sql注入替换
declare @ReplaceSourceStr varchar(100),@ReplaceDescStr varchar(100)
select @ReplaceSourceStr='<script>',@ReplaceDescStr=''
declare my_cursor cursor scroll
for
select case when cols.xtype=35 or cols.xtype=99 then
'update '+tbls.name+' set ' + cols.name + '=replace(cast('+cols.name+' as varchar(8000)),'''+@ReplaceSourceStr+''','''+@ReplaceDescStr+''')'
else
'update '+tbls.name+' set ' + cols.name + '=replace('+cols.name+','''+@ReplaceSourceStr+''','''+@ReplaceDescStr+''')'
end
from
(select * from sysobjects where xtype='u') tbls
inner join
syscolumns cols on cols.id=tbls.id
where cols.xtype in (select xtype from systypes where name in('varchar','nvarchar','ntext','text','char' ))
open my_cursor
declare @fname varchar(2000),@sum int
set @sum=0
fetch next from my_cursor into @fname
while(@@fetch_status=0)
begin
set @sum=@sum+1
exec(@fname)
fetch next from my_cursor into @fname
end
print @sum
close my_cursor
deallocate my_cursor
select @ReplaceSourceStr='<script>',@ReplaceDescStr=''
declare my_cursor cursor scroll
for
select case when cols.xtype=35 or cols.xtype=99 then
'update '+tbls.name+' set ' + cols.name + '=replace(cast('+cols.name+' as varchar(8000)),'''+@ReplaceSourceStr+''','''+@ReplaceDescStr+''')'
else
'update '+tbls.name+' set ' + cols.name + '=replace('+cols.name+','''+@ReplaceSourceStr+''','''+@ReplaceDescStr+''')'
end
from
(select * from sysobjects where xtype='u') tbls
inner join
syscolumns cols on cols.id=tbls.id
where cols.xtype in (select xtype from systypes where name in('varchar','nvarchar','ntext','text','char' ))
open my_cursor
declare @fname varchar(2000),@sum int
set @sum=0
fetch next from my_cursor into @fname
while(@@fetch_status=0)
begin
set @sum=@sum+1
exec(@fname)
fetch next from my_cursor into @fname
end
print @sum
close my_cursor
deallocate my_cursor
浙公网安备 33010602011771号