
I have an Access database that must connect to Oracle programmatically to create a linked table. The connection string is of the form:

ODBC;Driver={Microsoft ODBC for Oracle};Pwd=<Password>;UID=<User>;Server=<Server>

Currently the login info is hardcoded.

I now have to have the tool connect to different databases. I was going to simply let the user enter the <User>, <Password>, and <Server> and then just concatenate it all together into a single connection string. I'm pretty sure this is SQL Injection safe because the connection doesn't actually exist at this point, but I'm not 100% certain - is this a valid concern, and if so how would I sanitize these inputs (which come from free-form text fields)?


2 Answers

This is not called SQL Injection because the connection string doesn't allow execution of arbitrary SQL code.

If you are giving users access to the database from the desktop then SQL Injection probably isn't a very relevant concern anyway. Why would anyone bother trying to inject SQL through an application vulnerability when it's much easier for him just to create a connection himself using his valid credentials?


1 Comment

Besides, what is the worst that could happen? They have a user id, a password, and a server name. With that, they could connect to your database outside of your application and twiddle data to their heart's content. Which would be only what they are allowed to change with the grants you've given their account on the database. If they want to carefully craft a string to drop all tables, and they can do it, it is because you gave them those rights in the first place. They can do it with any ODBC SQL client.

It appears that your concern is valid, as evidenced by the fact that ADO.NET has a set of Connection String Builder classes (though it's more accurate to call it "connection string injection" vs. "SQL injection" since there's no SQL involved). Since you're not using .NET, the next best option is input sanitization and escaping special characters. The MSDN reference on OLEDB connection string syntax states that:

To include values that contain a semicolon, single-quote character, or double-quote character, the value must be enclosed in double quotes.

and

If the value contains both single-quote and double-quote characters, the quote character used to enclose the value must be doubled each time it occurs within the value.

This is a VBScript I put together which attempts to implement the two guidelines above:

Option Explicit

Dim pw, connStr, conn

pw = InputBox("Enter password")

' Sanitize double quotes in the input string
pw = Replace(pw, Chr(34), Chr(34) & Chr(34))

' Notice how pw is surrounded by double quote characters
connStr = "Provider=SQLOLEDB;Data Source=.\SQLEXPRESS;User ID=test_user;Password=" & Chr(34) & pw & Chr(34)

' Test the connection.  We'll get a runtime error if it didn't work
Set conn = CreateObject("ADODB.Connection")
conn.Open connStr
conn.Close
WScript.Echo "OK!"

If my password were app"le'\, the connection string would end up as:

Provider=SQLOLEDB;Data Source=.\SQLEXPRESS;User ID=test_user;Password="app""le'\"

However, this doesn't work for all possible inputs. For example, the test script gives an error when the password contains a double quote before a semicolon. It could be that I'm interpreting the guidelines incorrectly. I'm not sure, but hopefully, this at least gets you started.
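The following is an added example, not code from the question or either answer, written in Python rather than VBScript so the quoting rules can be exercised offline. It implements both MSDN rules quoted above as a value quoter (choosing the enclosing quote character based on which quote characters the value contains, and doubling the enclosing character only when the value contains both), builds a connection string from key/value pairs, and includes a small parser that follows the same documented rules so each result can be checked by round-trip. The parser is this example's own reading of the rules, not ADO's or the ODBC driver manager's actual parser; the key names and sample passwords are constructed.

```python
"""Quote and parse OLE DB / ODBC-style connection-string values.

Added example: implements the two quoting rules quoted from the MSDN
OLE DB connection-string reference, plus a matching parser so that a
user-supplied value (here: a password) can be embedded and read back
unchanged. The parser mirrors the documented rules only; it is NOT the
real ADO/ODBC parser.
"""

SPECIAL = set(';\'"')  # characters that force a value to be quoted


def quote_value(value):
    """Return `value` quoted so it can safely appear as Key=<value>."""
    if not (set(value) & SPECIAL):
        return value  # nothing special: emit as-is
    has_sq = "'" in value
    has_dq = '"' in value
    if has_dq and not has_sq:
        # only double quotes inside: enclose in single quotes, no doubling needed
        return "'" + value + "'"
    # otherwise enclose in double quotes; if the value also contains
    # double quotes (i.e. it has both kinds), double each embedded one
    return '"' + value.replace('"', '""') + '"'


def build_connection_string(pairs):
    """Join (key, value) pairs into Key=value;Key=value with safe quoting."""
    return ";".join("%s=%s" % (k, quote_value(v)) for k, v in pairs)


def parse_connection_string(s):
    """Split a connection string back into (key, value) pairs.

    Follows the same rules as quote_value: a value starting with ' or "
    runs to the matching unescaped quote, with a doubled quote meaning
    one literal quote; an unquoted value runs to the next ';'.
    """
    pairs = []
    i, n = 0, len(s)
    while i < n:
        eq = s.find("=", i)
        if eq == -1:
            raise ValueError("missing '=' at offset %d" % i)
        key = s[i:eq].strip()
        i = eq + 1
        if i < n and s[i] in "\"'":
            q = s[i]
            i += 1
            buf = []
            while True:
                if i >= n:
                    raise ValueError("unterminated quoted value for %r" % key)
                c = s[i]
                if c == q:
                    if i + 1 < n and s[i + 1] == q:  # doubled quote -> literal
                        buf.append(q)
                        i += 2
                        continue
                    i += 1  # closing quote
                    break
                buf.append(c)
                i += 1
            value = "".join(buf)
            if i < n and s[i] != ";":
                raise ValueError("unexpected text after quoted value for %r" % key)
        else:
            end = s.find(";", i)
            if end == -1:
                end = n
            value = s[i:end]
            i = end
        if i < n and s[i] == ";":
            i += 1
        pairs.append((key, value))
    return pairs


def round_trips(pairs):
    """True if building then parsing returns exactly the input pairs."""
    return parse_connection_string(build_connection_string(pairs)) == list(pairs)


if __name__ == "__main__":
    # Constructed sample: the password from the answer above plus one
    # containing a double quote directly before a semicolon.
    for pw in ['app"le\'\\', 'ab";Server=other']:
        pairs = [("UID", "test_user"), ("Pwd", pw), ("Server", "orcl")]
        cs = build_connection_string(pairs)
        print(cs, "->", "round-trips" if round_trips(pairs) else "MISMATCH")
```

Note how `'ab";Server=other'` is handled: because the value contains only double quotes, the quoter encloses it in single quotes, so the embedded `;` and `"` never reach the key/value splitter. Whether a given driver honours single-quote enclosure exactly as documented is something to verify against that driver, which is the same caveat the answer above raises for its double-quote-only approach.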
