Bytes IT Community

SQL Injection Attack Discussion

Expert 100+
P: 1,287
Since we're talking about filters, make sure you also use a filter for semicolons (at the minimum) on any input that is going directly into an SQL statement to prevent your entire database from being deleted.
See SQL Injection Attack.

Admin Edit.
This discussion was split off from the original thread, which can be found at Force .DefaultValue to be a string.
Jun 4 '09 #1
16 Replies


NeoPa
Expert Mod 15k+
P: 31,707
I see you're developing mind-reading abilities too now Chip.

I was thinking about bringing that into the thread. Now you've found the link I will add it to my frequently used list. This is certainly something that bears repeating.
Jun 4 '09 #2

FishVal
Expert 2.5K+
P: 2,653
@ChipR
Did anybody perform it successfully in Access?
Jun 4 '09 #3

NeoPa
Expert Mod 15k+
P: 31,707
@FishVal
Are you asking if it's possible to hack into an Access database, or whether anyone has managed to protect an Access database using the techniques suggested?

PS. I will move this to a new thread to avoid swamping the original with this (quite important) discussion.
Jun 4 '09 #4

NeoPa
Expert Mod 15k+
P: 31,707
@FishVal
I've done some checking (assuming you're asking if it's possible to hack in that way) and it appears that Access's syntax checking seems to block any attempts I try, but remember this is most often used via a web interface. In that case (using an Access database simply as a Back-End), it is very likely possible as the syntax checking would not be active.
Jun 4 '09 #5

FishVal
Expert 2.5K+
P: 2,653
I have a strong feeling that Access back-end cannot execute multiple SQL commands.

P.S. Human beings have many problems that other animals don't have, but at least tail curvature by no means threatens us. :D
Jun 4 '09 #6

NeoPa
Expert Mod 15k+
P: 31,707
@FishVal
It wouldn't need to necessarily (although you may well be right).

If some Access SQL were looking for a matching name in an authority table with :
  SELECT 9 AS [AuthLevel]
  FROM [tblSecurity]
  WHERE [Password]='%ValueHere%'
Assume now that the value entered (to replace %ValueHere%) were :
  ' OR 'A'='A
The real life code would be a little more complicated, but this illustrates the point succinctly I feel.
Jun 4 '09 #7

NeoPa
Expert Mod 15k+
P: 31,707
@FishVal
At the time humans were losing their tails into those vestigial stubs we now have, do you think they weren't worried?!!?
Jun 4 '09 #8

NeoPa
Expert Mod 15k+
P: 31,707
OK. I managed to break into a very basic system.

Assume a table :
Table=[tblSecurity]
  AuthID    AutoNumber  (PK)
  AuthName  Text        (Account name)
  AuthPW    Text        (password)
  AuthCode  Numeric     (payload)
Data is as follows :
  AuthID  AuthName  AuthPW    AuthCode
    1     NeoPa     Ooops       90
    2     Admin     Secret      99
    3     Other     LowLevel     1
Next I ran some code in the immediate window to simulate checking a name and password passed via InputBox() :
  strN=InputBox("Enter Name:") : _
  strP=InputBox("Enter PW:") : _
  ?DLookup("[AuthCode]", _
           "[tblSecurity]", _
           "[AuthName]='" & strN & "' AND " & _
           "[AuthPW]='" & strP & "'")
The data I entered for strN & strP were as follows :
  Admin
  ' OR 'A'='A
The result, of course, was 99. A full break-in at the highest authority level.
Jun 4 '09 #9

FishVal
Expert 2.5K+
P: 2,653
At the time humans were losing their tails into those vestigial stubs we now have, do you think they weren't worried?!!?
Doctors say - there is much stuff in human body which could and should be cut out. Medical purveyed humor ... I hope.
Jun 4 '09 #10

NeoPa
Expert Mod 15k+
P: 31,707
@FishVal
You'll never hear more dodgy or worrying humour than from doctors (unless it's from soldiers of course).
Jun 4 '09 #11

FishVal
Expert 2.5K+
P: 2,653
@NeoPa
Definitely makes sense.

A way to prevent such an attack could be pre-evaluation of the entered criteria with some dummy value which will never occur in the table.

  If Eval("'<impossible password>'='" & strP) Then MsgBox "Cheater, run up and kill yourself against wall"
Jun 4 '09 #12

FishVal
Expert 2.5K+
P: 2,653
@FishVal
Well. A good example of how one can outsmart himself.
Actually, it is sufficient to replace text delimiters in user input.
...With doubled delimiters for example.
Jun 5 '09 #13

NeoPa
Expert Mod 15k+
P: 31,707
@FishVal
And so we come back full-circle.

The linked article includes a paragraph :
@Frinavale
This assumes quotes of any kind are not acceptable in the string, but doubling them instead allows them in safely.

See Force .DefaultValue to be a string (Post #13) for the code for such a solution.
Jun 5 '09 #14
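The following is an added example and not code from the thread. It re-creates post #9's check (criteria built by string concatenation, which lets the entered password text become part of the SQL) beside the delimiter-doubling fix that posts #13 and #14 settle on, plus a parameterised query as the general form of the same fix. An in-memory SQLite table stands in for the Access table [tblSecurity]; the rows are the ones from post #9 with one constructed extra row ("O'Brien" / "it's") so a legitimate apostrophe can be exercised. It assumes, as the thread does, that Jet SQL accepts a doubled single quote inside a string literal; the parameterised variant uses sqlite3 placeholders, which Access would do with a parameterised QueryDef rather than DLookup. Each lookup returns every AuthCode the criteria match, so a criteria string that matches the whole table is obvious (the injected text turns the WHERE clause into `... AND AuthPW='' OR 'A'='A'`, and since AND binds tighter than OR, the OR branch is true for every row).

```python
import sqlite3

# Constructed stand-in for the Access table [tblSecurity] from post #9.
# The fourth row is an addition here (not in the thread) so that a legitimate
# value containing an apostrophe can be exercised.
ROWS = [
    (1, "NeoPa",   "Ooops",    90),
    (2, "Admin",   "Secret",   99),
    (3, "Other",   "LowLevel",  1),
    (4, "O'Brien", "it's",      5),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE tblSecurity ("
        "AuthID INTEGER PRIMARY KEY, AuthName TEXT, AuthPW TEXT, AuthCode INTEGER)"
    )
    con.executemany("INSERT INTO tblSecurity VALUES (?, ?, ?, ?)", ROWS)
    return con


def _codes(con, sql, params=()):
    """Run the query and return every matched AuthCode, sorted, so that a
    criteria string which matches the whole table is plainly visible."""
    return sorted(row[0] for row in con.execute(sql, params))


def lookup_vulnerable(con, name, pw):
    """The concatenated criteria from post #9: the user's text becomes SQL."""
    sql = (
        "SELECT AuthCode FROM tblSecurity WHERE AuthName='" + name
        + "' AND AuthPW='" + pw + "'"
    )
    return _codes(con, sql)


def escape_delim(value):
    """Double every single-quote text delimiter, as posts #13 and #14 suggest,
    so that an apostrophe in the input stays inside the string literal."""
    return value.replace("'", "''")


def lookup_doubled(con, name, pw):
    """Same concatenation, but each value passes through escape_delim first."""
    sql = (
        "SELECT AuthCode FROM tblSecurity WHERE AuthName='" + escape_delim(name)
        + "' AND AuthPW='" + escape_delim(pw) + "'"
    )
    return _codes(con, sql)


def lookup_parameterized(con, name, pw):
    """Placeholders: the driver keeps data and SQL text apart, so no escaping
    is needed. This is the general fix; in Access it would be a parameterised
    QueryDef rather than a DLookup criteria string (assumption, see lead-in)."""
    sql = "SELECT AuthCode FROM tblSecurity WHERE AuthName=? AND AuthPW=?"
    return _codes(con, sql, (name, pw))


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 'A'='A"          # the value typed as the password in post #9
    print("vulnerable   :", lookup_vulnerable(db, "Admin", payload))    # every row
    print("doubled      :", lookup_doubled(db, "Admin", payload))       # no row
    print("parameterized:", lookup_parameterized(db, "Admin", payload))  # no row
    print("real login   :", lookup_doubled(db, "O'Brien", "it's"))      # [5]
```

The doubled and parameterised lookups both reject the injected password while still matching a genuine password that contains an apostrophe; that is the point post #14 makes about doubling allowing quotes in safely rather than simply banning them.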

P: 33
This article is incorrect. SQL doesn't stand for "Structured Query Language". Its official name is Database Language SQL. SQL isn't an acronym. See page XV of SQL by Chris Fehily (ISBN 0321334175).

-Kyle
Jun 5 '09 #15

Expert 100+
P: 1,287
Off topic AND wrong.
Donald D. Chamberlin and Raymond F. Boyce of IBM subsequently created the Structured English Query Language (SEQUEL) to manipulate and manage data stored in System R. The acronym SEQUEL was later changed to SQL because "SEQUEL" was a trademark of the UK-based Hawker Siddeley aircraft company.
Jun 5 '09 #16

P: 33
@ChipR
My apologies. I didn't realize I had migrated away from the article. I guess Chris Fehily is on his own with his claim. Every other SQL book I read agrees with you.

-Kyle
Jun 5 '09 #17
