SQL injection / cleanup

First, I'll start by stating that I'm an idiot.  Yes, I left a couple of holes in my code and I fell prey to a recent SQL Injection attack.

I'm pretty sure I've closed the holes in the code and have used Scrawlr to verify.

However, I'm still stuck trying to clean up the database. In my past experience the following code worked fine, but the tag attributes were wrapped in double quotes ("). However, this new injection code has the attributes wrapped in single quotes ('), which, unless doubled up, throws an error in MSSQL.

UPDATE myTABLE SET
            Column1 = REPLACE(Column1,'code to replace goes here',''),
            Column2 = REPLACE(Column2,'code to replace goes here',''),
            Column3 = REPLACE(Column3,'code to replace goes here','')

I have used a script to generate the above code for each table in my DB.  When I run it with the doubled-up single quotes the script executes without error but there are no matches since it's actually looking for the offending code with attributes wrapped in single quotes.

Please tell me there is a way to find matches and remove the code.

Here's what I have to write in order to not throw an error in MSSQL:
<script type=''text/javascript'' src=''http://something-something-something.js''></script><div style=''display:none;''><a href=''http:/something/1/''>losing weight while on peri

Here's what is actually in the db that I need to find and replace:
<script type='text/javascript' src='http://something-something-something.js'></script><div style='display:none;'><a href='http:/something-something-something/1/'>losing weight while on peri
Asked by: Addicted2HD
roeib commented:
Try this code:

DELIMITER $$

DROP FUNCTION IF EXISTS `replace_ci`$$
-- Case-insensitive REPLACE for MySQL. The search runs on lowercased copies,
-- but the parts of the original string that are not replaced keep their
-- original case (lowercasing the whole string would corrupt the data).
-- needle/str_rep are TEXT so a long injected tag is not truncated at 255 chars.
CREATE FUNCTION `replace_ci` (str TEXT, needle TEXT, str_rep TEXT)
RETURNS TEXT
DETERMINISTIC
BEGIN
  DECLARE return_str TEXT DEFAULT '';
  DECLARE pos INT;
  DECLARE needle_len INT DEFAULT CHAR_LENGTH(needle);
  -- An empty needle would loop forever (LOCATE('', s) returns 1), so return unchanged.
  IF needle_len = 0 THEN
    RETURN str;
  END IF;
  SET pos = LOCATE(LOWER(needle), LOWER(str));
  WHILE pos > 0 DO
    -- Keep the text before the match as-is, append the replacement, then continue after the match.
    SET return_str = CONCAT(return_str, SUBSTRING(str, 1, pos - 1), str_rep);
    SET str = SUBSTRING(str, pos + needle_len);
    SET pos = LOCATE(LOWER(needle), LOWER(str));
  END WHILE;
  RETURN CONCAT(return_str, str);
END$$

DELIMITER ;

/*
It takes the same parameters that the regular REPLACE function takes, and in the same order ;)
As an example:
SELECT replace_ci("mysql",'M','M'), replace("mysql",'M','M')

*/

Addicted2HD (Author) commented:
Thanks for the quick response. I did, however, realize after asking the question that the issue of not matching/stripping had to do with a data type of ntext used in the database rather than my syntax.

However, since you responded quickly and as far as I can tell your answer is accurately a response to my question I accept your answer.

Thanks again.
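The accepted answer is a MySQL stored function, while the question is about MSSQL, where the real blocker was the ntext column type: REPLACE and LIKE do not operate on ntext (or text) and silently do nothing useful unless the column is cast to nvarchar(max). The following T-SQL is an added example, not code from the original thread. It assumes the table dbo.myTABLE and the columns Column1/Column2 from the question; @payload is shortened to the script tag from the post (the hidden div and link that followed it would be appended the same way). Note that a doubled single quote inside a T-SQL string literal is the escape for one quote, so the literal parses to exactly the single-quoted attribute stored in the row; CHARINDEX is used for matching rather than LIKE so that %, _ and [ in a payload are never read as wildcards.

```sql
-- Added example (not from the original thread): remove an injected <script>
-- payload from SQL Server columns, including ntext ones.
-- dbo.myTABLE, Column1 and Column2 are assumed names taken from the question.

-- 1. The payload to strip. Each '' inside the literal is one ' once parsed,
--    so this matches type='text/javascript' exactly as stored.
--    (Shortened to the script tag; append the rest of the injected HTML here.)
DECLARE @payload nvarchar(max) =
    N'<script type=''text/javascript'' src=''http://something-something-something.js''></script>';

-- 2. Dry run: count matching rows before touching anything.
--    CAST(... AS nvarchar(max)) is what makes this work on ntext columns.
SELECT COUNT(*) AS hits
FROM dbo.myTABLE
WHERE CHARINDEX(@payload, CAST(Column1 AS nvarchar(max))) > 0
   OR CHARINDEX(@payload, CAST(Column2 AS nvarchar(max))) > 0;

-- 3. Clean inside a transaction so the row count can be compared with the
--    dry run before the change becomes permanent. nvarchar(max) converts
--    back to ntext implicitly on assignment.
BEGIN TRANSACTION;

UPDATE dbo.myTABLE SET
    Column1 = REPLACE(CAST(Column1 AS nvarchar(max)), @payload, N''),
    Column2 = REPLACE(CAST(Column2 AS nvarchar(max)), @payload, N'')
WHERE CHARINDEX(@payload, CAST(Column1 AS nvarchar(max))) > 0
   OR CHARINDEX(@payload, CAST(Column2 AS nvarchar(max))) > 0;

SELECT @@ROWCOUNT AS rows_updated;   -- should equal the dry-run hit count

COMMIT TRANSACTION;                  -- use ROLLBACK TRANSACTION if the counts disagree

-- 4. Generate one UPDATE per text-like column in the database so no table
--    is missed. The generated statements reference @payload, so run them in
--    the same batch as the DECLARE above.
SELECT 'UPDATE ' + QUOTENAME(TABLE_SCHEMA) + '.' + QUOTENAME(TABLE_NAME)
     + ' SET ' + QUOTENAME(COLUMN_NAME)
     + ' = REPLACE(CAST(' + QUOTENAME(COLUMN_NAME) + ' AS nvarchar(max)), @payload, N'''')'
     + ' WHERE CHARINDEX(@payload, CAST(' + QUOTENAME(COLUMN_NAME) + ' AS nvarchar(max))) > 0;'
     AS cleanup_statement
FROM INFORMATION_SCHEMA.COLUMNS
WHERE DATA_TYPE IN ('ntext', 'text', 'nvarchar', 'varchar', 'nchar', 'char')
ORDER BY TABLE_SCHEMA, TABLE_NAME, COLUMN_NAME;
```

Take a backup before running the generated statements, and rerun the dry-run count afterwards: a non-zero result means a variant of the payload (different URL, extra whitespace, mixed-case tag) is still present and needs its own @payload value.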