Microsoft Access SQL Injection


Problem description

I need to fix some security issues in a non-IT app that we were assigned to maintain. It's in Microsoft Access front-end (SQL Server back-end).

Does anyone know if SQL Injection can be done via the RecordSource or RowSource property of Microsoft Access controls? For example, if I set a listbox's recordsource to

Me.SomeListBox.Recordsource = "SELECT * FROM SomeTable WHERE SomeField = '" & Me.txtSomeTextBox & "'"

I'm not sure if Microsoft has built in prevention or not for those properties so I'm wondering if I should be running that Me.txtSomeTextBox through a cleaning function.

This is of course a quick fix... the application is going to be redesigned and migrated out of Access (yay!) later this year.

Thanks in advance, everyone!

Recommended answer

If you're doing string concatenation, you're vulnerable.
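
The concatenated assignment from the question beside a parameterized alternative, as an added example that is not part of the original question or answer. It assumes the code lives in the form's module with a DAO reference available; the control, table and field names are the question's placeholders, and the procedure and parameter names are hypothetical.

```vba
' Added example (not from the original post). Control, table and field names
' are the question's placeholders; procedure and parameter names are
' hypothetical.
Option Compare Database
Option Explicit

' Pattern from the question: the text box value becomes part of the SQL
' text, so a quote character in the input changes the statement itself.
' (RowSource is the list box property that takes a SQL string.)
Private Sub LoadList_Concatenated()
    Me.SomeListBox.RowSource = _
        "SELECT * FROM SomeTable WHERE SomeField = '" & Me.txtSomeTextBox & "'"
End Sub

' Parameterized form: the SQL text is a constant and the value is bound
' through a DAO parameter, so the input is only ever treated as data.
Private Sub LoadList_Parameterized()
    Const SQL_TEXT As String = _
        "PARAMETERS pSomeValue Text(255); " & _
        "SELECT * FROM SomeTable WHERE SomeField = [pSomeValue];"
    Dim qdf As DAO.QueryDef
    Dim rs As DAO.Recordset

    ' An empty name creates a temporary QueryDef that is never saved.
    Set qdf = CurrentDb.CreateQueryDef("", SQL_TEXT)

    ' Nz turns an empty text box (Null) into a zero-length string.
    qdf.Parameters("pSomeValue").Value = Nz(Me.txtSomeTextBox.Value, "")

    ' A snapshot is enough for a read-only list.
    Set rs = qdf.OpenRecordset(dbOpenSnapshot)

    ' Bind the result set to the list box instead of assigning a SQL string.
    Set Me.SomeListBox.Recordset = rs

    Set qdf = Nothing
End Sub
```

Because `RowSource` and `RecordSource` only accept a SQL string, binding a recordset opened from a parameterized QueryDef is what keeps user input out of the statement text.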
