[英]Using NT login as part of SQL query run via VBA in Access 2007
In Access 2007, I'm trying to use the NTlogin to retrieve a value from a table via a SQL query (see code below). 在Access 2007中,我试图使用NTlogin通过SQL查询从表中检索值(请参见下面的代码)。 WHen the form loads, I get an error message saying "Compile Error: Expected Function or Variable". 加载表单时,出现错误消息,提示“编译错误:期望的函数或变量”。 Can someone tell me how to fix this error. 有人可以告诉我如何解决此错误。
Private Sub Form_Load()
Dim UserName As String
Dim strSQL As String
Dim strDept As String
UserName = Environ("USERNAME")
strSQL = "SELECT DEPT FROM IDs WHERE NTLOGIN =" & UserName
strDept = DoCmd.RunSQL(strSQL)
cmdSave.Enabled = False
cmdEdit.Enabled = True
cmdPrevious.Enabled = True
cmdNext.Enabled = True
End Sub
I haven't touched Access for some time, so I don't recall: is Environ("USERNAME")
returning the USERNAME
environment variable? 我有一段时间没有触摸Access了,所以我不记得: Environ("USERNAME")
返回USERNAME
环境变量?
If so, then you have a security hole in your code. 如果是这样,那么您的代码中就有一个安全漏洞。 Specifically, you're open to a SQL Injection attack. 具体来说,您很容易受到SQL Injection攻击的影响。
Imagine that before they run Access, a user sets the USERNAME
environment variable to something like 想象一下,在运行Access之前,用户将USERNAME
环境变量设置为类似
''; ''; DROP TABLE IDS; 删除表ID;
In that case, you'll be executing the statement: 在这种情况下,您将执行以下语句:
SELECT DEPT FROM IDs WHERE NTLOGIN =''; 从ID中选择DELETE NTLOGIN =''; DROP TABLE IDS; 删除表ID;
You may not want that to happen... 您可能不希望这种情况发生...
You cannot use RunSQL with a select statement. 您不能将RunSQL与select语句一起使用。 It is only for action queries. 它仅用于操作查询。
If you want a recordset, you can say, amongst other things: 如果您想要一个记录集,则可以说:
strSQL = "SELECT DEPT FROM IDs WHERE NTLOGIN ='" & UserName & "'"
Set rs=CurrentDB.OpenRecordset(strSQL)
Where rs is DAO.Recordset rs是DAO.Recordset
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.