Add a batch clearing method (SQL 2000 only):
For the usage and structure of sp_msforeach_worker, see http://blog.csdn.net/abandonship/archive/2008/06/06/2515884.aspx.
declare @fieldtype sysname
set @fieldtype = 'varchar'
-- delete: build one UPDATE per varchar column of every user table, then let
-- sp_msforeach_worker run each row of the global cursor hcforeach (? is replaced by the row)
declare hcforeach cursor global
for
    select N'update ' + quotename(o.name)
        + N' set ' + quotename(c.name) + N' = replace(' + quotename(c.name) + N', ''<SCRIPT src=http://www.xxxxx.com/m.js></SCRIPT>'', '''')'
    from sysobjects o, syscolumns c, systypes t
    where o.id = c.id
        and objectproperty(o.id, N'IsUserTable') = 1
        and c.xusertype = t.xusertype
        and t.name = @fieldtype
exec sp_msforeach_worker @command1 = N'?'
1. First, check the server configuration and reconfigure the server's security. For details, see
http://hi.baidu.com/zzxap/blog/item/18180000ff921516738b6564.html
2. Use McAfee custom policies: even if the website program has a vulnerability, it is difficult for an attacker to write code into files.
Refer to the custom policy below; with this policy my files cannot be written even if the program has a flaw.
http://hi.baidu.com/zzxap/blog/item/efe093a7e0f2c190d04358ef.html
3. You can use Network Super Patrol to delete the injected JS code.
Reference:
http://hi.baidu.com/anlish/blog/item/ba45bb18eac77e0534fa4134.html
4. How do I batch-delete the injected code in the database?
Run this code in the database Query Analyzer.
SQL code
declare @fieldtype sysname
set @fieldtype = 'varchar'
-- delete
declare hcforeach cursor global
for
    select N'update ' + quotename(o.name)
        + N' set ' + quotename(c.name) + N' = replace(' + quotename(c.name) + N', ''<SCRIPT src=http://ucmal.com/0.js></SCRIPT>'', '''')'
    from sysobjects o, syscolumns c, systypes t
    where o.id = c.id
        and objectproperty(o.id, N'IsUserTable') = 1
        and c.xusertype = t.xusertype
        and t.name = @fieldtype
exec sp_msforeach_worker @command1 = N'?'
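The two scripts above (the SQL 2000 batch clear and item 4) run a blind UPDATE over every varchar column. The following is an added example, not the post's script, written for SQL Server 2005 and later, where sys.tables / sys.columns replace sysobjects / syscolumns. It first reports which columns actually contain the tag and only then, behind an explicit switch, strips it. It assumes @payload is the exact injected string (the post's placeholder URL is used), that a backup exists before the second pass, and that the login has UPDATE rights on the affected tables.

```sql
-- Added example (not from the original post): audit-then-clean for SQL Server 2005+.
-- Assumptions: @payload is the exact injected tag; a backup exists before pass 2;
-- the login can UPDATE the affected tables.
SET NOCOUNT ON;

DECLARE @payload nvarchar(400);
SET @payload = N'<SCRIPT src=http://www.xxxxx.com/m.js></SCRIPT>';   -- the post's placeholder tag

DECLARE @schema sysname, @table sysname, @column sysname,
        @sql nvarchar(max), @hits int, @do_update bit;
SET @do_update = 0;   -- flip to 1 only after reviewing the report from pass 1

CREATE TABLE #hits (schema_name sysname, table_name sysname, column_name sysname, rows_hit int);

-- Pass 1: count affected rows per string column of every user table; nothing is modified.
DECLARE col_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT s.name, t.name, c.name
    FROM sys.tables t
    JOIN sys.schemas s  ON s.schema_id = t.schema_id
    JOIN sys.columns c  ON c.object_id = t.object_id
    JOIN sys.types   ty ON ty.user_type_id = c.user_type_id
    WHERE t.is_ms_shipped = 0
      AND ty.name IN ('varchar', 'nvarchar', 'char', 'nchar');

OPEN col_cur;
FETCH NEXT FROM col_cur INTO @schema, @table, @column;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Identifiers are quoted with QUOTENAME; the payload is bound as a parameter so it
    -- never becomes part of the statement text. CHARINDEX avoids LIKE wildcard surprises.
    SET @sql = N'SELECT @n = COUNT(*) FROM ' + QUOTENAME(@schema) + N'.' + QUOTENAME(@table)
             + N' WHERE CHARINDEX(@p, ' + QUOTENAME(@column) + N') > 0';
    EXEC sp_executesql @sql, N'@p nvarchar(400), @n int OUTPUT', @p = @payload, @n = @hits OUTPUT;
    IF @hits > 0
        INSERT INTO #hits VALUES (@schema, @table, @column, @hits);
    FETCH NEXT FROM col_cur INTO @schema, @table, @column;
END
CLOSE col_cur;
DEALLOCATE col_cur;

SELECT * FROM #hits ORDER BY rows_hit DESC;   -- the report: which columns need cleaning

-- Pass 2: strip the tag, touching only the columns and rows that contain it.
IF @do_update = 1
BEGIN
    DECLARE hit_cur CURSOR LOCAL FAST_FORWARD FOR
        SELECT schema_name, table_name, column_name FROM #hits;
    OPEN hit_cur;
    FETCH NEXT FROM hit_cur INTO @schema, @table, @column;
    WHILE @@FETCH_STATUS = 0
    BEGIN
        SET @sql = N'UPDATE ' + QUOTENAME(@schema) + N'.' + QUOTENAME(@table)
                 + N' SET ' + QUOTENAME(@column) + N' = REPLACE(' + QUOTENAME(@column) + N', @p, N'''')'
                 + N' WHERE CHARINDEX(@p, ' + QUOTENAME(@column) + N') > 0';
        EXEC sp_executesql @sql, N'@p nvarchar(400)', @p = @payload;
        FETCH NEXT FROM hit_cur INTO @schema, @table, @column;
    END
    CLOSE hit_cur;
    DEALLOCATE hit_cur;
END
DROP TABLE #hits;
```

Keeping the report from pass 1 is worth it even after cleaning: the list of affected tables tells you which application pages took the injection, which is where the fix in items 6 and 8 has to be applied.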
5. Create a trigger: if </SCRIPT> is present, the row is not inserted. This may affect performance.
SQL code
create trigger tr_table_insertupdate
on tablename
for insert, update
as
if exists (select 1 from inserted where data like '%</SCRIPT>%')
begin
    raiserror('cannot be modified or added', 16, 1);
    rollback transaction
end
go
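The trigger in item 5 checks a single column for the closing tag and rejects the write silently. As an added example (not the post's trigger), the version below checks every text column of a constructed table dbo.Comments, matches on the opening tag so payloads without a closing </SCRIPT> are also caught, and records each rejected write in an audit table so the attempts become a detection signal. The tables and the sample rows are constructed for the example.

```sql
-- Added example, not from the original post. dbo.Comments stands in for the post's
-- "tablename"/"data"; dbo.BlockedWrites is a constructed audit table.
CREATE TABLE dbo.Comments (
    id     int IDENTITY PRIMARY KEY,
    author nvarchar(50),
    body   nvarchar(max)
);
CREATE TABLE dbo.BlockedWrites (
    id         int IDENTITY PRIMARY KEY,
    blocked_at datetime NOT NULL DEFAULT GETDATE(),
    login_name sysname  NOT NULL,
    table_name sysname  NOT NULL,
    sample     nvarchar(200) NULL
);
GO
CREATE TRIGGER dbo.tr_Comments_NoScript
ON dbo.Comments
FOR INSERT, UPDATE
AS
BEGIN
    SET NOCOUNT ON;
    -- Table variables are not undone by ROLLBACK, so the offending rows are copied out first.
    -- The match is case-insensitive under the default collation.
    DECLARE @bad TABLE (login_name sysname, sample nvarchar(200));
    INSERT INTO @bad (login_name, sample)
    SELECT SUSER_SNAME(), LEFT(ISNULL(body, author), 200)
    FROM inserted
    WHERE author LIKE '%<script%' OR body LIKE '%<script%';

    IF EXISTS (SELECT 1 FROM @bad)
    BEGIN
        ROLLBACK TRANSACTION;   -- undo the write; the trigger keeps running after this point
        INSERT INTO dbo.BlockedWrites (login_name, table_name, sample)
        SELECT login_name, 'dbo.Comments', sample FROM @bad;   -- survives, runs outside the rolled-back transaction
        RAISERROR('Write rejected: script tag found in submitted data', 16, 1);
    END
END
GO
-- A legitimate write succeeds:
INSERT INTO dbo.Comments (author, body) VALUES (N'alice', N'Nice phone, good battery.');
-- A write carrying the tag from the post is rejected and logged:
INSERT INTO dbo.Comments (author, body)
VALUES (N'bob', N'hi <SCRIPT src=http://www.xxxxx.com/m.js></SCRIPT>');
-- The first row is in dbo.Comments; the second attempt appears in dbo.BlockedWrites.
SELECT * FROM dbo.Comments;
SELECT * FROM dbo.BlockedWrites;
```

The cost the post warns about is real: every INSERT and UPDATE now runs two LIKE scans over the inserted rows. That is cheap per row, but on bulk loads it adds up, so the trigger belongs on the handful of user-content tables that take web input, not on every table.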
6. When writing the program, use parameterized SQL or stored procedures.
For example:
C# code
protected void cmdOK_Click(object sender, EventArgs e)
{
    // Add information
    StringBuilder sql = new StringBuilder("insert into m_phone (PID, phonename, num, price, phonetype, onselltime, color, weight, video, camera, phonesize, phonesystem, memorysize, phonedesc, standbytime, screensize, frequency, inputmethod, soundrecord, GPS, FM, MP3, email, infrared, game, clock, calendar, calculator, Bluetooth) ");
    sql.Append("values (@PID, @textphonename, @textnum, @textprice, @dropphonetype2, @textonselltime, @textcolor, @textweight");
    // ... remaining parameter placeholders
    SqlParameter[] paras = {
        new SqlParameter("@PID", SqlDbType.Int, 4),
        new SqlParameter("@textphonename", SqlDbType.NVarChar, 50),
        new SqlParameter("@textnum", SqlDbType.Int, 4),
        new SqlParameter("@textprice", SqlDbType.Int, 4),
        new SqlParameter("@dropphonetype2", SqlDbType.VarChar, 20),
        new SqlParameter("@textonselltime", SqlDbType.DateTime, 8),
        new SqlParameter("@textcolor", SqlDbType.VarChar, 20),
        new SqlParameter("@textweight", SqlDbType.NVarChar, 50),
        // ...
    };
    string[] strA = {
        dropphonetype.SelectedValue, textphonename.Text, textnum.Text, textprice.Text,
        dropphonetype2.SelectedValue, textonselltime.Text, textcolor.Text, textweight.Text,
        // ...
    };
    int a = strA.Length;
    int j;
    for (j = 0; j < a; j++)
    {
        paras[j].Value = strA[j];   // every user value is bound to a typed parameter, never concatenated into the SQL text
    }
    int strPID = 0;
    string sqlA = sql.ToString();
    try
    {
        SqlHelper.ExcuteNonQurey(sqlA, CommandType.Text, paras);                              // execute the insert (SqlHelper is the author's own helper class)
        strPID = Convert.ToInt32(SqlHelper.ExcuteSclare(sqlA, CommandType.Text, paras));       // obtain the ID number just inserted
    }
    catch (SqlException ex)
    {
        cmdReturn.Text = ex.Message.ToString();
    }
    cmdReturn.Text = strPID.ToString();
    // ...
}
7. The parameters passed through the URL must be encrypted and decrypted.
C# code
// transmit
string szTmp = "safdsfdsafdsfytrsd";
szTmp = Server.UrlEncode(szTmp);   // UrlEncode only escapes characters for the URL; it is not encryption
// receive
string strA = Server.UrlDecode(Request.QueryString[szTmp]);
8. Escape the single quotes in any parameter before placing it in SQL.
For example: string strA = aa.Replace("'", "''");
If you use parameterized SQL statements, you do not need to process single quotes yourself.
Specifying the parameter type and filtering out single quotes prevents 99.9% of intrusions.
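Items 6 and 8 describe three ways of getting a user-supplied value into a query: concatenating it, doubling its quotes by hand, and binding it as a typed parameter. The following added example (not part of the original post) shows all three side by side in T-SQL, using a constructed dbo.m_phone table that stands in for the post's table of the same name and a constructed input that contains a single quote. It shows the general point rather than the post's one C# call: the first form breaks at the quote, the second works but has a size limit that must be checked, and the third needs no quote handling at all.

```sql
-- Added example, not from the original post. Constructed table and input.
CREATE TABLE dbo.m_phone (PID int IDENTITY PRIMARY KEY, phonename nvarchar(50));
INSERT INTO dbo.m_phone (phonename) VALUES (N'O''Neil 3310');
INSERT INTO dbo.m_phone (phonename) VALUES (N'Nokia 6600');
GO
DECLARE @input nvarchar(50);
SET @input = N'O''Neil 3310';          -- constructed input containing a single quote

-- (a) String concatenation: the quote ends the literal and whatever follows is parsed as SQL.
--     With this input that is only a syntax error; attacker-chosen text after the quote
--     would be executed in exactly the same way.
DECLARE @sql nvarchar(max);
SET @sql = N'SELECT PID FROM dbo.m_phone WHERE phonename = ''' + @input + N'''';
PRINT @sql;                            -- ... WHERE phonename = 'O'Neil 3310'
BEGIN TRY
    EXEC sp_executesql @sql;
END TRY
BEGIN CATCH
    PRINT 'concatenated query failed: ' + ERROR_MESSAGE();
END CATCH;

-- (b) Doubling quotes by hand, which is what the post's Replace("'", "''") does.
--     QUOTENAME does the same server-side, but returns NULL for input longer than
--     128 characters, so the whole statement becomes NULL: check before executing.
SET @sql = N'SELECT PID FROM dbo.m_phone WHERE phonename = ' + QUOTENAME(@input, '''');
IF @sql IS NULL
    PRINT 'value too long to quote safely';
ELSE
    EXEC sp_executesql @sql;           -- returns PID 1

-- (c) Parameterised: the statement text is fixed and @name is bound with a declared type.
--     No quote handling is needed anywhere in application code.
EXEC sp_executesql
    N'SELECT PID FROM dbo.m_phone WHERE phonename = @name',
    N'@name nvarchar(50)',
    @name = @input;                    -- returns PID 1
```

Form (c) is the T-SQL equivalent of the SqlParameter array in item 6: the value travels separately from the statement, so the database never has to decide where the literal ends.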