There seems to be some hysteria about SQL Injection attacks. Most recently, here

How to return the value in one field based on lookup value in another field

If I'm creating a macro in Excel that connects to an Access database, do I really have to be concerned about SQL injection? It's not on the web, it's used in my office (you guys remember desktops right?). I'm not concerned that my co-workers are going to sabotage me. If they're smart enough to do a SQL injection, aren't they smart enough to crack my add-in password and just change the code?


If you're building SQL in your macro, it's vulnerable to SQL injection. Even if you trust the people who will be using the thing, you should at least watch for the basics, like people trying to put single-quote and semicolon characters into database fields. This isn't so much a security issue in your case as just data validation.


SQL Injection is not just a security threat, it is a very real source of bugs too.

Are you sure that none of your records will ever have an apostrophe (') in them?

INSERT INTO NAMES (FIRSTNAME, LASTNAME) VALUES('Jack', 'O'Neill')

In this case, you have a bug even though nobody wanted to crack your system.
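Added example, not from either answer above: the concatenated INSERT the answer describes beside a parameterised ADO command that sends the same values without ever placing them in the SQL text. It assumes an Access file at the placeholder path, a NAMES table with FIRSTNAME and LASTNAME columns, and a project reference to the Microsoft ActiveX Data Objects library; the names DB_PATH, BuildInsertUnsafe and InsertNameSafe are invented for the example.

```vba
Option Explicit

' Placeholder: point this at your own Access database.
Private Const DB_PATH As String = "C:\path\to\your.accdb"

Private Function OpenDb() As ADODB.Connection
    Dim cn As ADODB.Connection
    Set cn = New ADODB.Connection
    cn.Open "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=" & DB_PATH
    Set OpenDb = cn
End Function

' Buggy: builds the statement by string concatenation. A last name such as
' O'Neill closes the string literal early, so the statement fails to parse
' (and a crafted value could change what the statement does). Returns the
' SQL text so the breakage can be inspected without touching the database.
Public Function BuildInsertUnsafe(firstName As String, lastName As String) As String
    BuildInsertUnsafe = "INSERT INTO NAMES (FIRSTNAME, LASTNAME) VALUES('" & _
        firstName & "', '" & lastName & "')"
End Function

' Safe: the values travel as parameters, not as part of the SQL text, so an
' apostrophe (or anything else) in the data cannot alter the query.
Public Sub InsertNameSafe(firstName As String, lastName As String)
    Dim cn As ADODB.Connection
    Dim cmd As ADODB.Command
    Set cn = OpenDb()
    Set cmd = New ADODB.Command
    With cmd
        .ActiveConnection = cn
        .CommandType = adCmdText
        .CommandText = "INSERT INTO NAMES (FIRSTNAME, LASTNAME) VALUES (?, ?)"
        .Parameters.Append .CreateParameter("p1", adVarWChar, adParamInput, 255, firstName)
        .Parameters.Append .CreateParameter("p2", adVarWChar, adParamInput, 255, lastName)
        .Execute
    End With
    cn.Close
End Sub

Public Sub Demo()
    ' Shows the statement the concatenation produces for a name with an apostrophe.
    Debug.Print BuildInsertUnsafe("Jack", "O'Neill")
    ' Inserts the same name through the parameterised command.
    InsertNameSafe "Jack", "O'Neill"
End Sub
```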


You never know when Bobby Tables is going to use your Word macro:

xkcd