MS Access - prevent SQL injection in connection string

Developer https://www.devze.com 2023-02-08 10:04 Source: web
I have an Access database that must connect to Oracle programmatically to create a linked table. The connection string is of the form:

ODBC;Driver={Microsoft ODBC for Oracle};Pwd=<Password>;UID=<User>;Server=<Server>

Currently the login info is hardcoded.

I now have to have the tool connect to different databases. I was going to simply let the user enter the <User>, <Password>, and <Server> and then just concatenate it all together into a single connection string. I'm pretty sure this is SQL Injection safe because the connection doesn't actually exist at this point, but I'm not 100% certain - is this a valid concern, and if so how would I sanitize these inputs (which come from free-form text fields)?


This is not called SQL Injection because the connection string doesn't allow execution of arbitrary SQL code.

If you are giving users access to the database from the desktop then SQL Injection probably isn't a very relevant concern anyway. Why would anyone bother trying to inject SQL through an application vulnerability when it's much easier for him just to create a connection himself using his valid credentials?


It appears that your concern is valid, as evidenced by the fact that ADO.NET has a set of Connection String Builder classes (though it's more accurate to call it "connection string injection" vs. "SQL injection" since there's no SQL involved). Since you're not using .NET, the next best option is input sanitization and escaping special characters. The MSDN reference on OLEDB connection string syntax states that:

To include values that contain a semicolon, single-quote character, or double-quote character, the value must be enclosed in double quotes.

and

If the value contains both single-quote and double-quote characters, the quote character used to enclose the value must be doubled each time it occurs within the value.

This is a VBScript I put together which attempts to implement the two guidelines above:

Option Explicit

Dim pw, connStr, conn

pw = InputBox("Enter password")

' Sanitize double quotes in the input string
pw = Replace(pw, Chr(34), Chr(34) & Chr(34))

' Notice how pw is surrounded by double quote characters
connStr = "Provider=SQLOLEDB;Data Source=.\SQLEXPRESS;User ID=test_user;Password=" & Chr(34) & pw & Chr(34)

' Test the connection.  We'll get a runtime error if it didn't work
Set conn = CreateObject("ADODB.Connection")
conn.Open connStr
conn.Close
WScript.Echo "OK!"

If my password were app"le'\, the connection string would end up as:

Provider=SQLOLEDB;Data Source=.\SQLEXPRESS;User ID=test_user;Password="app""le'\"

However, this doesn't work for all possible inputs. For example, the test script gives an error when the password contains a double quote before a semicolon. It could be that I'm interpreting the guidelines incorrectly. I'm not sure, but hopefully, this at least gets you started.

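Added example, not code from the question or from either answer: a Python version of the two quoting rules the second answer quotes from the OLE DB reference, placed next to the plain concatenation the question proposes. The parser is this example's own minimal reading of those rules, and the user name, password value and host names are constructed for the demonstration; the "ODBC;Driver=...;Pwd=...;UID=...;Server=..." layout is the one from the question.

```python
"""Quoting and parsing of ODBC/OLE DB-style "Key=Value;..." connection strings.

Added example (not from the question or either answer). quote_value() applies
the two rules the answer quotes; parse_connection_string() is this example's
own minimal parser, used to show what a consumer recovers from each string.
"""


def quote_value(value: str) -> str:
    """Quote one value so it survives inside a Key=Value;... string.

    Rules from the OLE DB connection-string syntax reference: a value that
    contains ';', a single quote or a double quote is enclosed in double
    quotes, and the enclosing quote character is doubled wherever it occurs
    inside the value. Values with no special characters pass through as-is.
    """
    if not any(c in value for c in ';\'"'):
        return value
    return '"' + value.replace('"', '""') + '"'


def build_connection_string(pairs, prefix=None):
    """Assemble an ordered list of (key, value) tuples into one string.

    prefix is an optional bare leading token, such as the "ODBC" Access puts
    in front of a linked-table connect string. Keys are never user-supplied
    here, so a key containing a separator or quote is rejected outright.
    """
    parts = [prefix] if prefix else []
    for key, value in pairs:
        if not key or any(c in key for c in "=;\"'"):
            raise ValueError(f"invalid connection-string key: {key!r}")
        parts.append(f"{key}={quote_value(value)}")
    return ";".join(parts)


def parse_connection_string(s):
    """Split a connection string into an ordered list of (key, value) pairs.

    A doubled enclosing quote inside a quoted value is a literal quote; a
    segment with no '=' is returned as (token, None). Duplicate keys are kept
    so the caller can see when a key was injected a second time.
    """
    pairs = []
    i, n = 0, len(s)
    while i < n:
        j = i
        while j < n and s[j] not in "=;":
            j += 1
        key = s[i:j].strip()
        if j >= n or s[j] == ";":          # bare token, e.g. leading "ODBC"
            if key:
                pairs.append((key, None))
            i = j + 1
            continue
        i = j + 1                          # skip '='
        if i < n and s[i] in "\"'":        # quoted value
            q = s[i]
            i += 1
            buf = []
            while True:
                if i >= n:
                    raise ValueError(f"unterminated quoted value for {key!r}")
                if s[i] == q:
                    if i + 1 < n and s[i + 1] == q:   # doubled quote: literal
                        buf.append(q)
                        i += 2
                        continue
                    i += 1                            # closing quote
                    break
                buf.append(s[i])
                i += 1
            value = "".join(buf)
            while i < n and s[i] != ";":              # advance to separator
                i += 1
            i += 1
        else:                              # unquoted value runs to next ';'
            j = s.find(";", i)
            if j == -1:
                j = n
            value = s[i:j]
            i = j + 1
        pairs.append((key, value))
    return pairs


def values_for(pairs, key):
    """All values recorded for a key (keys compared case-insensitively)."""
    return [v for k, v in pairs if k.lower() == key.lower()]


# Constructed input: a free-form "password" that carries a second Server key.
MALICIOUS_PASSWORD = "hunter2;Server=attacker-host"


def naive_connection_string(user, password, server):
    """Plain concatenation, as the question proposes (vulnerable)."""
    return (f"ODBC;Driver={{Microsoft ODBC for Oracle}};Pwd={password};"
            f"UID={user};Server={server}")


def safe_connection_string(user, password, server):
    """Same layout, each user-supplied value passed through quote_value()."""
    return build_connection_string(
        [("Driver", "{Microsoft ODBC for Oracle}"), ("Pwd", password),
         ("UID", user), ("Server", server)], prefix="ODBC")


if __name__ == "__main__":
    for label, fn in (("naive ", naive_connection_string),
                      ("quoted", safe_connection_string)):
        cs = fn("alice", MALICIOUS_PASSWORD, "oracle-prod")
        print(label, cs)
        print("        Server =", values_for(parse_connection_string(cs), "Server"))
```

Run stand-alone, the script prints both strings and the Server values the parser recovers from each: the concatenated string carries two Server keys, while the quoted one carries a single Server key and keeps the whole password under Pwd. The parser is this example's reading of the two rules, not the driver's; the driver the answer tested reported an error on a double quote before a semicolon, so test the real driver with the characters your users may type rather than assuming it agrees.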