Hacking a Form

Cotswold

Cotswold

Well-known member
Local time
Today, 00:46
Joined
Dec 31, 2020
Messages
921
Whilst a hacker could view memory variables from a running accde application, does anyone think it is possible to see the value of a hidden field on an open form? Whether the form itself is hidden, or not.
 
Depends on how it is hidden, but it WOULD require the person to somehow make that form go into design mode so the "Hidden" property could be altered. The problem with answering that question with any certainty is that the code behind-the-scenes in Access is not open-sourced and has not been published. Therefore it is hard for us to know whether "Hidden" means that the field/control is really there or whether hiding the control skips it entirely.
 
Thanks for that TheDocMan.
I guessed that as a hacker wouldn't know form, or field names, they couldn't read a value. But they are an ingenious and persistent bunch.
 
Cotswold said:
Thanks for that TheDocMan.
I guessed that as a hacker wouldn't know form, or field names, they couldn't read a value. But they are an ingenious and persistent bunch.
Click to expand...

or could they?

Code: 
    Dim f As Variant
    Dim Cs As Variant

    For Each f In CurrentProject.AllForms
        Debug.Print f.Name, f.IsLoaded
        
        On Error Resume Next
        For Each Cs In Forms(f.Name).Controls
            Debug.Print f.Name, Cs.ControlSource, Cs.Value
        Next
        
    Next
 
@moke123 Can you run that code from an external database against an already executed and running compiled ACCDE?
 
Code: 
Sub test_it()
    Dim oAcc As Access.Application
    Dim f As Variant
    Dim Cs As Variant

    Set oAcc = GetObject("X:\AnyWhere\Your.accde")    ' access to open application, no hack
    With oAcc
        For Each f In .CurrentProject.AllForms
            Debug.Print f.Name, f.IsLoaded

            On Error Resume Next
            For Each Cs In f.Controls
                Debug.Print f.Name, Cs.ControlSource, Cs.Value
            Next
        Next
    End With
   
End Sub
 
No. I like to write from abstraction, and I'm happy when it works anyway.
@Cotswold has a DB where he wants to consider access from the outside.
 
@ebs17 Thanks for that.....no hack indeed but it makes me a little hacked off!
@CJ_London yep, on a quick test it did appear to work. I hadn't thought of this method until ebs17's post. I was looking to see if the form variables could be visible by a 3rd party and stop it.

Can't quite recall but I seem to think that you can prevent an accde from being run in this way. So when it is opened it errors out and closes down.
 
Last edited:
@Cotswold
You may be thinking of the Application.UserControl property
www.isladogs.co.uk

ApplicationUserControl

This shows how the UserControl property can be used to restrict how an application can be opened. One line of code is required in the Form_Load event of the startup form or an autoexec macro.
www.isladogs.co.uk www.isladogs.co.uk

There are of course ways of circumventing that, but it does add a bit more security.

@moke123
In your code from post #5, why did you define f and Cs as variants rather than Access.Form and Control respectively?
 
Last edited:
Code: 
If Application.UserControl = False Then Application.Quit
To do something like this, you need a triggering event.
The test procedure above does not touch on such an event.
 
isladogs said:
@moke123
In your code from post #5, why did you define f and Cs as variants rather than Access.Form and Control respectively?
Click to expand...
because I'm at work , in a hurry, and just looking to see if you could get the values on a hidden form.

we're not all retired ya know.:)
 
ebs17 said:
Code: 
If Application.UserControl = False Then Application.Quit
To do something like this, you need a triggering event.
The test procedure above does not touch on such an event.
Click to expand...

Just tested the code in post #8 using an ACCDB file. The code was blocked at the GetObject line

1673985330196.png
 
Just tested the code ...
Click to expand...
... on an open DB?
Or on a closed DB that calls its startup form that contains a Form_Load procedure that calls a specific MsgBox?
Code: 
Private Sub Form_Load()
    If Application.UserControl Then
        MsgBox "This application cannot be opened directly", vbCritical, "Critical Error"
        Application.Quit
    End If
    
    cmdQuit.SetFocus
End Sub
 
Both. I tested on the example app mentioned in my article
a) with the remote app closed, it triggered the message shown above
b) with the remote app open, it caused an error (but that could be fixed)

I did say that Application.UserControl wasn't foolproof
You've just mentioned one of the ways of circumventing it
However, I also know how to block that 'backdoor' as well

You might enjoy trying to solve this:
www.isladogs.co.uk

Encrypted Split No Strings

This example app shows how an Access database can be made reasonably secure against hackers whilst still allowing full functionality to authorised users.
www.isladogs.co.uk www.isladogs.co.uk
 
Last edited:
You must log in or register to reply here.

Similar threads

bsacheri
Access crashes when switching Form View to Datasheet View
Replies
2
Views
142
MajP
MajP
Cotswold
Solved Error 2046 on open
Replies
4
Views
279
The_Doc_Man
The_Doc_Man
The_Doc_Man
Important Security Guidelines
2
Replies
24
Views
717
The_Doc_Man
The_Doc_Man
A
Solved Access Checkboxes choosing their own alignment
Replies
16
Views
512
Uncle Gizmo
Uncle Gizmo
K
Web Browser control : Opening the link in the same tab
Replies
7
Views
747
theDBguy
theDBguy

Users who are viewing this thread

Total: 1 (members: 0, guests: 1)
Back
Top Bottom