[AccessD] Using ADO and Windows 7 SP1? Be careful!

Drew Wutka DWUTKA at Marlow.com
Thu Mar 31 16:24:10 CDT 2011


Hmmm, I would be curious as to how that is done.  Actually, the SQL
Insertion issue is due to SQL code having comment capabilities, and
Access SQL doesn't allow comments.

Plus, for this kind of vulnerability, your code has to literally use
client-created data directly in an SQL statement, which is a bad habit
no matter what database you are using.

I am curious as to how the .mdb would be set up to allow an 'insertion
attack'.  In the web interfaces I have designed, the backend is not
visible in any way, except for the pages I create.  Part one of that is
to NOT have the .mdb in a visible location on the webserver.  It is
accessible to IIS, but not the user.

Drew

-----Original Message-----
From: accessd-bounces at databaseadvisors.com
[mailto:accessd-bounces at databaseadvisors.com] On Behalf Of Jim Lawrence
Sent: Thursday, March 31, 2011 4:15 PM
To: 'Access Developers discussion and problem solving'
Subject: Re: [AccessD] Using ADO and Windows 7 SP1? Be careful!

Hi Drew:

I have never had any bad experiences from an Access BE web site but
according to one of the trainers from Wintellect, a Microsoft-based
training company, from which I took a week of lecture course, a few
years ago, at Redmond; he said that an Access BE was very dangerous
because it was prone to insertion attacks. He said he could hack any
Access BE in 5 minutes.

Whether that was true or not I have no idea but I have never used an
Access BE, for a web site, since. In a pinch I have used MySQL and now
MS SQL Express when no major SQL DB BE is available.

Jim
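
An added example, not part of the original thread or any poster's code: it puts the habit discussed above (client-created data used directly in an SQL statement) next to the parameterized form, using a constructed input that contains no comment syntax. Assumptions: an in-memory SQLite database stands in for the Access back end, and the table, column and function names are hypothetical.

```python
import sqlite3

def make_db():
    # Constructed sample data; in-memory SQLite stands in for the .mdb back end.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, pwd TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "s3cret"), ("bob", "hunter2")])
    return db

def login_concatenated(db, name, pwd):
    # Weak pattern: client-supplied strings are pasted into the SQL text,
    # so a quote character in the input changes the statement's structure.
    sql = ("SELECT name FROM users WHERE name = '" + name +
           "' AND pwd = '" + pwd + "'")
    return [row[0] for row in db.execute(sql)]

def login_parameterized(db, name, pwd):
    # Hardened pattern: values are bound as parameters and never parsed as SQL.
    sql = "SELECT name FROM users WHERE name = ? AND pwd = ?"
    return [row[0] for row in db.execute(sql, (name, pwd))]

# Constructed input: it balances the quotes itself, so no comment marker
# is needed to keep the resulting statement syntactically valid.
CRAFTED_PWD = "x' OR 'a'='a"

if __name__ == "__main__":
    db = make_db()
    print("concatenated, crafted input: ",
          login_concatenated(db, "alice", CRAFTED_PWD))
    print("parameterized, crafted input:",
          login_parameterized(db, "alice", CRAFTED_PWD))
    print("parameterized, real password:",
          login_parameterized(db, "alice", "s3cret"))
```

With ADO the same separation is done with an ADODB.Command object and its Parameters collection, using `?` placeholders in the CommandText.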
