Yes ... it's called SQL Injection.
I've never been able to get it to work, but I understand it's possible.
Let's say you had a search form with a LastName field for users to
enter text for the search. The embedded SQL might look like this:

    strSQL = "SELECT * FROM MyTable WHERE LastName ='" & _
             Request("txtLastNameSearch") & "';"

If you enter "Smyth" as the last name, the SQL evaluates to this ...

    SELECT * FROM MyTable WHERE LastName ='Smyth';

However, if someone enters this ... "(DELETE FROM MyTable)"

    SELECT * FROM MyTable WHERE LastName ='(DELETE FROM MyTable)';

No, that doesn't work, does it? No, I can't get SQL Injection to work
against my embedded SQL, but I understand it's possible. I'd love to see
a working example, but a search of Google on SQL Injection only
warned against it. Never did find a working example.
--
Danny J. Lesandrini
dl*********@hotmail.com http://amazecreations.com/datafast
<st******@gmail.com> wrote ...
Hi all,
I wondered if anyone knew if it was possible to delete entries in an MS
Access database table from just entering data into it?
I shall explain:
If you have a web form (in asp.net for example) where you can enter
details into the Access DB like "firstname", and "biography" etc, is it
possible to enter a certain string in this web form which could delete
entries in that table?
Many thanks.
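
Added example, not part of the original post or the question it quotes: it compares the string-concatenated query from the reply with a parameterized query on the same inputs. Assumptions: Python's sqlite3 with an in-memory table stands in for the Access database and ASP page, the sample rows are constructed, and the function names are hypothetical.

```python
import sqlite3

def make_db():
    # Constructed sample data; SQLite stands in for the Access table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE MyTable (LastName TEXT)")
    conn.executemany("INSERT INTO MyTable VALUES (?)",
                     [("Smyth",), ("O'Brien",), ("Jones",)])
    return conn

def build_concatenated(last_name):
    # Same construction as strSQL in the post: input is pasted into the SQL text.
    return "SELECT * FROM MyTable WHERE LastName ='" + last_name + "';"

def search_concatenated(conn, last_name):
    # Returns (rows, None) on success or (None, error name) if the
    # statement no longer parses once the input is spliced in.
    try:
        return conn.execute(build_concatenated(last_name)).fetchall(), None
    except sqlite3.Error as exc:
        return None, type(exc).__name__

def search_parameterized(conn, last_name):
    # The statement text is fixed; the input travels separately as a value.
    return conn.execute("SELECT * FROM MyTable WHERE LastName = ?",
                        (last_name,)).fetchall()

def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM MyTable").fetchone()[0]

if __name__ == "__main__":
    conn = make_db()
    for name in ["Smyth", "(DELETE FROM MyTable)", "O'Brien"]:
        print(repr(name))
        print("  concatenated :", search_concatenated(conn, name))
        print("  parameterized:", search_parameterized(conn, name))
    print("rows still in MyTable:", row_count(conn))
```

An ordinary surname containing an apostrophe is enough to make the concatenated statement fail to parse, which shows the input is being read as SQL text; the parameterized query returns the matching row and treats all three inputs as plain values.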