Comments on: How to Fix a SQL Injection Attack

By: Madhivanan

Madhivanan — Fri, 04 Jun 2010 13:37:40 +0000

Here is derived table approach that can avoid SQL Injection
http://beyondrelational.com/blogs/madhivanan/ar...

By: Brian

Brian — Sat, 11 Apr 2009 21:10:20 +0000

in the previous post, the script got cut out, what I used what the 2nd script and replaced the table name, column name, and injection script I wanted removed. Sometimes simple is better.

By: Brian

Brian — Sat, 11 Apr 2009 21:07:23 +0000

I tried a lot of code to rid my ms sql database of these scripts that were put there from an injection attack. Until now, I had no success, you code saved my DB! Thanks so much. I had a lot of different types of scripts and a lot of table to go through. I ended up using this script:

<|/1/>UPDATE [tableName]
<|/1/>SET columnName = REPLACE(CAST(columnName <|/1/>AS <|/2/>VARCHAR(<| style="color: #cc66cc;">8000)), '"><!--%'

I went table by table and column by column to make sure I got it all. For future reference, how would you rewrite this script so that I can put the table, column, and offending script in as a variable?

By: Laju

Laju — Sun, 05 Oct 2008 11:39:29 +0000

Thank you, it was really useful….

By: SitePoint Blogs » All’s Quiet on the CF Front…

SitePoint Blogs » All’s Quiet on the CF Front… — Thu, 28 Aug 2008 14:03:17 +0000

[...] – has hit version 0.8. SQL Injection attacks still bugging you? Simon Whatley has posted on how to fix an SQL Injection hack, and also how to protect against a malicious attack in the first place (hat tip to Steve Bryant). [...]

By: bigric

bigric — Wed, 27 Aug 2008 06:19:19 +0000

Thank you! That really saved me a lot of time.