Difficulty Level:

Star   Star   Star   HalfStar

Click any image to view a larger version



Last Updated 8 Apr 2022

Section Links:        The Challenge        The Problem        Background Info        Flags and Attached Tables        My Tests        My Solution
                              Downloads        Summary        Recommendations        Video        Further Reading



The Challenge:                                                                                                                     Return To Top

This is the fifth in a series of security challenge articles discussing issues related to ways of helping secure Access apps.

In previous security challenges, I have provided example databases and challenged readers to try and break the security.
The level of difficulty varied from simple to highly complex.

However, this security challenge is different.
It is based on a thread posted at Access World Forums by abdullahkhan in May 2020: Hiding Tables Delete Attachment

In this example, I will describe the problem caused by the forum user adding security to certain database tables, together with the solution.
The challenge this time is to explain why the solution works.



The Problem:                                                                                                                       Return To Top

•   Data in attachment fields is ‘lost’ when the table is deep hidden
•   Making tables visible again does not restore the data

Before I provide my solution (as in post #4 of the above thread), some additional explanation would probably be useful



Background Info:                                                                                                                 Return To Top

In Access 2007, three new complex datatypes were added:

1.   Multivalued fields (MVFs)

MVF Table
2.   Attachment fields (a special type of MVF)

Attachment Table
3.   Column History Memo fields

Column History Table

Each of these allowed users to attach multiple items to the same record (the opposite of standard database practice)

The datatypes are complex because the information is actually stored in deep hidden attached tables as normalised data.
There is one attached table (starting f_..) for each complex field and an additional system table (starting MSysComplexTypeVH..) for each column history field. These are highlighted in the screenshot below.

NOTE:
I am NOT recommending that any developer should use these complex datatypes. These have many issues (see the section below).



Flags And Attached Tables                                                                                                 Return To Top

Table info is stored in the Flags field of the READ ONLY system table MSysObjects.
For example:
      •   standard local table: Flags = 0
      •   hidden table: Flags = 8
      •   deep hidden table: Flags = 1
      •   complex table: Flags = 262144
      •   deep hidden attached table: Flags = -2146828288

These values CANNOT be edited directly as the table is READ ONLY. Any changes are done using code.
However, I do NOT intend to explain the code to deep hide tables here as this table property is often used for security

Complex & Attached Tables
By default, very few of these tables will be visible in the navigation pane.
However additonal tables wil be shown if Show Hidden Tables and / or Show System Tables are ticked in Navigation Options

Navigation Options

Default View

Default  View

Show Hidden Objects

Show Hidden

Show System Objects

Show System

Show Hidden & System Objects

Show Hidden & System

The deep hidden tables are NEVER displayed in the navigation pane.
Users have no direct access to the deep hidden attached tables.

However, it is possible to understand how this works using a query on the complex tables. For example, querying the attachment field data:

Attachment Query 1
The query results are identical to the table (shown above)

Attachment Query 2
However if the '+' sign is clicked to expand the query design, 3 fields from the attached table are shown. These can be added to the query:

Attachment Query 3
The query results now show additional records with one attached file per record:

Attachment Query 4

The same process can be done with multivalued field data:

MVF Query 1
The query results are identical to the MVF table (shown above)

MVF Query 2
However if the '+' sign is clicked to expand the query design, the MVF field from the attached table is shown and can be added to the query:

MVF Query 3
The query results now show additional records with one MVF item per record:

MVF Query 4

For column history memo field data, the query doesn't expand to show the attached table fields:

Column History Query 1
The query results are identical to the column history table (shown above).
However right clicking on a column history memo field record gives a Show Column History context menu item.
Click to show a read only popup message listing the column history.

Column History Query 2

It is often easier to view the historical data using a form

ColumnHistoryForm

It is certainly true that both attachment and multivalued fields have proved popular with many new Access users.
This is partly because their use is heavily promoted in the various Access template databases provided by Microsoft.
However, most experienced developers STRONGLY recommend avoiding using each of these.

The column history memo field feature is far less widely used, though it causes far fewer issues

Amongst the main reasons against the use of complex fields are that:
•   It is difficult to manage the data which is held in inaccessible tables
•   The data structure is disguised and running action queries on them is difficult or in some cases not possible
•   Attachment fields significantly bloated the database size and affected performance
•   Tables containing these complex datatypes cannot be upsized to other databases such as SQL Server

The thread at Access World Forums exposed a different issue.

