Warning: file_get_contents(/data/phpspider/zhask/data//catemap/0/vba/15.json): failed to open stream: No such file or directory in /data/phpspider/zhask/libs/function.php on line 167

Warning: Invalid argument supplied for foreach() in /data/phpspider/zhask/libs/tag.function.php on line 1116

Notice: Undefined index: in /data/phpspider/zhask/libs/function.php on line 180

Warning: array_chunk() expects parameter 1 to be array, null given in /data/phpspider/zhask/libs/function.php on line 181

Warning: file_get_contents(/data/phpspider/zhask/data//catemap/1/ms-access/4.json): failed to open stream: No such file or directory in /data/phpspider/zhask/libs/function.php on line 167

Warning: Invalid argument supplied for foreach() in /data/phpspider/zhask/libs/tag.function.php on line 1116

Notice: Undefined index: in /data/phpspider/zhask/libs/function.php on line 180

Warning: array_chunk() expects parameter 1 to be array, null given in /data/phpspider/zhask/libs/function.php on line 181
Vba MS Access登录上的SQL注入_Vba_Ms Access_Login_Sql Injection - Fatal编程技术网
Fatal编程技术网
  • vba/
  • Vba MS Access登录上的SQL注入

Vba MS Access登录上的SQL注入

vba ms-access login

Vba MS Access登录上的SQL注入,vba,ms-access,login,sql-injection,Vba,Ms Access,Login,Sql Injection,我正在使用带有以下vba代码的MS Access表单作为我的启动页面,在该页面中,用户输入用户名和密码,如果确定,则会将其转发到包含相关内容的仪表板页面。我正在检查代码是否是SQL注入的证明,令我恐惧的是,它继续登录,没有任何问题!有人能帮我强化代码以防止sql注入攻击吗 If (Me.UserNameTextBox <> "" And Me.passwordtextbox <> "") Then hook = """" SQLCheckUser

我正在使用带有以下vba代码的MS Access表单作为我的启动页面,在该页面中,用户输入用户名和密码,如果确定,则会将其转发到包含相关内容的仪表板页面。我正在检查代码是否是SQL注入的证明,令我恐惧的是,它继续登录,没有任何问题!有人能帮我强化代码以防止sql注入攻击吗

If (Me.UserNameTextBox <> "" And Me.passwordtextbox <> "") Then    
        hook = """"
SQLCheckUser = ""
SQLCheckUser = SQLCheckUser & " SELECT Id, UserName, UserCode FROM UserTable"
SQLCheckUser = SQLCheckUser & " WHERE UserName = " & hook & me.UserNameTextBox.value & hook
SQLCheckUser = SQLCheckUser & " AND UserPassword = " & hook & me.passwordtextbox.value & hook
SQLCheckUser = SQLCheckUser & " AND IsInactive=0"

'Create RecordSet
   Set rst = CurrentDb.OpenRecordset(SQLCheckUser)

'Go to first record
    rst.MoveLast
    rst.MoveFirst

    If rst.RecordCount <> 1 Then
        MsgBox "Error 2: Please recheck your login details" 'Error 2 Cant find the user or too many users
        rst.Close
           Else
'Good LogIn, load the values of the record into rst   
    ID = rst.Fields("Id")
    UserName = rst.Fields("UserName")
    UserCode = rst.Fields("UserCode")
    IsLoggedIn = True
    rst.Close

     DoCmd.Close
     DoCmd.OpenForm ("Dashboard")

    End If
   Else
MsgBox "Please recheck your login details" ‘ Either UserName or Password has not been entered
End If

如果(Me.UserNameTextBox“”和Me.passwordtexbox“”),则
hook=“”“
SQLCheckUser=“”
SQLCheckUser=SQLCheckUser&“从UserTable中选择Id、用户名、用户代码”
SQLCheckUser=SQLCheckUser&“WHERE UserName=“&hook&me.UserNameTextBox.value&hook
SQLCheckUser=SQLCheckUser&“和UserPassword=“&hook&me.passwordtextbox.value&hook
SQLCheckUser=SQLCheckUser&“和IsInactive=0”
'创建记录集
Set rst=CurrentDb.OpenRecordset(SQLCheckUser)
“去第一张唱片
rst.MoveLast
rst.MoveFirst
如果rst.RecordCount为1,则
MsgBox“错误2:请重新检查您的登录详细信息”'错误2找不到用户或用户太多
rst.关闭
其他的
'良好的登录,将记录的值加载到rst中
ID=rst.字段(“ID”)
用户名=rst.Fields(“用户名”)
UserCode=rst.Fields(“UserCode”)
IsLoggedIn=True
rst.关闭
文件关闭
DoCmd.OpenForm(“仪表板”)
如果结束
其他的
MsgBox“请重新检查您的登录详细信息”'未输入用户名或密码
如果结束
参数化查询用于防止SQL注入漏洞。在你的情况下,你会使用这样的东西

Dim qdf作为DAO.QueryDef
设置qdf=CurrentDb.CreateQueryDef(“”_
参数prmUserName TEXT(255),prmUserPassword TEXT(255);&_
“从UserTable中选择Id、用户名和用户代码”_
“其中UserName=[prmUserName]和UserPassword=[prmUserPassword]和IsInactive=0”)
qdf!prmUserName=Me.UserNameTextBox.Value
qdf!prmUserPassword=Me.passwordtextbox.Value
Set rst=qdf.OpenRecordset
有效的SQL注入是“或”1“=”1