SQL injection and Access macros (not VBA)

Question

Can Microsoft Access macros (not VBA) be vulnerable to SQL injection?

There are constructs for code flow, temporary variables etc. Is it possible to write a macro that would incorporate user input into an SQL statement, such that the SQL statement would have unintended and undesirable consequences?

The SQL statement could be used in the RunSQL action. Alternatively, the SetProperty action could be used to change the RecordSource or RowSource property.

If yes, how could this be done?

Answer 1

Certainly, though because macros offer very limited capabilities, such cases are mostly academic.

Let's say I'm trying to implement a login system that disallows access to the database, without relying on VBA. I'm creating a form, adding two text boxes for username and password, and I'm making the form modal and removing close buttons to disallow the user to dismiss the form, making my macro the only way to gain access to the database (way insecure in many ways).

The macro:

If DCount("*","tblUsers","UserName = '" & Forms![LoginForm]!Username & "' AND [Password] = '" & Forms![LoginForm]!Password & "'") <> 0
    CloseWindow
        Object type = Form
        Object Name = LoginForm
        Save = Prompt

My injection payload is a classic: enter ' OR 1=1 OR 'A' = ' as a username, blank password, you're in.

However, this example is pretty ridiculous. The string delimiters and concatenation operators be omitted to use form-based parameters, and injection is suddenly impossible.

The RunSQL macro action, however, doesn't support dynamic SQL at all, so isn't vulnerable to SQL injection afaik. You can use form parameters in it, though.

As Zev Spitz pointed out himself in the comments, SetProperty can't modify row or record source so can't be used for SQL injection attacks.