Some developers set tables containing sensitive data to be deep hidden.
As stated above, deep hidden tables cannot be viewed in the navigation pane, even when hidden & system tables are made visible.

Doing this can make such tables more secure against users tampering with their databases for whatever reason.
Deep hiding tables should NOT affect the data stored in them.

However, as the Access World Forums thread described, when tables containing attachment fields were deep hidden, the attachment field data is ‘lost’.
Understandably, the OP was very concerned about their lost data.



My Tests:                                                                                                                             Return To Top

I ran tests on each of the three complex datatypes listed above as well as a standard local table.
The screenshots below show each of these before being deep hidden:

AllForms.png
Firstly, I set the table with an attachment field to be deep hidden and was able to replicate the issue described in the forum thread.
Next I tested a multivalued field and found it was affected in exactly the same way.
Making the tables visible again did NOT restore the data.

However, the column history memo field data was NOT ‘lost’ when its table was deep hidden.

AllForms2.png

My initial response was that this issue provided yet another good reason for avoiding both attachment & multivalue fields.

The tables were now standard tables and no longer listed as complex.

Detached Tables
However, I was able to inspect the deep hidden tables and found the attachment & MVF data still existed.
It appeared that the data had become detached from the deep hidden 'attached tables'.

This was confirmed when I again tried to run the queries including fields from the now 'detached' tables.
These queries now produced a parameter prompt for each of those fields indicating the tables could no longer be found

Attach Query 5

MVF Query 5

This is clearly a bug and will have existed ever since complex datatypes were introduced with Access 2007.
To be fair to Microsoft, it is unlikely that anyone expected developers to deep hide tables containing complex data.



My Solution:                                                                                                                         Return To Top

I then decided to test by adding a column history memo (CHM) field to a table with an attachment field that had previously been deep hidden.

A column history memo field requires the datatype to be Long Text (memo) and the Append Only property set to Yes.

Attach Table + CHM field

When I did so, the ‘lost data’ immediately reappeared! It wasn’t even necessary to populate the CHM field.

Attach Table + CHM field 2
I re-tested by adding a column history memo (CHM) field to a table with ‘lost’ MVF data.

MVF Table + CHM field

Again the lost data was recovered.

MVF Table + CHM field 2

Adding the column history field had effectively re-attached the complex fields to the source data in the attached tables.
However the tables were still listed as standard tables. Something clearly didn’t make sense.

So why does the unexpected fix work? That is my challenge to anyone reading this thread



Downloads:                                                                                                                         Return To Top

An example database has been provided so you can test the above series of events

Both 32-bit & 64-bit versions have been supplied as ACCDE files

Click to download the correct version for your computer:
     Complex Deep Hide Text (32-bit ACCDE)      (zipped)
     Complex Deep Hide Text (64-bit ACCDE)      (zipped)



SUMMARY:                                                                                                                           Return To Top

•   The problem – tables containing attachment or MVF data lose that data if the tables are deep hidden
•   The unexpected fix – add a column history memo field – the data is recovered / retained
•   The challenge (mystery) – explain why the unexpected fix works



RECOMMENDATIONS (in order of preference!):                                                             Return To Top

1.   Don’t use attachment or multivalued fields. Other better methods exist for handling such data
2.   If you really MUST use either of these complex datatypes, do NOT deep hide the tables
3.   If you really, really MUST deep hide those complex tables, make sure you include a column history memo field . . . even if you don’t actually need it!



VIDEO                                                                                                                                   Return To Top

A YouTube video will soon be provided to accompany this article. Details to follow



Further Reading:                                                                                                                 Return To Top

The following articles give additional information relevant to this topic;

Multivalued Fields . . . and why you really shouldn't use them!
Issues With Lookup Fields in Tables
Use Column History to store historical data in long text (memo) fields
Purpose Of System Tables



I hope you will be able to explain this mystery. How does the column history field restore lost data in another field? Or is it just a glitch?

Please provide feedback on this article by sending an email using the feedback form provided below.



Colin Riddington                       Mendip Data Systems                       Last Updated 8 Apr 2022



Return to Security Challenges Page




Return to Top