
I am trying to do SQL injection on an OleDb connection and I am getting a syntax error when I enter the value #.

I can't understand why this is happening, because using value' or '1'='1 works.

using System.Data.OleDb;

OleDbConnection Con = new OleDbConnection();
Con.ConnectionString = @"provider=microsoft.ACE.oledb.12.0;data source=" + Server.MapPath("") + "\\database.accdb";

Con.Open();

// Deliberately vulnerable for the exercise: the form input is concatenated straight into the SQL text
string sqlstring = "select * from users WHERE myusername = '"+InputUserName.Text+"' AND mypassword ='"+InputPassWord.Text+"'";

OleDbCommand Cmd = new OleDbCommand(sqlstring, Con);
OleDbDataReader dr1 = Cmd.ExecuteReader();

if (dr1.HasRows)
{
    dr1.Read();
    Response.Redirect("connectionSuccesful.aspx");
}
else
    Label1.Text = "not valid username or password";

I also tried: string sqlstring = $"select * from sellers WHERE Myusername = '{InputUserName.Text}' -- AND Mypassword ='{InputPassWord.Text}'"; but it gives me a syntax error again. I am using a Microsoft Access database and an OleDb reader.

  • Don't build SQL strings like that. Use Parameters. https://learn.microsoft.com/en-us/dotnet/api/system.data.sqlclient.sqlcommand.parameters?view=dotnet-plat-ext-8.0 – Brad Apr 13 '23 at 18:18
  • Is this for Microsoft SQL Server? AFAIK, `#` is not a comment leader in Transact-SQL syntax. See https://learn.microsoft.com/en-us/sql/t-sql/language-elements/comment-transact-sql?view=sql-server-ver16 – Bill Karwin Apr 13 '23 at 18:19
  • I am using a Microsoft Access database. It is a project in a course that I am taking, and the lecturer asked me to do SQL injection on the login page and then make another version of it with parameters. – Ido Shemi Apr 13 '23 at 18:54
  • Your syntax in the original code is correct and will accept `#` as part of the values of `InputUserName.Text` or `InputPassWord.Text`. So, please provide the actual code that fails for you. Also, this is about _concatenating_, not _injection_ - which is another ballgame. – Gustav Apr 14 '23 at 05:43
  • What do you want to inject? If you want to inject new statements (e.g. following the `SELECT` with a `DELETE`), you can't do that in Access, since it only allows one statement at a time. – Erik A Apr 14 '23 at 10:35

1 Answer

According to this question, What does the SQL # symbol mean and how is it used?, the # symbol is used to prefix temporary tables. It is not used to comment out the rest of the SQL expression; you should try -- when commenting out the rest of the line.

Edit: # is only used as a comment in MySQL (once again according to the Stack Overflow question above).

Edit 2: According to the following question, How do I comment SQL code out in Microsoft Access?, you cannot have comments in a Microsoft Access database, which is why you are getting a syntax error.
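The following is an added example, not code from the asker or from the answer above. It covers both the question (what the concatenated query actually turns into for the tautology payload versus the `--`/`#` payloads, and the parameterised version the lecturer asked for and Brad's comment recommends) and the answer (Access SQL has no comment syntax, so a payload that relies on one leaves the trailing `' AND mypassword = '...'` in play and the quotes unbalanced). It assumes the same `users` table with text columns `myusername` and `mypassword`; the connection string path, the class name `LoginDemo` and the method names are assumptions made for this example. ACE/Jet OLE DB takes positional `?` placeholders, so the parameter names passed to `Parameters.Add` are ignored and only the order of the `Add` calls matters.

```csharp
using System;
using System.Data;
using System.Data.OleDb;

// Added example (not the asker's code). Assumed table: users(myusername, mypassword).
static class LoginDemo
{
    // The vulnerable pattern from the question, isolated so the resulting SQL text
    // can be inspected without a database.
    public static string BuildConcatenated(string user, string pass)
    {
        return "select * from users WHERE myusername = '" + user + "' AND mypassword ='" + pass + "'";
    }

    // Parameterised version. The input is bound as a value, never parsed as SQL,
    // so a quote or an OR inside it is compared literally against the column.
    public static bool LoginParameterised(OleDbConnection con, string user, string pass)
    {
        const string sql = "SELECT 1 FROM users WHERE myusername = ? AND mypassword = ?";
        using (var cmd = new OleDbCommand(sql, con))
        {
            // OLE DB parameters are positional: first '?' = user, second '?' = pass.
            cmd.Parameters.Add("@user", OleDbType.VarWChar, 255).Value = user;
            cmd.Parameters.Add("@pass", OleDbType.VarWChar, 255).Value = pass;
            using (OleDbDataReader dr = cmd.ExecuteReader())
            {
                return dr.HasRows;
            }
        }
    }

    static void Main()
    {
        // Tautology payload: closes the open quote, adds an always-true OR, and leaves the
        // query's own closing quote balanced, so Access parses it and the WHERE is true.
        Console.WriteLine(BuildConcatenated("x' or '1'='1", "x' or '1'='1"));
        // -> select * from users WHERE myusername = 'x' or '1'='1' AND mypassword ='x' or '1'='1'

        // Comment-leader payloads: Access SQL has no comment syntax, so "--" and "#" are
        // ordinary characters, the rest of the query is still parsed, and the quote count
        // ends up odd. That is the syntax error the question describes.
        Console.WriteLine(BuildConcatenated("admin' --", "anything"));
        // -> select * from users WHERE myusername = 'admin' --' AND mypassword ='anything'
        Console.WriteLine(BuildConcatenated("admin' #", "anything"));
        // -> select * from users WHERE myusername = 'admin' #' AND mypassword ='anything'

        // Parameterised login against the same database; the path is an assumption.
        string connStr = @"Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\app\database.accdb";
        using (var con = new OleDbConnection(connStr))
        {
            con.Open();
            // The same tautology payload is now just a string that matches no row.
            Console.WriteLine(LoginParameterised(con, "x' or '1'='1", "x' or '1'='1"));
        }
    }
}
```

`BuildConcatenated` needs no database and is the quickest way to see why one payload is accepted and the others are rejected: print the string and count the quotes. `LoginParameterised` is the "other version" for the course; note that it still compares a plaintext password column exactly as the question's code does, which is a separate problem from injection.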