删除MSSQL数据库text字段中恶意脚本
declare @delStr nvarchar(500) set @delStr='<script src=http://jiongjia.com/c.js>' --要被替换掉字符 /**********以下为操作实体************/ set nocount on declare @tableName nvarchar(100),@columnName nvarchar(100),@tbID int,@iRow int,@iResult int declare @sql nvarchar(500) set @iResult=0 declare cur cursor for select name,id from sysobjects where xtype='U' open cur fetch next from cur into @tableName,@tbID while @@fetch_status=0 begin declare cur1 cursor for --xtype in (231,167,239,175) 为char,varchar,nchar,nvarchar类型 select name from syscolumns where xtype in (231,167,239,175) and id=@tbID open cur1 fetch next from cur1 into @columnName while @@fetch_status=0 begin set @sql='update [' + @tableName + '] set ['+ @columnName +']= replace(['+@columnName+'],'''+@delStr+''','''') where ['+@columnName+'] like ''%'+@delStr+'%''' exec sp_executesql @sql set @iRow=@@rowcount set @iResult=@iResult+@iRow if @iRow>0 begin print '表:'+@tableName+',列:'+@columnName+'被更新'+convert(varchar(10),@iRow)+'条记录;' end fetch next from cur1 into @columnName end close cur1 deallocate cur1 fetch next from cur into @tableName,@tbID end print '数据库共有'+convert(varchar(10),@iResult)+'条记录被更新!!!' close cur deallocate cur set nocount off /*****以上为操作实体******/
支持text字段
--sql 2000\2005 解决方法 declare @t varchar(255),@c varchar(255) declare table_cursor cursor for select a.name,b.name from sysobjects a,syscolumns b where a.iD=b.iD AnD a.xtype='u' AnD (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) declare @str varchar(500) --这里是你要替换的字符 set @str='<script_src=http://ucmal.com/0.js> </script>' open table_cursor fetch next from table_cursor into @t,@c while(@@fetch_status=0) begin exec('update [' + @t + '] set [' + @c + ']=replace(cast([' + @c + '] as varchar(8000)),'''+@str+''','''')') fetch next from table_cursor into @t,@c end close table_cursor deallocate table_cursor;
浙公网安备 33010602011771号