Re: Database Security

From: Bob Barrows [MVP] (reb01501_at_NOyahoo.SPAMcom)
Date: 08/10/04


Date: Mon, 9 Aug 2004 22:01:01 -0400

Chris Hohmann wrote:
> "Bob Barrows [MVP]" <reb01501@NOyahoo.SPAMcom> wrote in message
> news:Oksl32lfEHA.3916@TK2MSFTNGP11.phx.gbl...
>> Maybe you are talking about SQL Injection, to which Access isn't
>> really vulnerable, but, look at this:
>>
>>
>> http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23
>> http://www.nextgenss.com/papers/advanced_sql_injection.pdf
>> http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf
>
> Color me confused. I was operating under the impression that Access
> was vulnerable to SQL injection. Can you elaborate?

SQL Injection works due to SQL Server's ability to use comment characters in
T-SQL statements, execute multiple batched statements, and use system and
external stored procedures to perform activities outside of the database.

Access
1. has no comment characters that can be used in SQL statements
2. does not have the ability to batch statements, i.e., run multiple SQL
statements in a single command
3. does not allow user-defined VBA functions to be called in sql statements
executed from external applications.

The most a hacker can do is cause unwanted data to be added to your
database, but normal validation code will prevent most of that.

However, don't take the lack of susceptibility to SQL Injection as an
endorsement for the use of Access databases in web applications. The very
features that cause SQL Server (and other server-based databases) to be
vulnerable to SQL Injection are the features that make it a better choice
for a backend database for web applications.

If the developer never uses dynamic SQL, his applications will not be
vulnerable to SQL Injection, and his web applications will be easier to code
(since delimiter problems will disappear).

Bob Barrows

-- 
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM" 
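As an added illustration of the last point in the post (this is not code from Bob's message): the same lookup written in classic ASP two ways, first as dynamic SQL built by concatenation, then with an ADODB.Command parameter so the value is never part of the statement text. The connection string strConn and the Users(Username, FullName) table are assumed for the example.

```vbscript
Option Explicit
' Added example, not from the original post. strConn and the Users table are hypothetical.

' Dynamic SQL: the input is spliced into the statement text, so every apostrophe
' in userName has to be doubled by hand and a stray quote still breaks the query
' (the delimiter problem the post mentions).
Function LookupUser_Dynamic(conn, userName)
    Dim rs, sql
    sql = "SELECT FullName FROM Users WHERE Username = '" & userName & "'"
    Set rs = conn.Execute(sql)
    If rs.EOF Then LookupUser_Dynamic = "" Else LookupUser_Dynamic = rs("FullName")
    rs.Close
End Function

' Parameterised form: a ? marker in the text and the value supplied separately.
' The provider never parses userName as SQL, so no quoting is needed and the
' same code works against the Jet/Access OLE DB provider and against SQL Server.
Function LookupUser_Param(conn, userName)
    Dim cmd, rs
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = 1          ' adCmdText
    cmd.CommandText = "SELECT FullName FROM Users WHERE Username = ?"
    ' CreateParameter(name, type, direction, size, value):
    ' 202 = adVarWChar, 1 = adParamInput, 50 = column width assumed here
    cmd.Parameters.Append cmd.CreateParameter("@u", 202, 1, 50, userName)
    Set rs = cmd.Execute
    If rs.EOF Then LookupUser_Param = "" Else LookupUser_Param = rs("FullName")
    rs.Close
End Function

Dim conn
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open strConn
' Encode on output as well; the parameter only protects the database layer.
Response.Write Server.HTMLEncode(LookupUser_Param(conn, Request.Form("username")))
conn.Close
```

Input validation still belongs in front of either function; the parameter removes the quoting problem, not the need to check that the value makes sense.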

