JET to my knowledge. The problem is the JET (or now ACE) data engine cannot execute multiple SQL statements, and thus SQL injection in terms of having a statement be run without this being the intention of the developer IS NOT possible. And I am NOT aware as a result of ANY EXISTING proof of concept or sample in this regard. As noted here you can write code that accepts parameters, but it's not going to help you prevent SQL injection since it's not possible to do when using JET anyway. – Albert D. Kallal Jul 22 '11 at 02:01
    Access' database engine is not vulnerable to an injection which attempts to run an additional statement. However something like WHERE text_field = '" & some_text & "'" is vulnerable to an injection using " ' OR '1' ='1" as some_text. – HansUp Jul 22 '11 at 17:39
  • I suppose that could be considered an injection. Even a LIKE parameter would accept an * as a parameter for all records, and this would not behave differently than a WHERE clause. So, your example does not show you can run SQL statements. However, fair is fair - your example does stand up at least as a proof of concept in terms of an injection - well done! – Albert D. Kallal Jul 22 '11 at 18:49
    Of course, that's SQL injection, Albert. What if @HansUp's example is used for a username/password? The result would be that your security would be wide open. All tutorials on SQL injection give this kind of exploit as an example. Did you read my post on Access-specific SQL injection? If not, you should read that whole discussion so you're better informed in the future. – David-W-Fenton Jul 22 '11 at 22:44

1 Answer


This INSERT statement declares a Date/Time PARAMETER using a text box "txtStartDate" on an open form named "frmDatePicker", and inserts that value into MyTable.

PARAMETERS [Forms]![frmDatePicker]![txtStartDate] DateTime;
INSERT INTO MyTable ( date_field )
VALUES ([Forms]![frmDatePicker]![txtStartDate]);
HansUp
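The question asks for the VB.NET side of the same idea, and HansUp's comment shows why string concatenation matters even when the engine cannot chain statements. The following is an added example, not code from the question or the answer: it binds values with OleDbCommand parameters (the equivalent of the PARAMETERS clause above) for the INSERT into MyTable, and puts the concatenated WHERE clause from the comments next to its parameterized form. The connection string path, the ACE provider version and the Users table with a user_name column are assumptions made for the example.

```vbnet
Imports System.Data.OleDb

Module AccessParameterExample

    ' Assumed connection string: the database path is a placeholder,
    ' and the provider name assumes the ACE engine is installed.
    Private Const ConnStr As String =
        "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\path\to\MyDatabase.accdb"

    ' Inserts a Date/Time value into MyTable.date_field through a bound parameter.
    ' This is the VB.NET counterpart of the PARAMETERS ... DateTime declaration:
    ' the value travels to the engine as typed data, never as part of the SQL text.
    Public Function InsertStartDate(startDate As Date) As Integer
        Using conn As New OleDbConnection(ConnStr)
            Using cmd As New OleDbCommand(
                    "INSERT INTO MyTable (date_field) VALUES (?)", conn)
                ' The OLE DB provider for Access binds parameters by position,
                ' so the order of Parameters.Add calls must follow the ? markers.
                cmd.Parameters.Add("@date_field", OleDbType.Date).Value = startDate
                conn.Open()
                Return cmd.ExecuteNonQuery()   ' number of rows inserted
            End Using
        End Using
    End Function

    ' The shape HansUp describes: the user-supplied text becomes SQL syntax.
    ' With  ' OR '1'='1  as userName the WHERE clause is true for every row,
    ' which is exactly the "wide open" login check David-W-Fenton warns about.
    ' Kept only for contrast; do not use this form.
    Public Function BuildConcatenatedQuery(userName As String) As String
        Return "SELECT COUNT(*) FROM Users WHERE user_name = '" & userName & "'"
    End Function

    ' Hardened form: the same lookup with the value bound as a parameter.
    ' Quotes, OR, wildcards or anything else in userName are compared literally
    ' against the column; the SQL text the engine parses never changes.
    Public Function CountUsersParameterized(userName As String) As Integer
        Using conn As New OleDbConnection(ConnStr)
            Using cmd As New OleDbCommand(
                    "SELECT COUNT(*) FROM Users WHERE user_name = ?", conn)
                cmd.Parameters.Add("@user_name", OleDbType.VarWChar, 255).Value = userName
                conn.Open()
                Return CInt(cmd.ExecuteScalar())
            End Using
        End Using
    End Function

    Sub Main()
        ' Constructed sample input (assumed table layout).
        Console.WriteLine(BuildConcatenatedQuery("' OR '1'='1"))
        ' -> the printed statement shows the altered WHERE clause
        Console.WriteLine(InsertStartDate(Date.Today))
        Console.WriteLine(CountUsersParameterized("' OR '1'='1"))
        ' -> counts only rows whose user_name is literally that string
    End Sub

End Module
```

Typing the parameter (OleDbType.Date, OleDbType.VarWChar) matters with Access: a Date/Time column receives a real date rather than a string the engine has to interpret, which mirrors the explicit DateTime type in the PARAMETERS declaration of the answer.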