本文介绍了MS Access-防止在连接字符串中注入SQL的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我有一个Access数据库,该数据库必须以编程方式连接到Oracle以创建链接表.连接字符串的格式为:

I have an Access database that must connect to Oracle programmatically to create a linked table. The connection string is of the form:

ODBC;Driver={Microsoft ODBC for Oracle};Pwd=<Password>;UID=<User>;Server=<Server>

当前登录信息已硬编码.

Currently the login info is hardcoded.

我现在必须使该工具连接到不同的数据库.我只想让用户输入<User><Password><Server>,然后将它们全部连接成一个连接字符串即可.我非常确定这是SQL注入安全的方法,因为此时连接实际上并不存在,但是我不确定100%是否正确-这是一个有效的问题,如果是的话,我将如何清理这些输入(来自自由格式的文本字段)?

I now have to have the tool connect to different databases. I was going to simply let the user enter the <User>, <Password>, and <Server> and then just concatenate it all together into a single connection string. I'm pretty sure this is SQL Injection safe because the connection doesn't actually exist at this point, but I'm not 100% certain - is this a valid concernt, and if so how would I sanitize these inputs (which come from free-form text fields)?

推荐答案

您的担忧似乎是正确的,ADO.NET具有一组连接字符串生成器类(尽管将其称为连接字符串注入"与"SQL注入"更为准确,因为没有SQL涉及).由于您没有使用.NET,因此,下一个最佳选择是输入清理和转义特殊字符.关于OLEDB连接字符串语法状态的 MSDN参考

It appears that your concern is valid, as evidenced by the fact that ADO.NET has a set of Connection String Builder classes (though it's more accurate to call it "connection string injection" vs. "SQL injection" since there's no SQL involved). Since you're not using .NET, the next best option is input sanitization and escaping special characters. The MSDN reference on OLEDB connection string syntax states that:

这是我整理的VBScript,它试图实现上述两个准则:

This is a VBScript I put together which attempts to implement the two guidelines above:

Option Explicit

Dim pw, connStr, conn

pw = InputBox("Enter password")

' Sanitize double quotes in the input string
pw = Replace(pw, Chr(34), Chr(34) & Chr(34))

' Notice how pw is surrounded by double quote characters
connStr = "Provider=SQLOLEDB;Data Source=.\SQLEXPRESS;User ID=test_user;Password=" & Chr(34) & pw & Chr(34)

' Test the connection.  We'll get a runtime error if it didn't work
Set conn = CreateObject("ADODB.Connection")
conn.Open connStr
conn.Close
WScript.Echo "OK!"

如果我的密码是app"le'\,则连接字符串将最终显示为:

If my password were app"le'\, the connection string would end up as:

Provider=SQLOLEDB;Data Source=.\SQLEXPRESS;User ID=test_user;Password="app""le'\"

但是,这不适用于所有可能的输入.例如,当密码在分号之前包含双引号时,测试脚本会给出错误消息.可能是我对准则的解释不正确.我不确定,但希望这至少可以帮助您入门.

However, this doesn't work for all possible inputs. For example, the test script gives an error when the password contains a double quote before a semicolon. It could be that I'm interpreting the guidelines incorrectly. I'm not sure, but hopefully, this at least gets you started.

这篇关于MS Access-防止在连接字符串中注入SQL的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

09-02 00:23