
MS Access Forum / General 1 / January 2006


Deleting table entries from MS Access db from just an entry via web form

stokefan@gmail.com - 23 Jan 2006 15:05 GMT
Hi all,

I wondered if anyone knew if it was possible to delete entries in an MS
Access database table from just entering data into it?

I shall explain :

If you have a web form (in asp.net for example) where you can enter
details into the Access DB like "firstname", and "biography" etc, is it
possible to enter a certain string in this web form which could delete
entries in that table?

Many thanks.
Danny J. Lesandrini - 23 Jan 2006 15:15 GMT
Yes ... it's called SQL Injection.

I've never been able to get it to work, but I understand it's possible.

Let's say you had a search form with a LastName field for users to
enter text for the search.  The embedded SQL might look like this:

strSQL = "SELECT * FROM MyTable WHERE LastName ='" & _
              Request("txtLastNameSearch") & "';"

If you enter "Smyth" as the last name, the SQL evaluates to this ...
  SELECT * FROM MyTable WHERE LastName ='Smyth';

However, if someone enters this ...  "(DELETE FROM MyTable)"
  SELECT * FROM MyTable WHERE LastName ='(DELETE FROM MyTable)';

No, that doesn't work, does it?  No, I can't get SQL Injection to work
against my embedded SQL, but I understand it's possible.  I'd love to see
a working example, but a search of Google on SQL Injection only
warned against it.  Never did find a working example.

Danny J. Lesandrini
dlesandrini@hotmail.com
http://amazecreations.com/datafast

<stokefan@gmail.com> wrote  ...

> Hi all,
>
[quoted text clipped - 9 lines]
>
> Many thanks.
stokefan@gmail.com - 23 Jan 2006 15:17 GMT
Thanks Danny, that is great.

Do you know a simple method of securing against such a type of attack
on an Access database please?

Thanks.
Danny J. Lesandrini - 23 Jan 2006 15:25 GMT
Do a search for SQL Injection at Google Groups on ASP groups and
they'll tell you to move to Stored Procs instead of embedded SQL.

http://groups.google.com/groups?as_q=sql+injection&num=100&scoring=r&hl=en&as_epq=&as_oq=&as_eq=&as_ugroup=*asp*&as_usubject=&as_uauthors=&lr=&as_drrb=q&as_qdr=&as_mind=1&as_minm=1&as_miny=1981&as_maxd=23&as_maxm=1&as_maxy=2006&safe=off



Danny J. Lesandrini
dlesandrini@hotmail.com
http://amazecreations.com/datafast

<stokefan@gmail.com> wrote  ...

> Thanks Danny, that is great.
>
> Do you know a simple method of securing against such a type of attack
> on an Access database please?
>
> Thanks.
stokefan@gmail.com - 23 Jan 2006 15:27 GMT
Thanks very much for your help.
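
Added example, not part of the original thread or any poster's code: the thread's concatenated search query next to a parameterized one, run against three constructed inputs. It shows why the parenthesised string in the thread stays an ordinary text value, why a single apostrophe is enough to change the structure of the embedded statement, and how binding the value keeps statement and data separate, which is the same separation the stored-procedure advice relies on. Assumptions: Python with an in-memory SQLite table stands in for ASP and Access, and the helper names and sample rows are hypothetical.

```python
import sqlite3

def make_db():
    """Constructed sample table, named after the one in the thread."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE MyTable (LastName TEXT, Biography TEXT)")
    db.executemany(
        "INSERT INTO MyTable VALUES (?, ?)",
        [("Smyth", "bio 1"), ("O'Brien", "bio 2"),
         ("(DELETE FROM MyTable)", "bio 3")],
    )
    return db

def build_concatenated(last_name):
    # Same construction as the strSQL line in the thread: the form value
    # is pasted between two quote characters.
    return "SELECT * FROM MyTable WHERE LastName ='" + last_name + "';"

def search_concatenated(db, last_name):
    """Embedded SQL. Returns (rows, error_text)."""
    try:
        return db.execute(build_concatenated(last_name)).fetchall(), None
    except sqlite3.Error as exc:
        return None, str(exc)

def search_parameterized(db, last_name):
    """Fixed statement text; the value is bound and never parsed as SQL."""
    sql = "SELECT * FROM MyTable WHERE LastName = ?"
    return db.execute(sql, (last_name,)).fetchall()

def row_count(db):
    return db.execute("SELECT COUNT(*) FROM MyTable").fetchone()[0]

if __name__ == "__main__":
    db = make_db()
    for value in ("Smyth", "(DELETE FROM MyTable)", "O'Brien"):
        print("input:        ", value)
        print("concatenated: ", build_concatenated(value))
        # The parenthesised text stays inside the quotes, so it is only a
        # string to compare against. The apostrophe ends the literal early,
        # so the text after it is parsed as SQL.
        print("  result:     ", search_concatenated(db, value))
        print("parameterized:", search_parameterized(db, value))
        print("rows in table:", row_count(db))
        print()
```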
 