Recently one of my MSSQL database got SQL Injection attacks.
Hacker put some JavaScript code in all row data to get hits on his website (which is apparently blocked, and soon my site will also be got banned if it keep happening for a long time).
Because the database has a huge amount of data, i can’t update table data using ExecuteNonQuery commands as it will result in a great overload on database and network resources.
So I decided to make something logical which is fast and logical way to handle this situation, and at last i ended up with writing a cursor.
This cursor finds a specific string and replaces it with null.
Scenario:
Create a table with sample data
create table tblDataUpdateTest
(
slno int identity(1,1),
cName varchar(50),
cRemarks varchar(50),
)
insert into tblDataUpdateTest (cName, cRemarks) values (’name1′,’some text here BADCODE’)
insert into tblDataUpdateTest (cName, cRemarks) values (’name2′,’raBADCODEhul’)
insert into tblDataUpdateTest (cName, cRemarks) values (’name3′,’dj BADCODEis devil’)
select * from tblDataUpdateTest
Create Cursor to update database table
Declare @@counter int
set @@counter=0
Declare @@slno int
Declare @@cRemarks varchar(100)
Declare tmepTbl cursor
For
Select slno,cRemarks from tblDataUpdateTest
Open tmepTbl /* Opening the cursor */
fetch next from tmepTbl
into @@slno,@@cRemarks
while @@fetch_Status-1
begin
Update tblDataUpdateTest
set cRemarks = Replace(@@cRemarks,’BADCODE’,”)
where slno = @@slno
fetch next from tmepTbl
into @@slno, @@cRemarks
set @@counter=@@counter+1
end
close tmepTbl
Deallocate tmepTbl
Conclusion:
By running this cursor all the occurrences of BADCODE will be eliminated from the specified table.
Note:
I used word BADCODE here but in my actual data it was a java script tag which was creating all the problem.
1 comment:
nice stuff dude, keep posting
Post a Comment