How to detect and clean an SQL Injection


I believe that we have been hit with an SQL injection attack. At the top of our website page it has the following:

<script src=></script>

Can you tell me how to detect and clean it if this is the case?


rezen Commented:
Same thing happened to me. Damn Chinese hackers!

What I did was run the SQL code here:

This allowed me to generate a SQL script that parses all my tables and erases all the injected text in all character-storing columns.

The code on the guy's site is not entirely working. I had to erase a smiley tag and fix the comments. Once it ran, it generated all the update statements needed. Make sure you tweak the code to replace the '<script...' with an empty string: ''
Also note that this does not clean NTEXT columns, which are affected by the SQL Injection. What I did was convert all my NTEXT columns to VARCHAR(MAX) [supported in SQL Server 2005].

Good luck, and don't forget to fix your vulnerabilities.
If it is really coming from an outside attack, you have to fix all the holes in your applications.
Every textbox without validation can be a hole to SQL if it is used incorrectly.
I can give you guidelines for this, but you have to do the cleaning manually.

As far as I know there is no automatic test tool, but someone may know about one.
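
The approach described in the first answer (generate UPDATE statements for every character column, with NTEXT handled separately), as an added T-SQL example; it is not the script that answer refers to and not code from any poster. The `@marker` value is a constructed placeholder, since the page does not show the injected URL, and the `@cols` table variable is a name introduced here.

```sql
-- Added example (T-SQL, SQL Server 2005 or later). It only generates statements;
-- review the output and run it yourself after taking a backup.
SET NOCOUNT ON;

-- Constructed placeholder: replace with the exact tag found in your own pages.
DECLARE @marker nvarchar(400);
SET @marker = N'<script src=PLACEHOLDER></script>';

-- Marker as a quoted literal, and as a LIKE pattern with [, % and _ escaped.
DECLARE @lit nvarchar(1000), @like nvarchar(1000);
SET @lit  = N'N''' + REPLACE(@marker, N'''', N'''''') + N'''';
SET @like = REPLACE(REPLACE(REPLACE(@marker, N'[', N'[[]'), N'%', N'[%]'), N'_', N'[_]');
SET @like = N'N''%' + REPLACE(@like, N'''', N'''''') + N'%''';

-- Every text-bearing column of every user table (views and computed columns excluded).
DECLARE @cols TABLE (tbl nvarchar(520), col nvarchar(260), dtype nvarchar(128));
INSERT INTO @cols (tbl, col, dtype)
SELECT QUOTENAME(c.TABLE_SCHEMA) + N'.' + QUOTENAME(c.TABLE_NAME),
       QUOTENAME(c.COLUMN_NAME), c.DATA_TYPE
FROM INFORMATION_SCHEMA.COLUMNS AS c
JOIN INFORMATION_SCHEMA.TABLES AS t
  ON t.TABLE_SCHEMA = c.TABLE_SCHEMA AND t.TABLE_NAME = c.TABLE_NAME
WHERE t.TABLE_TYPE = 'BASE TABLE'
  AND c.DATA_TYPE IN ('char', 'varchar', 'nchar', 'nvarchar', 'text', 'ntext')
  AND COLUMNPROPERTY(OBJECT_ID(QUOTENAME(c.TABLE_SCHEMA) + N'.' + QUOTENAME(c.TABLE_NAME)),
                     c.COLUMN_NAME, 'IsComputed') = 0;

-- 1) Detection: one COUNT query per column; LIKE also accepts TEXT and NTEXT.
SELECT N'SELECT ''' + REPLACE(tbl + N'.' + col, N'''', N'''''')
     + N''' AS location, COUNT(*) AS hits FROM ' + tbl
     + N' WHERE ' + col + N' LIKE ' + @like + N' HAVING COUNT(*) > 0;' AS detect_sql
FROM @cols ORDER BY tbl, col;

-- 2) Cleanup: REPLACE() rejects TEXT/NTEXT, so only the other types get an UPDATE.
SELECT N'UPDATE ' + tbl + N' SET ' + col + N' = REPLACE(' + col + N', ' + @lit
     + N', N'''') WHERE ' + col + N' LIKE ' + @like + N';' AS cleanup_sql
FROM @cols WHERE dtype NOT IN ('text', 'ntext') ORDER BY tbl, col;

-- 3) TEXT/NTEXT columns that need separate handling (for example the conversion
--    to a MAX type mentioned in the answer) before REPLACE() can clean them.
SELECT tbl, col, dtype FROM @cols WHERE dtype IN ('text', 'ntext') ORDER BY tbl, col;
```

Run the detection statements first and keep their output as a record of which tables were touched; the cleanup removes the symptom only, and the injectable query in the application still has to be fixed.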

Question has a verified solution.
