My database has recently been hacked by SQL injection leaving tags throughout data in all columns in all tables in my database. Is there a quick way of running a REPLACE UPDATE on all tables? Something like:

UPDATE [all tables] SET [all columns]=REPLACE([all columns], '<script>....</script>', '')
A: 

One way to do it is by going through metadata. The sys.tables table in your database can give you a list of all your tables:

select *
from sys.tables

Then you can use the sys.columns table to obtain the columns in those tables. And then you would need to generate SQL to make the updates in a loop, for example.

Have a look here for general info on querying the database schema in SQL Server 2005: http://msdn.microsoft.com/en-us/library/ms345522(v=SQL.90).aspx

CesarGon
@marc_s: you're correct; editing my answer.
CesarGon
+2  A: 

No, there's nothing directly in SQL Server that would allow you to do this.

However, indirectly - there is a way: you could inspect the system catalog views and enumerate all the columns - also limiting those to just (N)VARCHAR/(N)CHAR columns - and you could have your first T-SQL statement generate a list of UPDATE statement from those system catalog views.

With that list of T-SQL statements, you could then run the actual command to clean up your database - this will touch on all the character-oriented columns in all your tables in your database.

SELECT
    -- builds: UPDATE schema.table SET col = REPLACE(col, '<script>....</script>', '')
    -- (quotes inside the generated literal have to be doubled in T-SQL)
    'UPDATE ' + sch.name + '.' + t.name + ' SET ' + c.name + ' = REPLACE(' + c.name + ', ''<script>....</script>'', '''')'
FROM 
    sys.columns c
INNER JOIN 
    sys.tables t ON c.object_id = t.object_id
INNER JOIN 
    sys.schemas sch ON t.schema_id = sch.schema_id  
WHERE   
    t.is_ms_shipped = 0                        -- skip system tables
    AND c.user_type_id IN (167, 175, 231, 239) -- varchar, char, nvarchar, nchar

This will generate a list of UPDATE statements as a result, and you can then take those statements, copy & paste them into a second SSMS window, and run them to update your columns.

UPDATE dbo.T_ServicePSSAAudit SET RunType = REPLACE(RunType, '<script>....</script>', '')
UPDATE dbo.T_PromoStatus SET StatusText = REPLACE(StatusText, '<script>....</script>', '')
UPDATE dbo.T_PromoStatus SET StatusCode = REPLACE(StatusCode, '<script>....</script>', '')
UPDATE dbo.T_DSLSpeed SET CaptionCode = REPLACE(CaptionCode, '<script>....</script>', '')
UPDATE dbo.T_DVPTransfer SET RequestType = REPLACE(RequestType, '<script>....</script>', '')
UPDATE dbo.T_Promo SET Description = REPLACE(Description, '<script>....</script>', '')

You can find all the defined system types in the sys.types catalog view - I just grabbed the user_type_id values for char, nchar, varchar and nvarchar here in this sample.

marc_s
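The two answers above both describe the same procedure: enumerate the character columns from the catalog views, generate one UPDATE per column, then run the generated statements. The following T-SQL script is an added example (not code from either answer) that does both steps in one batch: it selects the columns by type name via sys.types, wraps object names with QUOTENAME, passes the injected fragment as a parameter to sp_executesql instead of embedding it in the generated text, and counts affected rows before touching anything. `@payload` holds a constructed placeholder fragment, and `@execute` is a hypothetical switch for this script.

```sql
-- Added example: report or remove an injected fragment from every
-- (n)char/(n)varchar column in all user tables of the current database.
DECLARE @payload NVARCHAR(MAX), @execute BIT;
SET @payload = N'<script>....</script>';  -- constructed placeholder: use the fragment you found
SET @execute = 0;                         -- 0 = only count affected rows; 1 = run the UPDATEs

DECLARE @table NVARCHAR(600), @column NVARCHAR(300), @sql NVARCHAR(MAX), @rc INT;

DECLARE col_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT QUOTENAME(sch.name) + N'.' + QUOTENAME(t.name), QUOTENAME(c.name)
    FROM sys.columns c
    INNER JOIN sys.tables  t   ON c.object_id    = t.object_id
    INNER JOIN sys.schemas sch ON t.schema_id    = sch.schema_id
    INNER JOIN sys.types   ty  ON c.user_type_id = ty.user_type_id
    WHERE t.is_ms_shipped = 0                                      -- user tables only
      AND ty.name IN (N'char', N'nchar', N'varchar', N'nvarchar'); -- by name, not hard-coded ids

OPEN col_cursor;
FETCH NEXT FROM col_cursor INTO @table, @column;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- CHARINDEX instead of LIKE: the fragment may contain %, _ or [ wildcards.
    -- The fragment travels as a parameter, so no quote-doubling is needed.
    IF @execute = 1
        SET @sql = N'UPDATE ' + @table + N' SET ' + @column
                 + N' = REPLACE(' + @column + N', @p, N'''')'
                 + N' WHERE CHARINDEX(@p, ' + @column + N') > 0; SET @rc = @@ROWCOUNT;';
    ELSE
        SET @sql = N'SELECT @rc = COUNT(*) FROM ' + @table
                 + N' WHERE CHARINDEX(@p, ' + @column + N') > 0;';

    EXEC sp_executesql @sql, N'@p NVARCHAR(MAX), @rc INT OUTPUT',
                       @p = @payload, @rc = @rc OUTPUT;

    IF @rc > 0
        PRINT @table + N'.' + @column + N': ' + CAST(@rc AS NVARCHAR(20))
            + CASE WHEN @execute = 1 THEN N' row(s) cleaned' ELSE N' row(s) contain the fragment' END;

    FETCH NEXT FROM col_cursor INTO @table, @column;
END
CLOSE col_cursor;
DEALLOCATE col_cursor;
```

Run it first with `@execute = 0` to see which columns are affected and how many rows, then set `@execute = 1` inside a transaction you can roll back. Columns of type text/ntext are not covered, because REPLACE does not accept those types.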