Re: sql injection with MS Access

From: Sverre H. Huseby (shhat_private)
Date: Wed Nov 28 2001 - 14:59:07 PST


    [helmut schmidt]
    
    |   In MSSQL I will terminate with -- but this does not work in MS
    |   Access. Can someone confirm that SQL injection is feasible with MS
    |   Access database and what is the correct comment character to use.
    
    I have no idea about the comment character(s) (if any) in Access, but
    I just want to point out that you can accomplish several things
    without commenting out parts of the SQL.  Example (using boolean
    operator priority rules) follows:
    
    Let's say the program contains the following SQL to do login of users
    (untested):
    
      "SELECT * FROM user WHERE name='" & name & "' AND pwd='" & pwd & "'"
    
    If you know there is a user "john" on the system, you could normally
    log in without a password using the following (no password):
    
      name:  john' --
      pwd:
    
    If you don't know the comment character(s), you can abuse the fact
    that boolean operators have priority rules that say that AND should be
    performed before OR.  Try the following (no password again):
    
      name:  john' OR 'a'='a
      pwd:
    
    The following would be sent to the database:
    
      SELECT * FROM user WHERE name='john' OR 'a'='a' AND pwd=''
                                     ---------------
    
    Now the database would perform the AND part first.  This part fails no
    matter what expression you insert, as the password does not match.
    That doesn't matter, as the only requirement for an OR to succeed is
    that at least one of the operands evaluates to TRUE.  The name part
    will be true for an existing user, and you have thus gained access
    without a password and without comment character(s).
    
    
    Sverre.
    
    -- 
    shhat_private			Play my free Nerd Quiz at
    http://shh.thathost.com/		http://nerdquiz.thathost.com/
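
The precedence argument above, run against an in-memory SQLite database as an added example (not part of the original post; SQLite stands in for Access, and the sample rows and function names are made up here). It shows the concatenated query grouping as name='john' OR ('a'='a' AND pwd=''), and the same input matching nothing once the values are bound as parameters.

```python
import sqlite3

def make_db():
    # Constructed sample rows; SQLite stands in for Access (assumption).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user (name TEXT, pwd TEXT)")
    db.executemany("INSERT INTO user VALUES (?, ?)",
                   [("john", "s3cret"), ("mary", "hunter2")])
    return db

def build_login_sql(name, pwd):
    # The concatenation from the post, kept vulnerable on purpose.
    return "SELECT * FROM user WHERE name='" + name + "' AND pwd='" + pwd + "'"

def login_concat(db, name, pwd):
    return db.execute(build_login_sql(name, pwd)).fetchall()

def login_param(db, name, pwd):
    # Hardened form: the values are bound and never parsed as SQL.
    return db.execute("SELECT * FROM user WHERE name=? AND pwd=?",
                      (name, pwd)).fetchall()

def names_where(db, clause):
    # clause is a fixed literal from this file, used to compare groupings.
    return [r[0] for r in db.execute("SELECT name FROM user WHERE " + clause)]

NAME, PWD = "john' OR 'a'='a", ""   # the inputs from the post

if __name__ == "__main__":
    db = make_db()
    print(build_login_sql(NAME, PWD))
    print("concatenated :", login_concat(db, NAME, PWD))
    print("AND first    :", names_where(db, "name='john' OR ('a'='a' AND pwd='')"))
    print("OR first     :", names_where(db, "(name='john' OR 'a'='a') AND pwd=''"))
    print("parameterized:", login_param(db, NAME, PWD))
    print("real login   :", login_param(db, "john", "s3cret"))
```

Only john's row comes back from the concatenated query, because the OR succeeds solely through the name match; the explicit "OR first" grouping returns no rows.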
    



    This archive was generated by hypermail 2b30 : Wed Nov 28 2001 - 15:48:18 PST