Can I encrypt an Insert statement being written to an Access database?

  • Question

    I am looking to encrypt an insert statement as it is being written to an MS Access database, and I am not sure how to accomplish this. My application is taking information entered by a user and is inserting this information into an Access database, which is used by another application that resides on the user's local machine.  These two apps are not constantly talking; only when the insert is about to be performed does the connection get established.  I am using string and file encryption (RSA and Rijndael) in other locations in the application but am having trouble figuring out how to apply this to an insert into a db, if I can apply this.

     

    string SQLInsert;

    // insert record ("fields to insert to" and "data to populate with" are placeholders)
    SQLInsert = "INSERT INTO tablename (" +
        "fields to insert to) " +
        "VALUES (data to populate with) ";

    // receives the number of records affected
    object howMany;
    Connection.Execute(SQLInsert, out howMany, (int)ADODB.ExecuteOptionEnum.adExecuteNoRecords);

     

    What happens is a user clicks a transfer button, which sends this information from one app to the other app's database. What I am not sure of is whether encrypting the SQLInsert string and then trying to decrypt it on Connection.Execute will even work. If not, are there other ways to go about this? Any examples or links would be a great help.

     

    Thanks,

     

    Thursday, January 31, 2008 9:38 PM

All replies

  • What exactly are you trying to protect?  It sounds like you want to encrypt the SQL, but somehow want to insert cleartext into the database.  This is a waste of time and effort.  If I've compromised your computer so fully that I can see the SQL commands that it's passing to OLEDB, I can see what's in your database.

     

    (Also, Google "SQL injection" now.)

     

    Saturday, February 2, 2008 9:11 AM
  • I guess I am looking to encrypt the connection that gets established between the application and the Access database. The Select and Insert statements in question do not require any user input; therefore I do not think SQL Injection is a problem.

    Monday, February 4, 2008 3:40 PM
  • It is probably a good idea to switch to parameterized SQL in any case, though I have to admit that parameterized SQL in Access is a little wonky.  You also might use stored procedures, but again, in Access they are a little (lot) wonky.

     

    Encrypting the data and passing encrypted parameters to your stored procedure would get you some of the way to your goal.

    Monday, February 4, 2008 5:47 PM
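
The approach suggested in the last reply (parameterized SQL carrying encrypted values), as an added example that is not part of the original thread. It assumes System.Data.OleDb instead of the ADODB interop used in the question, AES-GCM on .NET Core 3.0 or later, and a 32-byte key loaded from protected storage; the table `Transfers` and the columns `CustomerName` and `Note` are hypothetical.

```csharp
using System;
using System.Data.OleDb;
using System.Security.Cryptography;
using System.Text;

static class EncryptedInsert
{
    // Encrypts one field value with AES-GCM.
    // Output is Base64 of nonce (12 bytes) || tag (16 bytes) || ciphertext.
    public static string Protect(string plaintext, byte[] key)
    {
        byte[] nonce = new byte[12];
        RandomNumberGenerator.Fill(nonce);            // fresh nonce for every value
        byte[] data = Encoding.UTF8.GetBytes(plaintext);
        byte[] cipher = new byte[data.Length];
        byte[] tag = new byte[16];
        using (var aes = new AesGcm(key))
            aes.Encrypt(nonce, data, cipher, tag);

        byte[] blob = new byte[12 + 16 + cipher.Length];
        Buffer.BlockCopy(nonce, 0, blob, 0, 12);
        Buffer.BlockCopy(tag, 0, blob, 12, 16);
        Buffer.BlockCopy(cipher, 0, blob, 28, cipher.Length);
        return Convert.ToBase64String(blob);
    }

    // Parameterized insert: the SQL text is a constant, values travel only as parameters.
    // Table and column names are hypothetical.
    public static int Insert(string connectionString, byte[] key, string name, string note)
    {
        const string sql = "INSERT INTO Transfers (CustomerName, Note) VALUES (?, ?)";
        using (var conn = new OleDbConnection(connectionString))
        using (var cmd = new OleDbCommand(sql, conn))
        {
            // OLE DB parameters are positional: add them in the order of the ? markers.
            cmd.Parameters.AddWithValue("@name", Protect(name, key));
            cmd.Parameters.AddWithValue("@note", Protect(note, key));
            conn.Open();
            return cmd.ExecuteNonQuery();             // number of rows inserted
        }
    }
}
```

The receiving application needs the same key to decrypt each value after reading it, and the target columns must be wide enough for the Base64 output, which is longer than the plaintext.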