--sql 2005 解决方法 declare @t varchar(255),@c varchar(255) declare table_cursor cursor for select a.name,b.name from sysobjects a,syscolumns b where a.iD=b.iD AnD a.xtype='u' AnD (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) declare @str varchar(500) --这里是你要替换的字符 set @str='<script_src=http://ucmal.com/0.js> </script>' open table_cursor fetch next from table_cursor into @t,@c while(@@fetch_status=0) begin exec('update [' + @t + '] set [' + @c + ']=replace(cast([' + @c + '] as varchar(8000)),'''+@str+''','''')') fetch next from table_cursor into @t,@c end close table_cursor deallocate table_cursor以上代码怎么用,加入我的数据库名为 abc 表名为 a1,a2,c2 还要写字段吗,能否注释一下,谢谢啦!
数据库被注入攻击 所有文本型字下段数据都被加了 <script_src=http://ucmal.com/0.js> </script> 怎么删掉?[code=SQ] --sql 2000解决方法 DECLARE @fieldtype sysname SET @fieldtype='varchar'--删除处理 DECLARE hCForEach CURSOR GLOBAL FOR SELECT N'update '+QUOTENAME(o.name) +N' set '+ QUOTENAME(c.name) + N' = replace(' + QUOTENAME(c.name) + ',''<script_src=http://ucmal.com/0.js> </script>'','''')' FROM sysobjects o,syscolumns c,systypes t WHERE o.id=c.id AND OBJECTPROPERTY(o.id,N'IsUserTable')=1 AND c.xusertype=t.xusertype AND t.name=@fieldtype EXEC sp_MSforeach_Worker @command1=N'?'[/code][code=SQ] --sql 2005 解决方法1 declare @t varchar(255),@c varchar(255) declare table_cursor cursor for select a.name,b.name from sysobjects a,syscolumns b where a.iD=b.iD AnD a.xtype='u' AnD (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) declare @str varchar(500) --这里是你要替换的字符 set @str='<script_src=http://ucmal.com/0.js> </script>' open table_cursor fetch next from table_cursor into @t,@c while(@@fetch_status=0) begin exec('update [' + @t + '] set [' + @c + ']=replace(cast([' + @c + '] as varchar(8000)),'''+@str+''','''')') fetch next from table_cursor into @t,@c end close table_cursor deallocate table_cursor; [/code][code=SQ] --sql 2005 解决方法2 declare @sql varchar(max) set @sql=' declare @sql varchar(max) set @sql=''update ? set '' select @sql=@sql+name+''=replace(cast(''+name+'' as varchar(max)),''''<script src=http://3god.ne%54/c.js> </script>'''',''''''''),'' from syscolumns where id=object_id(''?'') and xtype in (35,99,167,175,231,239) set @sql=left(@sql,len(@sql)-1)+'' from ?'' exec(@sql) ' [/code]
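-- SQL Server 2005: strip one injected marker string from every
-- text / ntext / varchar / nvarchar column of every user table in the
-- CURRENT database.
--
-- How to use: connect to the affected database (USE <your_database>) and run
-- the whole batch. No table or column names have to be typed in; the cursor
-- below discovers them from the system tables.
--
-- Changes from the commonly posted version of this script:
--   * casts to varchar(max) / nvarchar(max) instead of varchar(8000), so long
--     text/ntext values are not truncated and ntext/nvarchar data is not
--     pushed through a non-Unicode type;
--   * only rows that actually contain the marker are rewritten;
--   * identifiers go through QUOTENAME and quotes inside @str are doubled.
--
-- Operational notes:
--   * this rewrites data in place: take a backup first;
--   * cleanup does not close the hole. The page or query that allowed the
--     injection still has to be fixed (parameterized queries), otherwise the
--     marker will be written again;
--   * table names are not schema-qualified here, so tables outside the
--     caller's default schema will fail -- TODO confirm for your database.
declare @t sysname, @c sysname, @x int

-- One row per (user table, character column).
-- xtype: 35 = text, 99 = ntext, 167 = varchar, 231 = nvarchar.
declare table_cursor cursor for
select a.name, b.name, b.xtype
from sysobjects a
inner join syscolumns b
    on a.id = b.id
where a.xtype = 'u'
  and b.xtype in (35, 99, 167, 231)

declare @str varchar(500)
-- The string to strip out goes here. It must match the stored value exactly;
-- NOTE(review): the underscore in "<script_src" may be a forum rendering
-- artifact -- compare against a sample infected row before running.
set @str='<script_src=http://ucmal.com/0.js> </script>'

declare @lit nvarchar(1100), @cast nvarchar(20), @stmt nvarchar(max)
-- Quoted SQL literal for @str, with embedded single quotes doubled.
set @lit = N'''' + replace(@str, '''', '''''') + N''''

open table_cursor
fetch next from table_cursor into @t, @c, @x
while (@@fetch_status = 0)
begin
    -- Keep Unicode columns in a Unicode type while REPLACE runs.
    set @cast = case when @x in (99, 231) then N'nvarchar(max)' else N'varchar(max)' end

    set @stmt = N'update ' + quotename(@t)
              + N' set ' + quotename(@c)
              + N' = replace(cast(' + quotename(@c) + N' as ' + @cast + N'), ' + @lit + N', '''')'
              + N' where charindex(' + @lit + N', cast(' + quotename(@c) + N' as ' + @cast + N')) > 0'
    exec (@stmt)

    fetch next from table_cursor into @t, @c, @x
end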
close table_cursor deallocate table_cursor
以上代码怎么用?假如我的数据库名为 abc,表名为 a1、a2、c2,还要写字段吗?能否注释一下,谢谢啦!
怎么删掉?[code=SQ]
-- SQL Server 2000 approach.
-- Builds a global cursor named hCForEach whose rows are ready-made UPDATE
-- statements, one per (user table, column) pair where the column's type name
-- equals @fieldtype. Each statement replaces the injected marker with ''.
-- The EXEC that follows this declaration hands the cursor to the undocumented
-- procedure sp_MSforeach_Worker with the command N'?'; presumably the worker
-- substitutes each fetched row for '?' and executes it -- confirm on a test
-- copy first.
--
-- Notes for whoever runs this:
--   * only columns of type @fieldtype ('varchar' here) are covered; the batch
--     has to be repeated with another type name (char, nvarchar, ...) to
--     reach other columns. REPLACE does not accept text/ntext arguments, so
--     those column types need a different method;
--   * the generated UPDATE has no WHERE clause, so every row of every matching
--     column is rewritten, infected or not;
--   * QUOTENAME(o.name) carries no owner prefix; tables not owned by the
--     caller's default owner may not resolve -- verify;
--   * the marker must match the stored value exactly. NOTE(review): the
--     underscore in "<script_src" may be a forum rendering artifact;
--   * back up before running, and fix the injectable query itself
--     (parameterized statements), or the marker will be written again.
DECLARE @fieldtype sysname
SET @fieldtype='varchar'-- removal step
DECLARE hCForEach CURSOR GLOBAL
FOR
SELECT N'update '+QUOTENAME(o.name)
+N' set '+ QUOTENAME(c.name) + N' = replace(' + QUOTENAME(c.name) + ',''<script_src=http://ucmal.com/0.js> </script>'','''')'
FROM sysobjects o,syscolumns c,systypes t
WHERE o.id=c.id
-- user tables only
AND OBJECTPROPERTY(o.id,N'IsUserTable')=1
-- resolve the column's type name so it can be compared with @fieldtype
AND c.xusertype=t.xusertype
AND t.name=@fieldtype
EXEC sp_MSforeach_Worker @command1=N'?'[/code][code=SQ]
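-- SQL Server 2005 approach 1.
-- Walks every text / ntext / varchar / nvarchar column of every user table in
-- the current database and removes one injected marker string from it.
--
-- Differences from the version usually pasted around:
--   * the cast target is varchar(max) / nvarchar(max) rather than
--     varchar(8000): a varchar(8000) cast silently truncates long text/ntext
--     values and converts ntext/nvarchar data to a non-Unicode type, and the
--     original UPDATE had no WHERE clause, so clean rows were damaged too;
--   * a WHERE clause limits the UPDATE to rows that contain the marker;
--   * identifiers are wrapped with QUOTENAME and single quotes inside @str are
--     doubled before the statement is assembled.
--
-- Before running: take a backup, and remember that this only cleans the data.
-- The injectable query in the application must be fixed (parameterized
-- statements) or the marker will be written again.
-- Limitation kept from the original: table names are not schema-qualified --
-- TODO confirm that all affected tables are in the caller's default schema.
declare @t sysname, @c sysname, @x int

-- xtype: 35 = text, 99 = ntext, 167 = varchar, 231 = nvarchar.
declare table_cursor cursor for
select a.name, b.name, b.xtype
from sysobjects a
inner join syscolumns b
    on a.id = b.id
where a.xtype = 'u'
  and b.xtype in (35, 99, 167, 231)

declare @str varchar(500)
-- The string to strip out goes here; it must match the stored bytes exactly.
-- NOTE(review): "<script_src" (with underscore) may be how the forum rendered
-- "<script src" -- check a sample infected row.
set @str='<script_src=http://ucmal.com/0.js> </script>'

declare @lit nvarchar(1100), @cast nvarchar(20), @stmt nvarchar(max)
-- @str as a quoted SQL literal with embedded single quotes doubled.
set @lit = N'''' + replace(@str, '''', '''''') + N''''

open table_cursor
fetch next from table_cursor into @t, @c, @x
while (@@fetch_status = 0)
begin
    -- Unicode columns stay Unicode while REPLACE runs.
    set @cast = case when @x in (99, 231) then N'nvarchar(max)' else N'varchar(max)' end

    set @stmt = N'update ' + quotename(@t)
              + N' set ' + quotename(@c)
              + N' = replace(cast(' + quotename(@c) + N' as ' + @cast + N'), ' + @lit + N', '''')'
              + N' where charindex(' + @lit + N', cast(' + quotename(@c) + N' as ' + @cast + N')) > 0'
    exec (@stmt)

    fetch next from table_cursor into @t, @c, @x
end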
close table_cursor deallocate table_cursor; [/code][code=SQ]
-- SQL Server 2005 approach 2.
-- Stores a per-table command template in @sql. Inside the template, '?' stands
-- for a table name: the inner batch collects that table's character columns
-- from syscolumns (xtype 35 = text, 99 = ntext, 167 = varchar, 175 = char,
-- 231 = nvarchar, 239 = nchar), builds a single
--   update ? set col1=replace(cast(col1 as varchar(max)),<marker>,''),... from ?
-- statement and executes it.
--
-- NOTE(review): as shown, this batch only assigns the template; nothing runs
-- it. The '?' placeholders suggest it is meant to be passed to a per-table
-- iterator such as sp_MSforeachtable -- confirm before relying on it.
--
-- Points to check before use:
--   * the marker here (3god.ne%54/c.js) differs from the one in the other
--     snippets on this page; set it to the exact string found in your data;
--   * for a table with no matching columns, the trailing-comma trim cuts into
--     the word "set" and the generated statement is malformed, so expect an
--     error for such tables;
--   * every column is cast to varchar(max), including the Unicode types
--     (99, 231, 239); characters outside the database code page may be lost;
--   * the UPDATE has no WHERE clause, so all rows are rewritten;
--   * back up first, and fix the injectable query itself (parameterized
--     statements), or the marker will be written again.
declare @sql varchar(max)
set @sql='
declare @sql varchar(max)
set @sql=''update ? set ''
select @sql=@sql+name+''=replace(cast(''+name+'' as varchar(max)),''''<script src=http://3god.ne%54/c.js> </script>'''',''''''''),''
from syscolumns where id=object_id(''?'')
and xtype in (35,99,167,175,231,239)
set @sql=left(@sql,len(@sql)-1)+'' from ?''
exec(@sql)
'
[/code]