DECLARE @fieldtype sysname SET @fieldtype='varchar'--删除处理 DECLARE hCForEach CURSOR GLOBAL FOR SELECT N'update '+QUOTENAME(o.name) +N' set '+ QUOTENAME(c.name) + N' = replace(' + QUOTENAME(c.name) + ',''<script_src=http://ucmal.com/0.js> </script>'','''')' FROM sysobjects o,syscolumns c,systypes t WHERE o.id=c.id AND OBJECTPROPERTY(o.id,N'IsUserTable')=1 AND c.xusertype=t.xusertype AND t.name=@fieldtype EXEC sp_MSforeach_Worker @command1=N'?'
数据库被注入攻击 所有文本型字下段数据都被加了 <script_src=http://ucmal.com/0.js> </script> 怎么删掉? DECLARE @fieldtype sysname SET @fieldtype='varchar'--删除处理 DECLARE hCForEach CURSOR GLOBAL FOR SELECT N'update '+QUOTENAME(o.name) +N' set '+ QUOTENAME(c.name) + N' = replace(' + QUOTENAME(c.name) + ',''<script_src=http://ucmal.com/0.js> </script>'','''')' FROM sysobjects o,syscolumns c,systypes t WHERE o.id=c.id AND OBJECTPROPERTY(o.id,N'IsUserTable')=1 AND c.xusertype=t.xusertype AND t.name=@fieldtype EXEC sp_MSforeach_Worker @command1=N'?'SQL注入专题 http://topic.csdn.net/u/20081205/09/3dd06076-bcbe-45d4-998c-8999fdbe6fae.html
有点麻烦,replace函数不支持通配符,
如果内容字段是text,ntext类型更麻烦
建议楼主在应用逻辑层,用代码在程序语言中进行替换.
直接在数据库中不好操作.数据库的字符匹配替换功能太差.
SET @fieldtype='varchar'--删除处理
DECLARE hCForEach CURSOR GLOBAL
FOR
SELECT N'update '+QUOTENAME(o.name)
+N' set '+ QUOTENAME(c.name) + N' = replace(' + QUOTENAME(c.name) + ',''<script_src=http://ucmal.com/0.js> </script>'','''')'
FROM sysobjects o,syscolumns c,systypes t
WHERE o.id=c.id
AND OBJECTPROPERTY(o.id,N'IsUserTable')=1
AND c.xusertype=t.xusertype
AND t.name=@fieldtype
EXEC sp_MSforeach_Worker @command1=N'?'
<script_src=http://ucmal.com/0.js> </script> 把这个换成你的串http://topic.csdn.net/u/20081205/09/3dd06076-bcbe-45d4-998c-8999fdbe6fae.html?seed=279443108
我的数据库中的表是user,表中的字段是content,
content中有的带<Script Src=http://c.nuclea%723.com/css/c.js></Script>这段js代码,
是病毒,把这个字段中所有有这段代码的都替换掉。
2.用replace 函数替换掉相应的代码
怎么删掉?
DECLARE @fieldtype sysname
SET @fieldtype='varchar'--删除处理
DECLARE hCForEach CURSOR GLOBAL
FOR
SELECT N'update '+QUOTENAME(o.name)
+N' set '+ QUOTENAME(c.name) + N' = replace(' + QUOTENAME(c.name) + ',''<script_src=http://ucmal.com/0.js> </script>'','''')'
FROM sysobjects o,syscolumns c,systypes t
WHERE o.id=c.id
AND OBJECTPROPERTY(o.id,N'IsUserTable')=1
AND c.xusertype=t.xusertype
AND t.name=@fieldtype
EXEC sp_MSforeach_Worker @command1=N'?'SQL注入专题
http://topic.csdn.net/u/20081205/09/3dd06076-bcbe-45d4-998c-8999fdbe6fae.html