Deleting stuff from MS Access db from an entry

Hi all,

I wondered if anyone knew if it was possible to delete entries in an MS Access database table from just entering data into it?

I shall explain:

If you have a web form (in asp.net for example) where you can enter details into the Access DB like "firstname", and "biography" etc, is it possible to enter a certain string in this web form which could delete entries in that table?

Many thanks.
 
Quite possibly, don't really want to go into the ins and outs on here, but depending on how the database and application are set up, it is. The term you may want to look for more info on is "SQL Injection".
 
Nope... Not unless the command you built up in the ASP was a DELETE command.

From what you are talking about, you would be using an INSERT command...

sfx
 
stokefan said:
roboffer - thanks, but why the bout of silence? Is it because it's "1337 h4xx0r" material?
Not really, I mean anyone can Google on it, it's just not something I want to post information on myself.

Suffice to say it is possible, especially with building SQL dynamically, and a darn good reason to take advantage of permissions, and procedures should the database provider support it.
 
stokefan said:
OK, well to cut a long story short, I need to make provisions to secure a database against such methods (:() so you advise just searching the net for enforcing stronger permissions etc
Really depends on how the site is set up, and what information is being used as parameters or return types.

eg If you are always returning data by specifying an id, cast the input straight away, which will throw an error if malicious data is found.

eg Check in the strings posted in for instances of update or delete using a common function (Obviously this could be valid depending on the scenario)

Google on SQL Injection and a lot of sites will go through how to prevent it by showing examples.
 
stokefan said:
What do you mean by this sorry?
eg. This thread.

The ID on the querystring is used to look up the database id for this particular thread. The developer knows that all the page is interested in is that ID, so it could be taken from the querystring and cast to an int. If there's an error, then you know the information is incorrect. Could be an honest mistake, could be a bit more malicious.

It's just basic validation on your information before using it.
 
roboffer said:
Untrue. It's very possible.
I am not saying it is not possible but it is very unlikely that it will happen to him. Avoiding SQL Injection is easy as long as you keep your code tight. Even better, use Stored Procedures where possible with web applications.

sfx
 
sfx said:
I am not saying it is not possible but it is very unlikely that it will happen to him. Avoiding SQL Injection is easy as long as you keep your code tight. Even better, use Stored Procedures where possible with web applications.

sfx

That's what I was asking, how would I make my code "tight" in your opinion sfx?
 
sfx said:
Nope... Not unless the command you built up in the ASP was a DELETE command.

From what you are talking about, you would be using an INSERT command...

sfx
sfx said:
I am not saying it is not possible but it is very unlikely that it will happen to him. Avoiding SQL Injection is easy as long as you keep your code tight. Even better, use Stored Procedures where possible with web applications.

sfx
I'm sorry but you are completely contradicting yourself there, you quite clearly stated it wasn't possible. No ifs, no buts. It is possible, no matter how unlikely, and it totally depends on the statement in question. It is possible that a delete statement, drop table statement or update can be nested within a select.
 
Ok fair enough...

As I said in my previous post, you should use stored procedures wherever possible in web applications. Also if you search for SQL Injection as roboffer advised you will find guides etc. on how to exploit SQL Injection. I know you probably do not care how to do it, but if you know how to do it you know how to stop it. :)

sfx
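
Added example, not part of any post in this thread: the two defences discussed above (cast the querystring ID to an int before use, and stop building SQL dynamically from form text) shown side by side. It assumes Python's built-in sqlite3 as a stand-in for the ASP.NET/Access setup; the `people` table, the function names and the sample input are made up for the illustration.

```python
import sqlite3

# Constructed form input: an everyday apostrophe, and a biography that
# legitimately contains SQL keywords (a keyword filter would reject it).
NAME = "O'Brien"
BIO = "My bio; it's about DELETE and UPDATE statements"

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (id INTEGER PRIMARY KEY,"
                 " firstname TEXT, biography TEXT)")
    return conn

def parse_id(raw):
    """Cast a querystring value to int; anything but ASCII digits is rejected."""
    if not (raw.isascii() and raw.isdigit()):
        raise ValueError("id must be a whole number: %r" % raw)
    return int(raw)

def insert_unsafe(conn, firstname, biography):
    # Dynamic SQL: the form text becomes part of the statement, so a quote
    # in the input changes how the database parses it.
    conn.execute("INSERT INTO people (firstname, biography) "
                 "VALUES ('%s', '%s')" % (firstname, biography))

def insert_safe(conn, firstname, biography):
    # Parameterised: the statement text is fixed, the values travel separately.
    cur = conn.execute(
        "INSERT INTO people (firstname, biography) VALUES (?, ?)",
        (firstname, biography))
    return cur.lastrowid

def get_person(conn, raw_id):
    return conn.execute(
        "SELECT firstname, biography FROM people WHERE id = ?",
        (parse_id(raw_id),)).fetchone()

def demo():
    conn = open_db()
    try:
        insert_unsafe(conn, NAME, "plain text")
        unsafe_ok = True
    except sqlite3.Error:
        unsafe_ok = False  # the apostrophe alone broke the built-up statement
    new_id = insert_safe(conn, NAME, BIO)
    stored = get_person(conn, str(new_id))
    count = conn.execute("SELECT COUNT(*) FROM people").fetchone()[0]
    return unsafe_ok, stored, count

if __name__ == "__main__":
    print(demo())
```

The string-built INSERT fails on a harmless surname, which shows the input is being parsed as SQL; the parameterised one stores the same text, keywords and all, as plain data.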
 