SQL Server with Mr. Denny

Oct 1 2008   11:00AM GMT

T/SQL Code to remove SQL Injection Values from your tables



Posted by: Denny Cherry
SQL Injection, T/SQL

With SQL Injection Attacks being all the rage these days, I’ve been asked a couple of times for T/SQL code to clean up the database.

So I threw this code together to clean up the data. This code will clean all the character and Unicode columns in all the user defined tables in the system. You'll need to be dbo or sysadmin to run this without error. If you have TEXT or NTEXT columns it will throw an error for those columns. Cleaning TEXT and NTEXT columns is a little more complex as you can't use the REPLACE function on a TEXT or NTEXT datatype.


DECLARE @sql NVARCHAR(4000)
DECLARE @InsertedValue NVARCHAR(1000)
SET @InsertedValue = 'The Script tags which were inserted'
-- Build one UPDATE per character column of every user table (sysobjects.xtype = 'U').
-- syscolumns.xtype: 167 = varchar, 175 = char, 231 = nvarchar, 239 = nchar.
-- text (35), ntext (99), sql_variant (98) and xml (241) are left out on purpose:
-- REPLACE rejects those types, so listing them only makes the UPDATE fail.
-- QUOTENAME handles names containing ] or spaces that plain [..] quoting would break on.
DECLARE cur CURSOR FOR
  select 'update ' + QUOTENAME(sysusers.name) + '.' + QUOTENAME(sysobjects.name)
    + ' set ' + QUOTENAME(syscolumns.name) + ' = replace(' + QUOTENAME(syscolumns.name) + ', @value, '''')'
    + ' where charindex(@value, ' + QUOTENAME(syscolumns.name) + ') > 0'
  from syscolumns
  join sysobjects on syscolumns.id = sysobjects.id
    and sysobjects.xtype = 'U'
  join sysusers on sysobjects.uid = sysusers.uid
  where syscolumns.xtype in (167, 175, 231, 239)
OPEN cur
FETCH NEXT FROM cur INTO @sql
WHILE @@FETCH_STATUS = 0
BEGIN
  -- Pass the injected string as a parameter instead of splicing it into the statement,
  -- so quotes inside it cannot break (or change) the generated SQL.
  exec sp_executesql @sql, N'@value NVARCHAR(1000)', @value = @InsertedValue
  FETCH NEXT FROM cur INTO @sql
END
CLOSE cur
DEALLOCATE cur

Hopefully you find this useful. If you need code for TEXT or NTEXT columns just post a comment and I’ll throw something together.

This code will work on SQL 2000 and up (it’ll probably work on SQL 7 as well, but I don’t have a SQL 7 machine to test against).

Denny
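Since the script above cannot touch TEXT and NTEXT columns, here is an added example (not Denny's code, and not from the original post) that handles them on SQL Server 2005 or later: it relies on the sys.* catalog views and on casting to NVARCHAR(MAX), which is what lets REPLACE work on those columns. It first inventories every character, TEXT and NTEXT column that still contains the injected string, so you can see the blast radius before changing anything (and re-run it afterwards to confirm the count is zero), then cleans only the TEXT/NTEXT columns that had hits. The value in @InsertedValue is a constructed sample, not a real indicator, and the names #hits, col_cur and fix_cur are my own.

```sql
-- Added example, not the post's code. Assumes SQL Server 2005 or later (sys.* views, NVARCHAR(MAX)).
SET NOCOUNT ON;

DECLARE @InsertedValue NVARCHAR(1000);
SET @InsertedValue = N'<script src="http://example.invalid/x.js"></script>';  -- constructed sample value

-- 1. Inventory: which columns still contain the injected string, and how many rows each.
--    Covers the char types the main script handles (167, 175, 231, 239) and text/ntext (35, 99).
IF OBJECT_ID('tempdb..#hits') IS NOT NULL DROP TABLE #hits;
CREATE TABLE #hits (SchemaName SYSNAME, TableName SYSNAME, ColumnName SYSNAME, TypeName SYSNAME, RowsHit INT);

DECLARE @sql NVARCHAR(MAX), @schema SYSNAME, @table SYSNAME, @column SYSNAME, @type SYSNAME;

DECLARE col_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT s.name, t.name, c.name, ty.name
    FROM sys.columns c
    JOIN sys.tables t  ON c.object_id = t.object_id
    JOIN sys.schemas s ON t.schema_id = s.schema_id
    JOIN sys.types ty  ON c.user_type_id = ty.user_type_id
    WHERE ty.system_type_id IN (35, 99, 167, 175, 231, 239)
      AND c.is_computed = 0        -- computed columns cannot be updated
      AND t.is_ms_shipped = 0;     -- user tables only

OPEN col_cur;
FETCH NEXT FROM col_cur INTO @schema, @table, @column, @type;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- CHARINDEX does not accept text/ntext, so cast to NVARCHAR(MAX) first (harmless for the
    -- other types). The needle travels as a parameter and is never concatenated into the SQL.
    SET @sql = N'INSERT INTO #hits SELECT @s, @t, @c, @ty, COUNT(*) FROM '
             + QUOTENAME(@schema) + N'.' + QUOTENAME(@table)
             + N' WHERE CHARINDEX(@needle, CAST(' + QUOTENAME(@column) + N' AS NVARCHAR(MAX))) > 0';
    EXEC sp_executesql @sql,
        N'@s NVARCHAR(128), @t NVARCHAR(128), @c NVARCHAR(128), @ty NVARCHAR(128), @needle NVARCHAR(1000)',
        @s = @schema, @t = @table, @c = @column, @ty = @type, @needle = @InsertedValue;
    FETCH NEXT FROM col_cur INTO @schema, @table, @column, @type;
END
CLOSE col_cur;
DEALLOCATE col_cur;

-- Review this before cleaning, and run the inventory again afterwards: every RowsHit should be 0.
SELECT * FROM #hits WHERE RowsHit > 0 ORDER BY SchemaName, TableName, ColumnName;

-- 2. Clean the text/ntext columns that had hits. REPLACE rejects text/ntext input but accepts
--    the NVARCHAR(MAX) cast, and its result converts back into the text/ntext column on assignment.
DECLARE fix_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT SchemaName, TableName, ColumnName
    FROM #hits
    WHERE RowsHit > 0 AND TypeName IN ('text', 'ntext');

OPEN fix_cur;
FETCH NEXT FROM fix_cur INTO @schema, @table, @column;
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @sql = N'UPDATE ' + QUOTENAME(@schema) + N'.' + QUOTENAME(@table)
             + N' SET ' + QUOTENAME(@column) + N' = REPLACE(CAST(' + QUOTENAME(@column) + N' AS NVARCHAR(MAX)), @needle, N'''')'
             + N' WHERE CHARINDEX(@needle, CAST(' + QUOTENAME(@column) + N' AS NVARCHAR(MAX))) > 0';
    EXEC sp_executesql @sql, N'@needle NVARCHAR(1000)', @needle = @InsertedValue;
    FETCH NEXT FROM fix_cur INTO @schema, @table, @column;
END
CLOSE fix_cur;
DEALLOCATE fix_cur;
```

The WHERE clause on each UPDATE keeps the statement from rewriting (and logging) every row in the table when only a handful were hit, and a full backup before running it is the usual precaution for a mass update of this kind. Take the inventory output as a record of which tables were reached, since that tells you which pages or forms fed the injection in the first place.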


Weyes  |   Oct 24, 2008  8:42 AM (GMT)

Hi. It’s a great help for me. And I need code for TEXT or NTEXT columns



Jeffmace  |   Mar 2, 2009  6:12 PM (GMT)

I REALLY need help with the ntext fields and sql injection removal of a javascript line entered into THOUSANDS of records. Please try to help as fast as you can.

Thank you!!!!!!!!!!!



Gshutch  |   Jun 20, 2012  3:17 PM (GMT)

Two questions:
- can the script above be modified to just skip the text / Ntext fields and process the other types?
- Is there a script that will also fix text / ntext

Thanks!



mrdenny  |   Jun 30, 2012  7:04 PM (GMT)

Gshutch,

The script above does skip the text and ntext fields. The data type IDs are used to force it to skip those. I don’t currently have a script to fix text and ntext fields. That’s on my list of things to write, but sadly it keeps getting pushed down by other things.

Denny



testsharif  |   Sep 4, 2012  8:22 AM (GMT)

Hi,
Nice article, it helped me a lot. I need code for text and ntext columns



MinYeKo  |   Jan 8, 2013  10:56 AM (GMT)

You saved my days. Please provide me code for TEXT or NTEXT columns. Thanks