471,580 Members | 1,639 Online
Bytes | Software Development & Data Engineering Community
Post +

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 471,580 software developers and data experts.

Deleting table entries from MS Access db from just an entry via web form

Hi all,

I wondered if anyone knew if it was possible to delete entries in an MS
Access database table from just entering data into it?

I shall explain :

If you have a web form (in asp.net for example) where you can enter
details into the Access DB like "firstname", and "biography" etc, is it
possible to enter a certain string in this web form which could delete
entries in that table?

Many thanks.

Jan 23 '06 #1
4 1633
Yes ... it's called SQL Injection.

I've never been able to get it to work, but I understand it's possible.

Let's say you had a search form with a LastName field for users to
enter text for the search. The embedded SQL might look like this:

strSQL = "SELECT * FROM MyTable WHERE LastName ='" & _
Request("txtLastNameSearch") & "';"

If you enter "Smyth" as the last name, the SQL evaluates to this ...
SELECT * FROM MyTable WHERE LastName ='Smyth';

However, if someone enters this ... "(DELETE FROM MyTable)"
SELECT * FROM MyTable WHERE LastName ='(DELETE FROM MyTable)';

No, that doesn't work, does it. No, I can't get SQL Injection to work
against my embedded sql, but I understand it's possible. I'd love to see
a working example, but a search of Google on SQL Injection only
warned against it. Never did find a working example.
--

Danny J. Lesandrini
dl*********@hotmail.com
http://amazecreations.com/datafast
<st******@gmail.com> wrote ...
Hi all,

I wondered if anyone knew if it was possible to delete entries in an MS
Access database table from just entering data into it?

I shall explain :

If you have a web form (in asp.net for example) where you can enter
details into the Access DB like "firstname", and "biography" etc, is it
possible to enter a certain string in this web form which could delete
entries in that table?

Many thanks.

Jan 23 '06 #2
Thanks Danny, that is great.

Do you know a simple method of securing against such a type of attack
on an Access database please?

Thanks.

Jan 23 '06 #3
Do a search for SQL Injection at Google Groups on ASP groups and
they'll tell you to move to Stored Procs instead of embedded SQL.

http://groups.google.com/groups?as_q...=2006&safe=off

--

Danny J. Lesandrini
dl*********@hotmail.com
http://amazecreations.com/datafast
<st******@gmail.com> wrote ...
Thanks Danny, that is great.

Do you know a simple method of securing against such a type of attack
on an Access database please?

Thanks.

Jan 23 '06 #4
Thanks very much for your help.

Jan 23 '06 #5

This discussion thread is closed

Replies have been disabled for this discussion.

Similar topics

3 posts views Thread by Nathan Bloom | last post: by
8 posts views Thread by kaosyeti | last post: by
21 posts views Thread by Johan Tibell | last post: by
3 posts views Thread by 66sprite | last post: by
reply views Thread by XIAOLAOHU | last post: by
reply views Thread by leo001 | last post: by
reply views Thread by lumer26 | last post: by
reply views Thread by Vinnie | last post: by
1 post views Thread by lumer26 | last post: by
reply views Thread by lumer26 | last post: by

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.