The code is as follows:
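-- Strips one injected string from every character column of every user table
-- in the current database (SQL Server, T-SQL), and prints how many rows changed.
--
-- This only cleans stored data; the query that allowed the injection still has
-- to be found and parameterized, or the rows will be re-infected.
-- Take a backup and try the script on a restored copy first: it rewrites data
-- in place and has no undo.
DECLARE @delStr NVARCHAR(500)
-- The injected string to remove. It must match what is stored in the affected
-- rows character for character, whitespace included; the value below is as
-- printed on the page, so compare it with a real infected row before running.
SET @delStr = '<script src = http://www.kansm.com/js/common.js> </script>'

SET NOCOUNT ON

DECLARE @tableName SYSNAME, @columnName SYSNAME, @tbID INT, @iRow INT, @iResult INT
DECLARE @SQL NVARCHAR(4000), @quotedColumn NVARCHAR(260)
SET @iResult = 0

-- Outer cursor: every user table (xtype 'U') in the current database.
-- Tables are addressed by bare name, so a table outside the caller's default
-- schema will presumably fail to resolve -- verify on multi-schema databases.
DECLARE cur CURSOR FOR
    SELECT name, id FROM sysobjects WHERE xtype = 'U'
OPEN cur
FETCH NEXT FROM cur INTO @tableName, @tbID
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Inner cursor: character columns of this table.
    -- xtype 231 = nvarchar, 167 = varchar, 239 = nchar, 175 = char,
    -- 35 = text, 99 = ntext.
    -- NOTE(review): for text/ntext columns confirm on a copy that the
    -- SUBSTRING + concatenation below neither fails nor truncates long values.
    DECLARE cur1 CURSOR FOR
        SELECT name FROM syscolumns
        WHERE xtype IN (231, 167, 239, 175, 35, 99) AND id = @tbID
    OPEN cur1
    FETCH NEXT FROM cur1 INTO @columnName
    WHILE @@FETCH_STATUS = 0
    BEGIN
        -- QUOTENAME escapes any ']' inside an identifier, so an unusual table
        -- or column name cannot break out of the generated statement.
        SET @quotedColumn = QUOTENAME(@columnName)

        -- The search string is passed as the parameter @needle instead of being
        -- spliced into the statement text, so quotes inside it need no escaping.
        -- PATINDEX/LIKE still treat %, _ and [ in @needle as wildcards.
        -- The update keeps the text before the first match and the text after
        -- it, i.e. it removes ONE occurrence per row per run; rerun the script
        -- until it reports 0 records if values were injected more than once.
        SET @SQL = N'UPDATE ' + QUOTENAME(@tableName)
            + N' SET ' + @quotedColumn
            + N' = SUBSTRING(' + @quotedColumn + N', 1, PATINDEX(N''%'' + @needle + N''%'', ' + @quotedColumn + N') - 1)'
            + N' + SUBSTRING(' + @quotedColumn + N', PATINDEX(N''%'' + @needle + N''%'', ' + @quotedColumn + N') + LEN(@needle), DATALENGTH(' + @quotedColumn + N'))'
            + N' WHERE ' + @quotedColumn + N' LIKE N''%'' + @needle + N''%'''

        EXEC sp_executesql @SQL, N'@needle NVARCHAR(500)', @needle = @delStr

        -- @@ROWCOUNT must be read immediately after the EXEC.
        SET @iRow = @@ROWCOUNT
        SET @iResult = @iResult + @iRow
        IF @iRow > 0
        BEGIN
            PRINT 'table: ' + @tableName + ', column: ' + @columnName + ' updated ' + CONVERT(VARCHAR(10), @iRow) + 'records ;'
        END
        FETCH NEXT FROM cur1 INTO @columnName
    END
    CLOSE cur1
    DEALLOCATE cur1
    FETCH NEXT FROM cur INTO @tableName, @tbID
END
PRINT 'database total ' + CONVERT(VARCHAR(10), @iResult) + ' records updated !!! '
CLOSE cur
DEALLOCATE cur
SET NOCOUNT OFF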