SQL Injection on MS Access LogIn
Question
I am using a MS Access form with the below VBA code for my startup page, where the user enters a username and password; if it's OK, he is forwarded to a dashboard page with relevant content. I was checking to see if the code is SQL injection proof, and to my horror, it proceeded to log in without a single problem! Could anyone please assist me in hardening the code to prevent a SQL injection attack?
Dim rst As DAO.Recordset
Dim hook As String
Dim SQLCheckUser As String

If (Me.UserNameTextBox <> "" And Me.passwordtextbox <> "") Then
    hook = """"   'a double-quote character, used as the string delimiter in the SQL
    'The values typed into the form are concatenated straight into the SQL text
    SQLCheckUser = ""
    SQLCheckUser = SQLCheckUser & " SELECT Id, UserName, UserCode FROM UserTable"
    SQLCheckUser = SQLCheckUser & " WHERE UserName = " & hook & Me.UserNameTextBox.Value & hook
    SQLCheckUser = SQLCheckUser & " AND UserPassword = " & hook & Me.passwordtextbox.Value & hook
    SQLCheckUser = SQLCheckUser & " AND IsInactive=0"
    'Create RecordSet
    Set rst = CurrentDb.OpenRecordset(SQLCheckUser)
    'Fetch all rows so RecordCount is accurate (MoveLast raises an error on an empty recordset)
    If Not rst.EOF Then
        rst.MoveLast
        rst.MoveFirst
    End If
    If rst.RecordCount <> 1 Then
        MsgBox "Error 2: Please recheck your login details" 'Error 2: can't find the user, or too many users
        rst.Close
    Else
        'Good LogIn, load the values of the record from rst
        ID = rst.Fields("Id")
        UserName = rst.Fields("UserName")
        UserCode = rst.Fields("UserCode")
        IsLoggedIn = True
        rst.Close
        DoCmd.Close
        DoCmd.OpenForm "Dashboard"
    End If
Else
    MsgBox "Please recheck your login details" 'Either UserName or Password has not been entered
End If
Recommended answer
Parameterized queries are used to protect against SQL injection vulnerabilities. In your case you would use something like this:
Dim qdf As DAO.QueryDef
Dim rst As DAO.Recordset

'Temporary (unnamed) QueryDef whose SQL declares two parameters; the form input
'is bound to those parameters and never becomes part of the SQL text
Set qdf = CurrentDb.CreateQueryDef("", _
    "PARAMETERS prmUserName TEXT(255), prmUserPassword TEXT(255);" & _
    "SELECT Id, UserName, UserCode FROM UserTable" & _
    " WHERE UserName = [prmUserName] AND UserPassword = [prmUserPassword] AND IsInactive=0")
qdf!prmUserName = Me.UserNameTextBox.Value
qdf!prmUserPassword = Me.passwordtextbox.Value
Set rst = qdf.OpenRecordset
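The following is an added example, not code from the question or the answer above: it turns the answer's parameterized QueryDef into a complete login check that also handles the empty-result case the original MoveLast/MoveFirst sequence trips over. It assumes the same UserTable columns (Id, UserName, UserCode, UserPassword, IsInactive) and the same form controls (UserNameTextBox, passwordtextbox) as the question; CheckLogin, LoginButton_Click and the IsLoggedIn flag are hypothetical names chosen for the example.

```vba
' Added example built on the accepted answer's parameterized DAO QueryDef.
' Assumes UserTable(Id, UserName, UserCode, UserPassword, IsInactive) and the
' form controls UserNameTextBox / passwordtextbox from the question.
Option Compare Database
Option Explicit

' In the question this is a global flag; declared here so the module compiles on its own.
Public IsLoggedIn As Boolean

' Returns True and fills the ByRef arguments when exactly one active user matches.
' The user-supplied values never become part of the SQL text: they are bound to the
' PARAMETERS declared in the query, so quotes or SQL keywords typed into the form are
' compared as plain text instead of being parsed as part of the statement.
Public Function CheckLogin(ByVal userName As String, ByVal userPassword As String, _
                           ByRef outId As Long, ByRef outUserCode As String) As Boolean
    Dim qdf As DAO.QueryDef
    Dim rst As DAO.Recordset

    CheckLogin = False
    If Len(userName) = 0 Or Len(userPassword) = 0 Then Exit Function

    ' Temporary (unnamed) QueryDef: the SQL text is constant, only the parameter values vary.
    Set qdf = CurrentDb.CreateQueryDef("", _
        "PARAMETERS prmUserName TEXT(255), prmUserPassword TEXT(255); " & _
        "SELECT Id, UserName, UserCode FROM UserTable " & _
        "WHERE UserName = [prmUserName] AND UserPassword = [prmUserPassword] " & _
        "AND IsInactive = 0")
    qdf.Parameters("prmUserName").Value = userName
    qdf.Parameters("prmUserPassword").Value = userPassword

    Set rst = qdf.OpenRecordset(dbOpenSnapshot)
    If Not rst.EOF Then
        ' RecordCount is only reliable once the whole result has been fetched;
        ' MoveLast is guarded by the EOF check so an empty result does not raise an error.
        rst.MoveLast
        If rst.RecordCount = 1 Then
            rst.MoveFirst
            outId = rst!Id
            outUserCode = Nz(rst!UserCode, "")
            CheckLogin = True
        End If
    End If
    rst.Close
    qdf.Close
End Function

' Form-side caller: mirrors the original button handler but delegates the lookup.
Private Sub LoginButton_Click()
    Dim userId As Long
    Dim userCode As String

    If CheckLogin(Nz(Me.UserNameTextBox.Value, ""), Nz(Me.passwordtextbox.Value, ""), _
                  userId, userCode) Then
        IsLoggedIn = True
        DoCmd.Close
        DoCmd.OpenForm "Dashboard"
    Else
        ' One message for both "no match" and "more than one match", so the prompt
        ' does not reveal whether the username exists.
        MsgBox "Please recheck your login details"
    End If
End Sub
```

Like the question and the answer, this compares UserPassword exactly as it is stored; parameterization removes the injection, not the weakness of keeping passwords in clear text in the table.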