The default database engine underlying Microsoft Access is known as the Jet Engine. Traditionally, the Jet Engine has offered security vulnerabilities, which may compromise the security of your computer system. The Jet Engine allows the use of unsafe expressions in Microsoft Access and VBA functions. Unsafe expressions include some Microsoft Access functions and come VBA shell commands, such as KILL and LOAD, which interface with the operating system to manipulate files, directories and other resources. To eliminate this security concern, the Jet Engine, used with Microsoft Access 2003, Jet 4.0, includes a service pack that allows the Jet to evaluate expressions in forms, reports and queries using the "sandbox mode". The sandbox mode, provided with Jet 4.0 Service Pack 8 (SP8), limits Microsoft Access to evaluating only those expressions that are considered "safe". A safe expression does not have properties or perform functions that allow intruders to access and exploit files, drives, devices or other vulnerable resources.
Sandbox mode is not provided as part of Microsoft Access, but is provided as an extension the underlying Jet Engine. By installing the latest update to Windows and thus, the Jet Engine, Microsoft Access can be configured with the option of including sandbox mode. You must configure Microsoft Access to run in sandbox mode. Microsoft Access will not automatically convert to sandbox mode by, simply, installing the service pack update. When the Jet Engine encounters functions that reference or make use of unsafe expressions, your application will be blocked and you will be presented with error messages.
The Jet will evaluate expressions that can be found in a variety of places, to include default values, calculated fields in a query or property sheet, macro action arguments, certain table properties, control sources, SQL statements, custom properties of ActiveX controls and more. The following Microsoft Access functions and properties are blocked by the Jet Engine when called from a Jet query or Microsoft Access property:
| AddAutoCorrect | AddToFavoriates | ADOConnectString | AnswerWizard |
| Application | Assistant | AutoCorrect | BeginUndoable |
| CloseCurrentDatabase | CodeContextObject | CodeDb | COMAddIns |
| CommandBars | CompactRepair | ConvertAccessProject | CreateAccessProject |
| CreateAdditionalData | CreateControl | CreateControlEx | CreateDataAccessPage |
| CreateForm | CreateGroupLevel | CreateNewWorkgroupFile | CreateReport |
| CreateReportControl | CreateReportControlEx | CurrentDb | DataAccessPages |
| DBEngine | DDEExecute | DDEInitiate | DDEPoke |
| DDERequest | DDETerminate | DDETerminateAll | DefaultWebOptions |
| DefaultWorkspaceClone | DelAutoCorrect | DeleteControl | DeleteReportControl |
| DoCmd | Echo | ExportXML | FeatureInstall |
| FileDialog | FileSearch | FollowHyperlink | GetHiddenAttribute |
| ImportXML | InsertText | LanguageSettings | LoadFromText |
| LoadPicture | Modules | NewAccessProject | NewCurrentDatabase |
| NewFileTaskPane | OpenAccessProject | OpenCurrentDatabase | Parent |
| ProductCode | Quit | References | RefreshDatabaseWindow |
| RefreshTitleBar | ReloadAddIns | ReplaceModule | Run |
| RunCommand | SaveAsText | SetDefaultWorkGroupFile | SetHiddenAttribute |
| SetOption | SetUndoRecording | SysCmd | TransformXML |
| VBE | |||
| BoundObjectFrame Object | Object | ||
| Combobox Object | Recordset | ||
| Control Object | Object | ||
| CurrentProject Object | AccessConnection BaseConnectionString CloseConnection Connection OpenConnection | ||
| CustomControl Object | Object | ||
| Form Object | Dynaset Recordset RecordsetClone | ||
| Hyperlink Object | AddToFavorites CreateNewDocument Follow | ||
| Listbox Object | Recordset | ||
| ObjectFrame Object | Object | ||
| Report Object | Recordset | ||
| SmartTagAction | Execute | ||
| Screen Object | ActiveDataAccessPage |
Sandbox mode has no effect on the VBA code or digitally signed code embedded in your database files. Sandbox mode only affects expressions that use or reference unsafe functions. The following VBA functions are considered unsafe and will generate errors when called from an expression in a Jet Query or an Microsoft Access property.
| AppActivate | Beep | Calendar | CallByName | ChDir |
| ChDrive | Command | Command$ | CreateObject | CurDir |
| CurDir$ | DeleteSetting | DoEvents | Environ | Environ$ |
| EOF | Err | FileAttr | FileCopy | FileDateTime |
| FileLen | FreeFile | GetAllSettings | GetAttr | GetObject |
| GetSetting | Input | Input$ | InputB | InputB$ |
| Kill | Load | Loc | LOF | Randomize |
| Reset | SaveSetting | Seek | SendKeys | SetAttr |
| Shell | Spc | Tab | Unload | UserForms |
| Width |
How To Avoid An Access 2003 Sandbox Storm - by Garry Robinson - Editor of vb123.com