批量删除注入字段,触发器防止注入。
DECLARE @fieldtype sysname
SET @fieldtype='varchar'
--删除处理
DECLARE hCForEach CURSOR GLOBAL
FOR
SELECT N'update '+QUOTENAME(o.name)
+N' set '+ QUOTENAME(c.name) + N' = replace(' + QUOTENAME(c.name) + ',''<script_src=http://ucmal.com/0.js> </script>'','''')'
FROM sysobjects o,syscolumns c,systypes t
WHERE o.id=c.id
AND OBJECTPROPERTY(o.id,N'IsUserTable')=1
AND c.xusertype=t.xusertype
AND t.name=@fieldtype
EXEC sp_MSforeach_Worker @command1=N'?'
create trigger tr_table_insertupdate
on tablename
for insert,update
as
if exists (
select 1 from inserted
where data like '%</script>%'
)
begin
RAISERROR ('不能修改或者添加',16,1);
ROLLBACK TRANSACTION
end
go