First, I'll start by stating that I'm an idiot. Yes, I left a couple of holes in my code and I fell prey to a recent SQL Injection attack.
I'm pretty sure I've closed the holes in the code and have used Scrawlr to verify.
However, I'm still stuck trying to clean up the database. In my past experience the following code worked fine, but the tag attributes were wrapped in double quotes ("). However, this new injection code has the attributes wrapped in single quotes ('), which, unless doubled up, throws an error in MSSQL.
-- Any single quote inside the search string has to be written as two ('') in T-SQL
UPDATE myTABLE SET
Column1 = REPLACE(Column1, 'code to replace goes here', ''),
Column2 = REPLACE(Column2, 'code to replace goes here', ''),
Column3 = REPLACE(Column3, 'code to replace goes here', '')
I have used a script to generate the above code for each table in my DB. When I run it with the doubled-up single quotes the script executes without error but there are no matches since it's actually looking for the offending code with attributes wrapped in single quotes.
Please tell me there is a way to find matches and remove the code.
Here's what I have to write in order to not throw an error in MSSQL:
>losing weight while on peri
Here's what is actually in the db that I need to find and replace:
div style='display:none;'><a href='http:/something-something-something/1/'
losing weight while on peri
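The following T-SQL is an added worked example, not code from the post above. It builds a throwaway temp table with a constructed row containing markup whose attributes use single quotes (the table name, column names and the example.invalid URL are all assumptions), puts the injected fragment in a variable so the quote-doubling happens exactly once, audits which rows are affected before touching them, and only then runs the REPLACE. It also notes the text/ntext case, where REPLACE refuses the column type unless it is cast first.

```sql
-- Constructed sample data: one row with injected markup, one clean row (not the poster's real table)
CREATE TABLE #Demo (Id int, Body nvarchar(max));
INSERT INTO #Demo (Id, Body) VALUES
  (1, N'Hello <div style=''display:none;''><a href=''http://example.invalid/1/''>losing weight while on peri</a></div> world'),
  (2, N'clean text');

-- Put the fragment to remove in a variable. Each single quote inside the literal is
-- written as '' once; the variable then holds a real single quote in each place.
DECLARE @bad nvarchar(max) =
  N'<div style=''display:none;''><a href=''http://example.invalid/1/''>losing weight while on peri</a></div>';

-- Sanity check: this shows the value with single (not doubled) quotes, which is what is stored in the rows.
SELECT @bad AS SearchValue;

-- Audit first: list and count the rows that actually contain the fragment before updating anything.
SELECT Id, Body FROM #Demo WHERE CHARINDEX(@bad, Body) > 0;
SELECT COUNT(*) AS AffectedRows FROM #Demo WHERE CHARINDEX(@bad, Body) > 0;

-- Remove the fragment only from matching rows; the WHERE keeps the update (and the transaction log) small.
UPDATE #Demo
SET Body = REPLACE(Body, @bad, N'')
WHERE CHARINDEX(@bad, Body) > 0;

-- Verify: the count should now be 0 and row 1 should read 'Hello  world'.
SELECT COUNT(*) AS RemainingRows FROM #Demo WHERE CHARINDEX(@bad, Body) > 0;
SELECT Id, Body FROM #Demo;

-- Caveat: REPLACE (and CHARINDEX) do not accept text/ntext columns. For those, cast first, e.g.
--   UPDATE t SET Col = REPLACE(CAST(Col AS nvarchar(max)), @bad, N'')
--   WHERE CHARINDEX(@bad, CAST(Col AS nvarchar(max))) > 0;

DROP TABLE #Demo;
```

If the audit SELECT returns zero rows even though the fragment is visibly present, compare the stored text byte-for-byte against @bad (for example with LEN and SUBSTRING, or by selecting CAST(Body AS varbinary(max))): injected payloads often vary slightly between rows (different URLs, extra whitespace, entity-encoded quotes), in which case a LIKE pattern such as '%display:none;%<a href=%' is the better way to find them, and each variant needs its own REPLACE.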