Topic: How to solve SQL injection?  (Read 3738 times)
« on: July 20, 2009, 10:11:30 PM »
Janak
The stored procedures below help you clean up after a SQL injection attack: the first finds where an injected string has been stored (every text column of every user table), the second replaces it across all tables. Note that they repair the stored data; preventing injection in the first place is an application concern (parameterised queries, no string-built SQL).


To search for the string:
==================

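CREATE PROC SearchAllTables
(
    @SearchStr nvarchar(100)
)
AS
BEGIN

-- Copyright © 2002 Narayana Vyas Kondreddi. All rights reserved.
-- Purpose: To search all columns of all tables for a given search string
-- Written by: Narayana Vyas Kondreddi
-- Site: SQL Server information @ Narayana Vyas Kondreddi's website: A good resource for all your SQL Server needs!
-- Tested on: SQL Server 7.0 and SQL Server 2000
-- Date modified: 28th July 2002 22:50 GMT
--
-- Result set: one row (ColumnName, ColumnValue) for every value in a char/varchar/nchar/nvarchar
-- column of a user base table (IsMSShipped = 0) that satisfies LIKE '%' + @SearchStr + '%'.
-- ColumnName is '[schema].[table].[column]'; ColumnValue is the first 3630 characters of the value.
-- @SearchStr is used as a LIKE pattern, so %, _ and [ inside it act as wildcards, not literals.
-- Reads run WITH (NOLOCK): values from uncommitted transactions may be reported.
-- Raises error 50000 (severity 16) and returns no result set when @SearchStr is NULL or empty
-- (trailing-space-only input counts as empty), because an empty pattern would dump every string
-- value in the database.
-- Everything that reaches the dynamic SQL from outside is either QUOTENAME'd (identifiers read
-- from INFORMATION_SCHEMA) or has its single quotes doubled (@SearchStr and the label literal);
-- keep it that way when editing.

    SET NOCOUNT ON

    IF @SearchStr IS NULL OR @SearchStr = N''
    BEGIN
        RAISERROR('SearchAllTables: @SearchStr must be a non-empty string', 16, 1)
        RETURN
    END

    CREATE TABLE #Results (ColumnName nvarchar(370), ColumnValue nvarchar(3630))

    -- Sized for the worst case: QUOTENAME doubles every character it has to escape, so a quoted
    -- identifier can reach 258 characters and the quoted LIKE literal 204. The original
    -- nvarchar(110) pattern variable silently truncated a search string containing several
    -- quotes, which left an unterminated literal (syntax error) in the dynamic SQL.
    DECLARE @TableName nvarchar(520), @ColumnName nvarchar(260), @Label nvarchar(4000), @SearchStr2 nvarchar(4000)

    SET @TableName = N''
    -- Single quotes in the search string are doubled so the value cannot leave the literal.
    -- REPLACE is used instead of QUOTENAME(..., '''') so that no 128-character input limit
    -- applies (QUOTENAME returns NULL beyond it and the statement would silently become NULL).
    SET @SearchStr2 = N'''%' + REPLACE(@SearchStr, N'''', N'''''') + N'%'''

    -- Outer loop: walk user base tables in [schema].[table] order. MIN(...) > @TableName is the
    -- "next key" idiom that works on SQL Server 7/2000 without cursors or ROW_NUMBER().
    WHILE @TableName IS NOT NULL
    BEGIN
        SET @ColumnName = N''
        SET @TableName =
        (
            SELECT MIN(QUOTENAME(TABLE_SCHEMA) + N'.' + QUOTENAME(TABLE_NAME))
            FROM INFORMATION_SCHEMA.TABLES
            WHERE TABLE_TYPE = 'BASE TABLE'
              AND QUOTENAME(TABLE_SCHEMA) + N'.' + QUOTENAME(TABLE_NAME) > @TableName
              AND OBJECTPROPERTY(
                      OBJECT_ID(QUOTENAME(TABLE_SCHEMA) + N'.' + QUOTENAME(TABLE_NAME)),
                      'IsMSShipped'
                  ) = 0
        )

        -- Inner loop: walk the table's string-typed columns the same way.
        WHILE (@TableName IS NOT NULL) AND (@ColumnName IS NOT NULL)
        BEGIN
            SET @ColumnName =
            (
                SELECT MIN(QUOTENAME(COLUMN_NAME))
                FROM INFORMATION_SCHEMA.COLUMNS
                WHERE TABLE_SCHEMA = PARSENAME(@TableName, 2)
                  AND TABLE_NAME = PARSENAME(@TableName, 1)
                  AND DATA_TYPE IN ('char', 'varchar', 'nchar', 'nvarchar')
                  AND QUOTENAME(COLUMN_NAME) > @ColumnName
            )

            IF @ColumnName IS NOT NULL
            BEGIN
                -- The label is emitted inside a string literal, so a quote in an object name has
                -- to be doubled there as well: QUOTENAME only protects the identifier positions,
                -- and an unescaped quote in the label would end the literal early.
                SET @Label = REPLACE(@TableName + N'.' + @ColumnName, N'''', N'''''')
                INSERT INTO #Results
                EXEC
                (
                    N'SELECT ''' + @Label + N''', LEFT(' + @ColumnName + N', 3630)' +
                    N' FROM ' + @TableName + N' WITH (NOLOCK)' +
                    N' WHERE ' + @ColumnName + N' LIKE ' + @SearchStr2
                )
            END
        END
    END

    SELECT ColumnName, ColumnValue FROM #Results
END

GO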


====================================================


To replace the string:
================

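CREATE PROC SearchAndReplace
(
    @SearchStr nvarchar(1000),
    @ReplaceStr nvarchar(1000)
)
AS
BEGIN

-- Copyright © 2002 Narayana Vyas Kondreddi. All rights reserved.
-- Purpose: To search all columns of all tables for a given search string and replace it with another string
-- Written by: Narayana Vyas Kondreddi, Updated by: Blake Nall
-- Site: SQL Server information @ Narayana Vyas Kondreddi's website: A good resource for all your SQL Server needs!
-- Tested on: SQL Server 2005 not supported by 2000 or 7
-- Date modified: 7/21/2008
-- Updated by Blake of blaken.net to support ntext and text fields
--
-- Replaces every occurrence of @SearchStr with @ReplaceStr in every char/varchar/nchar/nvarchar
-- and text/ntext column of every user base table (IsMSShipped = 0). The row filter is
-- LIKE '%' + @SearchStr + '%' (so %, _ and [ in @SearchStr act as wildcards there); the rewrite
-- itself is REPLACE(), i.e. literal. Returns one row, Outcome = 'Replaced N occurrence(s)', where
-- N is the number of ROWS updated (a row holding the string twice counts once).
-- Each column is rewritten by its own UPDATE, autocommitted unless the caller has opened a
-- transaction: run it inside BEGIN TRAN, inspect, then COMMIT, because there is no undo and a
-- failure midway leaves the columns already processed rewritten.
-- Raises error 50000 (severity 16) and does nothing when @SearchStr is NULL or empty
-- (REPLACE(col, '', x) is a no-op, so an empty needle would only rewrite every row in the
-- database for nothing) or when @ReplaceStr is NULL (REPLACE(col, x, NULL) would NULL the
-- column; pass '' to delete the search string).
-- Caller-supplied values reach the dynamic SQL only as quote-doubled literals; identifiers come
-- from INFORMATION_SCHEMA through QUOTENAME. Keep it that way when editing.

    SET NOCOUNT ON

    IF @SearchStr IS NULL OR @SearchStr = N''
    BEGIN
        RAISERROR('SearchAndReplace: @SearchStr must be a non-empty string', 16, 1)
        RETURN
    END
    IF @ReplaceStr IS NULL
    BEGIN
        RAISERROR('SearchAndReplace: @ReplaceStr must not be NULL (use '''' to delete the search string)', 16, 1)
        RETURN
    END

    -- Identifier variables are sized for QUOTENAME's worst case (every ] doubled); the SQL and
    -- literal variables are nvarchar(max) so two 1000-character inputs plus a long table/column
    -- name can never be truncated into a broken statement.
    DECLARE @TableName nvarchar(520), @ColumnName nvarchar(260), @tColumnName nvarchar(260),
            @SearchLit nvarchar(max), @ReplaceLit nvarchar(max), @SearchStr2 nvarchar(max),
            @SQL nvarchar(max), @RCTR int

    SET @TableName = N''
    SET @RCTR = 0

    -- Quote the two values once by doubling embedded single quotes. The original used
    -- QUOTENAME(..., ''''), which returns NULL for any input longer than 128 characters; with
    -- nvarchar(1000) parameters that turned @SQL into NULL, EXEC ran nothing and the procedure
    -- reported 0 replacements for long search strings. @SearchStr2 was also nvarchar(110) and
    -- silently truncated the LIKE pattern.
    SET @SearchLit  = N'''' + REPLACE(@SearchStr, N'''', N'''''') + N''''
    SET @ReplaceLit = N'''' + REPLACE(@ReplaceStr, N'''', N'''''') + N''''
    SET @SearchStr2 = N'''%' + REPLACE(@SearchStr, N'''', N'''''') + N'%'''

    -- Outer loop: walk user base tables in [schema].[table] order via the MIN(...) > last idiom.
    WHILE @TableName IS NOT NULL
    BEGIN
        SET @ColumnName = N''
        SET @tColumnName = N''
        SET @TableName =
        (
            SELECT MIN(QUOTENAME(TABLE_SCHEMA) + N'.' + QUOTENAME(TABLE_NAME))
            FROM INFORMATION_SCHEMA.TABLES
            WHERE TABLE_TYPE = 'BASE TABLE'
              AND QUOTENAME(TABLE_SCHEMA) + N'.' + QUOTENAME(TABLE_NAME) > @TableName
              AND OBJECTPROPERTY(
                      OBJECT_ID(QUOTENAME(TABLE_SCHEMA) + N'.' + QUOTENAME(TABLE_NAME)),
                      'IsMSShipped'
                  ) = 0
        )

        -- Pass 1: fixed-width / varying string columns, rewritten in place.
        WHILE (@TableName IS NOT NULL) AND (@ColumnName IS NOT NULL)
        BEGIN
            SET @ColumnName =
            (
                SELECT MIN(QUOTENAME(COLUMN_NAME))
                FROM INFORMATION_SCHEMA.COLUMNS
                WHERE TABLE_SCHEMA = PARSENAME(@TableName, 2)
                  AND TABLE_NAME = PARSENAME(@TableName, 1)
                  AND DATA_TYPE IN ('char', 'varchar', 'nchar', 'nvarchar')
                  AND QUOTENAME(COLUMN_NAME) > @ColumnName
            )

            IF @ColumnName IS NOT NULL
            BEGIN
                SET @SQL = N'UPDATE ' + @TableName +
                           N' SET ' + @ColumnName + N' = REPLACE(' + @ColumnName + N', ' + @SearchLit + N', ' + @ReplaceLit + N')' +
                           N' WHERE ' + @ColumnName + N' LIKE ' + @SearchStr2
                EXEC (@SQL)
                -- @@ROWCOUNT here is the row count of the UPDATE that EXEC just ran.
                SET @RCTR = @RCTR + @@ROWCOUNT
            END
        END

        -- Pass 2: text/ntext columns. REPLACE() does not accept them directly, so the value is
        -- widened to nvarchar(max) for the rewrite and implicitly converted back on assignment.
        WHILE (@TableName IS NOT NULL) AND (@tColumnName IS NOT NULL)
        BEGIN
            SET @tColumnName =
            (
                SELECT MIN(QUOTENAME(COLUMN_NAME))
                FROM INFORMATION_SCHEMA.COLUMNS
                WHERE TABLE_SCHEMA = PARSENAME(@TableName, 2)
                  AND TABLE_NAME = PARSENAME(@TableName, 1)
                  AND DATA_TYPE IN ('ntext', 'text')
                  AND QUOTENAME(COLUMN_NAME) > @tColumnName
            )

            IF @tColumnName IS NOT NULL
            BEGIN
                SET @SQL = N'UPDATE ' + @TableName +
                           N' SET ' + @tColumnName + N' = REPLACE(CAST(' + @tColumnName + N' AS NVARCHAR(MAX)), ' + @SearchLit + N', ' + @ReplaceLit + N')' +
                           N' WHERE ' + @tColumnName + N' LIKE ' + @SearchStr2
                EXEC (@SQL)
                SET @RCTR = @RCTR + @@ROWCOUNT
            END
        END

    END

    SELECT 'Replaced ' + CAST(@RCTR AS varchar) + ' occurrence(s)' AS 'Outcome'
END
GO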

====================================================

Thanks!

Janak
« Last Edit: April 28, 2010, 10:34:04 PM by Janak » Logged

« Reply #1 on: August 09, 2009, 09:09:44 PM »
Kailash

Hi Janak,

Thanks for sharing such useful information!

Regards,

Kailash
