Yes ... it's called SQL Injection.
I've never been able to get it to work, but I understand it's possible.
Let's say you had a search form with a LastName field for users to
enter text for the search. The embedded SQL might look like this:
strSQL = "SELECT * FROM MyTable WHERE LastName ='" & _
Request("txtLastNameSearch") & "';"
If you enter "Smyth" as the last name, the SQL evaluates to this ...
SELECT * FROM MyTable WHERE LastName ='Smyth';
However, if someone enters this ... "(DELETE FROM MyTable)"
SELECT * FROM MyTable WHERE LastName ='(DELETE FROM MyTable)';
No, that doesn't work, does it. No, I can't get SQL Injection to work
against my embedded sql, but I understand it's possible. I'd love to see
a working example, but a search of Google on SQL Injection only
warned against it. Never did find a working example.
--
Danny J. Lesandrini
dlesandrini@hotmail.com http://amazecreations.com/datafast
<stokefan@gmail.com> wrote ...[color=blue]
> Hi all,
>
> I wondered if anyone knew if it was possible to delete entries in an MS
> Access database table from just entering data into it?
>
> I shall explain :
>
> If you have a web form (in asp.net for example) where you can enter
> details into the Access DB like "firstname", and "biography" etc, is it
> possible to enter a certain string in this web form which could delete
> entries in that table?
>
> Many thanks.
>[/color]
