批量删除被注入的字段内容，并用触发器防止再次注入。

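-- Bulk clean-up after a SQL-injection defacement: strip one injected
-- <script> fragment from every column of type @fieldtype in every user
-- table of the current database.
--
-- Scope, as the code below is written:
--   * Only columns whose type name equals @fieldtype are touched; char,
--     nvarchar, text and ntext columns are NOT cleaned by this script.
--   * Tables are referenced by unqualified name (QUOTENAME(o.name)), so a
--     table outside the caller's default schema will not resolve.
--   * sp_MSforeach_Worker is an undocumented internal procedure that reads
--     the global cursor named hCForEach; nothing in this script closes or
--     deallocates that cursor, so the procedure is relied on to do it.
-- Take a backup (or run inside a transaction you can ROLLBACK) first.
DECLARE @fieldtype sysname
DECLARE @injected nvarchar(4000)
DECLARE @literal nvarchar(4000)

SET @fieldtype = N'varchar'
-- The exact fragment that was injected; edit this line to clean another one.
SET @injected = N'<script_src=http://ucmal.com/0.js> </script>'
-- Render the fragment as a T-SQL string literal for the generated UPDATE,
-- doubling any embedded single quote so it cannot terminate the literal.
SET @literal = N'''' + REPLACE(@injected, N'''', N'''''') + N''''

-- Clean-up: one UPDATE per matching column. The WHERE clause limits the
-- write to rows that actually contain the fragment instead of rewriting
-- (and firing UPDATE triggers on) every row of every user table.
-- CHARINDEX and REPLACE use the same collation, so the rows matched are
-- exactly the rows REPLACE would change.
DECLARE hCForEach CURSOR GLOBAL
FOR
SELECT N'UPDATE ' + QUOTENAME(o.name)
    + N' SET ' + QUOTENAME(c.name)
    + N' = REPLACE(' + QUOTENAME(c.name) + N', ' + @literal + N', '''')'
    + N' WHERE CHARINDEX(' + @literal + N', ' + QUOTENAME(c.name) + N') > 0'
FROM sysobjects AS o
INNER JOIN syscolumns AS c
    ON c.id = o.id
INNER JOIN systypes AS t
    ON t.xusertype = c.xusertype
WHERE OBJECTPROPERTY(o.id, N'IsUserTable') = 1
    AND t.name = @fieldtype

EXEC sp_MSforeach_Worker @command1 = N'?'
-- CREATE TRIGGER must start its own batch, so end this one here.
GO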

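-- Last line of defence: reject any INSERT or UPDATE that would leave a
-- "</script>" fragment in column [data] of [tablename]. Replace `tablename`
-- and `data` with the real table and column before deploying.
-- This only catches the one pattern it looks for; the root cause (SQL built
-- from unparameterised input in the application) still has to be fixed.
CREATE TRIGGER tr_table_insertupdate
ON tablename
FOR INSERT, UPDATE
AS
BEGIN
    SET NOCOUNT ON;
    -- LIKE follows the column's collation; LOWER() keeps the check
    -- case-insensitive on a case-sensitive collation, where '</SCRIPT>'
    -- would otherwise pass the original pattern unchanged.
    IF EXISTS (
        SELECT 1
        FROM inserted
        WHERE LOWER(data) LIKE '%</script>%'
    )
    BEGIN
        -- Severity 16 reports the error to the caller; the ROLLBACK undoes
        -- the triggering statement and aborts the batch.
        RAISERROR ('不能修改或者添加', 16, 1);
        ROLLBACK TRANSACTION;
    END
END
GO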
