<< 在Visual Studio中使用TODO LIST | 字符串分割的SQL脚本 >>

数据库技术去除SQL Server数据表中的注入脚本的存储过程

2009-09-30 00:02

网站的数据库经常可能由于管理不严密，被注入js脚本到数据表的字段中，下面是一个自己写的清除脚本。

IF  EXISTS (SELECT * FROM sys.objects WHERE object_id = OBJECT_ID(N'[dbo].[RemoveNoise]') AND type in (N'P', N'PC'))
    DROP PROCEDURE dbo.RemoveNoise
GO

CREATE PROCEDURE dbo.RemoveNoise
    @TableName varchar(2000),
    @RemovedString varchar(4000)
AS
BEGIN
    DECLARE @name varchar(2000)

    DECLARE cols CURSOR
    FOR SELECT c.name FROM sys.columns c
    INNER JOIN sys.objects o ON c.OBJECT_ID = o.OBJECT_ID
    WHERE o.NAME = @TableName AND c.user_type_id IN (35,99,167,173,175,231,239)

    OPEN cols

    FETCH NEXT FROM cols INTO @name

    WHILE @@FETCH_STATUS = 0
    BEGIN
        EXECUTE(' UPDATE ' + @TableName + ' SET [' + @name + '] = REPLACE([' + @name + '],''' + @RemovedString + ''', '''')' )
        FETCH NEXT FROM cols INTO @name
    END

    CLOSE cols
    DEALLOCATE cols
END

标签：SQL Server, 去除注入脚本 comment

comment

评论 (0) |

友情链接