T/SQL Code to remove SQL Injection Values from your tables

With SQL Injection Attacks being all the rage these days, I’ve been asked a couple of times for T/SQL code to clean up the database.

So I threw this code together to clean up the data. This code will clean all the character and uni-code columns in all the user defined tables in the system. You’ll need to be dbo or sysadmin to run this without error. If you have TEXT or NTEXT columns it will through an error for those columns. Cleaning TEXT and NTEXT columns is a little more complex as you can’t use the REPLACE function on a TEXT or NTEXT datatype.


DECLARE @sql NVARCHAR(4000)
DECLARE @InsertedValue NVARCHAR(1000)
SET @InsertedValue = 'The Script tags which were inserted'
DECLARE cur CURSOR FOR
  	select 'update [' + sysusers.name + '].[' + sysobjects.name + ']
  		set [' + syscolumns.name + '] = replace([' + syscolumns.name + '], ''' + @InsertedValue + ''', '''')'
  	from syscolumns
  	join sysobjects on syscolumns.id = sysobjects.id
  		and sysobjects.xtype = 'U'
  	join sysusers on sysobjects.uid = sysusers.uid
  	where syscolumns.xtype in (35, 98, 99, 167, 175, 231, 239, 241, 231)
  OPEN cur
  FETCH NEXT FROM cur INTO @sql
  WHILE @@FETCH_STATUS = 0
  BEGIN
  	exec (@sql)
  	FETCH NEXT FROM cur INTO @sql
  END
  CLOSE cur
  DEALLOCATE cur

Hopefully you find this useful. If you need code for TEXT or NTEXT columns just post a comment and I’ll throw something together.

This code will work on SQL 2000 and up (it’ll probably work on SQL 7 as well, but I don’t have a SQL 7 machine to test against).

Denny

Share

9 Responses

  1. I REALLY need help with the ntext fields and sql injection removal of a javascript line entered into THOUSANDS of records. Please try to help as fast as you can.

    Thank you!!!!!!!!!!!

  2. Two questions:
    – can the script above be modified to just skip the text / Ntext fields and process the other types?
    – Is there a script that will also fix text / ntext

    Thanks!

  3. Gshutch,The script above does skip the text and ntext fields.  The data type IDs are used to force it to skip those.  I don’t currently have a script to fix text and ntext fields.  That’s on my list of things to write, but sadly it keeps getting pushed down by other things.Denny

  4. Hi- how exactly does this script work?  How does it know what records contain SQL injection in order to replace/delete them?

    Thank you!
  5. regemail,

    The script generates T-SQL code which updates every value in every column looking for whatever value you pass into the @InsertedValue parameter and simply removes that part of the value.  You’ll need to look at your data to see what the bad value is.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Trust DCAC with your data

Your data systems may be treading water today, but are they prepared for the next phase of your business growth?