SQL Injection on MS Access LogIn


Problem description


I am using an MS Access form with the below VBA code for my startup page, where the user enters a username and password; if it's ok, he is forwarded to a dashboard page with relevant content. I was checking to see if the code is SQL injection proof, and to my horror, it proceeded to log in without a single problem! Could anyone please assist me in hardening the code to prevent a SQL injection attack?

Dim hook As String, SQLCheckUser As String
Dim rst As DAO.Recordset

If (Me.UserNameTextBox <> "" And Me.passwordtextbox <> "") Then
    hook = """"
    'The text typed into the two boxes is concatenated straight into the SQL string;
    'this is the point where user input can change the meaning of the query.
    SQLCheckUser = ""
    SQLCheckUser = SQLCheckUser & " SELECT Id, UserName, UserCode FROM UserTable"
    SQLCheckUser = SQLCheckUser & " WHERE UserName = " & hook & Me.UserNameTextBox.Value & hook
    SQLCheckUser = SQLCheckUser & " AND UserPassword = " & hook & Me.passwordtextbox.Value & hook
    SQLCheckUser = SQLCheckUser & " AND IsInactive=0"

    'Create RecordSet
    Set rst = CurrentDb.OpenRecordset(SQLCheckUser)

    'Go to the last record so RecordCount is accurate, then back to the first
    '(MoveLast/MoveFirst raise an error on an empty recordset, so guard them)
    If Not rst.EOF Then
        rst.MoveLast
        rst.MoveFirst
    End If

    If rst.RecordCount <> 1 Then
        MsgBox "Error 2: Please recheck your login details" 'Error 2: cannot find the user, or too many users
        rst.Close
    Else
        'Good LogIn, load the values of the record from rst
        ID = rst.Fields("Id")
        UserName = rst.Fields("UserName")
        UserCode = rst.Fields("UserCode")
        IsLoggedIn = True
        rst.Close

        DoCmd.Close
        DoCmd.OpenForm "Dashboard"
    End If
Else
    MsgBox "Please recheck your login details" 'Either UserName or Password has not been entered
End If

Recommended answer


Parameterized queries are used to protect against SQL injection vulnerabilities. In your case you would use something like this:

Dim qdf As DAO.QueryDef
Dim rst As DAO.Recordset

'A temporary (unnamed) QueryDef whose PARAMETERS clause declares the two inputs;
'the values are bound separately from the SQL text instead of being concatenated into it.
Set qdf = CurrentDb.CreateQueryDef("", _
        "PARAMETERS prmUserName TEXT(255), prmUserPassword TEXT(255);" & _
        "SELECT Id, UserName, UserCode FROM UserTable" & _
        " WHERE UserName = [prmUserName] AND UserPassword = [prmUserPassword] AND IsInactive=0")
qdf!prmUserName = Me.UserNameTextBox.Value
qdf!prmUserPassword = Me.passwordtextbox.Value
Set rst = qdf.OpenRecordset
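A complete login routine built on the answer's parameterized QueryDef, as an added example that is not part of the original question or answer. It assumes the same UserTable columns (Id, UserName, UserCode, UserPassword, IsInactive), the same form control names and the module-level IsLoggedIn flag as the question; the names TryLogin and LoginButton_Click are assumptions. It also handles the empty-result case that the question's unguarded MoveLast/MoveFirst would trip on, so a wrong username yields the error message rather than a runtime error.

```vba
' Added example (not from the original question or answer). Assumes the question's
' UserTable, the form controls UserNameTextBox / passwordtextbox, and a Public
' IsLoggedIn As Boolean declared in a standard module, as the question's code implies.
Option Explicit

' Returns True when exactly one active user matches the supplied credentials.
' The inputs are bound as parameters, so a value containing quotes or SQL keywords
' is compared as data and can never alter the query text.
Public Function TryLogin(ByVal userName As String, ByVal password As String, _
                         ByRef outId As Long, ByRef outUserCode As String) As Boolean
    Dim db As DAO.Database
    Dim qdf As DAO.QueryDef
    Dim rst As DAO.Recordset

    TryLogin = False
    If Len(userName) = 0 Or Len(password) = 0 Then Exit Function

    Set db = CurrentDb
    ' Temporary (unnamed) QueryDef: PARAMETERS declares the inputs, and the engine
    ' binds the values separately from the SQL, so no quoting is ever needed.
    Set qdf = db.CreateQueryDef("", _
        "PARAMETERS prmUserName TEXT(255), prmUserPassword TEXT(255);" & _
        "SELECT Id, UserName, UserCode FROM UserTable" & _
        " WHERE UserName = [prmUserName] AND UserPassword = [prmUserPassword]" & _
        " AND IsInactive = 0")
    qdf.Parameters("prmUserName").Value = userName
    qdf.Parameters("prmUserPassword").Value = password

    Set rst = qdf.OpenRecordset(dbOpenSnapshot)
    ' Guard the empty case: MoveLast/MoveFirst raise an error on an empty recordset.
    If Not (rst.BOF And rst.EOF) Then
        rst.MoveLast                      ' makes RecordCount accurate
        If rst.RecordCount = 1 Then       ' exactly one active match, as the question requires
            rst.MoveFirst
            outId = rst!Id
            outUserCode = Nz(rst!UserCode, "")
            TryLogin = True
        End If
    End If
    rst.Close
    qdf.Close
End Function

' Click handler for the form's login button (button name is an assumption).
Private Sub LoginButton_Click()
    Dim userId As Long
    Dim userCode As String

    If TryLogin(Nz(Me.UserNameTextBox.Value, ""), Nz(Me.passwordtextbox.Value, ""), _
                userId, userCode) Then
        IsLoggedIn = True
        DoCmd.Close
        DoCmd.OpenForm "Dashboard"
    Else
        MsgBox "Please recheck your login details"
    End If
End Sub
```

The WHERE clause still compares UserPassword as plain text, exactly as both queries on this page do; the example changes only how the two values reach the SQL, which is the injection question being asked. Opening the recordset as a snapshot is enough here because the login only reads the row.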
