MS Access-防止在连接字符串中注入SQL [英] MS Access - prevent SQL injection in connection string

问题描述

我有一个Access数据库，该数据库必须以编程方式连接到Oracle以创建链接表.连接字符串的格式为:

I have an Access database that must connect to Oracle programmatically to create a linked table. The connection string is of the form:

ODBC;Driver={Microsoft ODBC for Oracle};Pwd=<Password>;UID=<User>;Server=<Server>

当前登录信息已硬编码.

Currently the login info is hardcoded.

我现在必须使该工具连接到不同的数据库.我只想让用户输入<User>，<Password>和<Server>，然后将它们全部连接成一个连接字符串即可.我非常确定这是SQL注入安全的方法，因为此时连接实际上并不存在，但是我不确定100％是否正确-这是一个有效的问题，如果是的话，我将如何清理这些输入(来自自由格式的文本字段)?

I now have to have the tool connect to different databases. I was going to simply let the user enter the <User>, <Password>, and <Server> and then just concatenate it all together into a single connection string. I'm pretty sure this is SQL Injection safe because the connection doesn't actually exist at this point, but I'm not 100% certain - is this a valid concernt, and if so how would I sanitize these inputs (which come from free-form text fields)?

推荐答案

您的担忧似乎是正确的，ADO.NET具有一组 MSDN参考

It appears that your concern is valid, as evidenced by the fact that ADO.NET has a set of Connection String Builder classes (though it's more accurate to call it "connection string injection" vs. "SQL injection" since there's no SQL involved). Since you're not using .NET, the next best option is input sanitization and escaping special characters. The MSDN reference on OLEDB connection string syntax states that:

要包含包含一个 分号，单引号字符或 双引号字符，该值必须 用双引号引起来.

To include values that contain a semicolon, single-quote character, or double-quote character, the value must be enclosed in double quotes.

和

如果值包含两个 单引号和双引号 字符，使用的引号字符 括起来的值必须加倍 每次出现在值内时.

If the value contains both single-quote and double-quote characters, the quote character used to enclose the value must be doubled each time it occurs within the value.

这是我整理的VBScript，它试图实现上述两个准则:

This is a VBScript I put together which attempts to implement the two guidelines above:

Option Explicit

Dim pw, connStr, conn

pw = InputBox("Enter password")

' Sanitize double quotes in the input string
pw = Replace(pw, Chr(34), Chr(34) & Chr(34))

' Notice how pw is surrounded by double quote characters
connStr = "Provider=SQLOLEDB;Data Source=.\SQLEXPRESS;User ID=test_user;Password=" & Chr(34) & pw & Chr(34)

' Test the connection.  We'll get a runtime error if it didn't work
Set conn = CreateObject("ADODB.Connection")
conn.Open connStr
conn.Close
WScript.Echo "OK!"

如果我的密码是app"le'\，则连接字符串将最终显示为:

If my password were app"le'\, the connection string would end up as:

Provider=SQLOLEDB;Data Source=.\SQLEXPRESS;User ID=test_user;Password="app""le'\"

但是，这不适用于所有可能的输入.例如，当密码在分号之前包含双引号时，测试脚本会给出错误消息.可能是我对准则的解释不正确.我不确定，但希望这至少可以帮助您入门.

However, this doesn't work for all possible inputs. For example, the test script gives an error when the password contains a double quote before a semicolon. It could be that I'm interpreting the guidelines incorrectly. I'm not sure, but hopefully, this at least gets you started.

这篇关于MS Access-防止在连接字符串中注入SQL的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！