he‎ > ‎security‎ > ‎Html-Sql-Injection Detection‎ > ‎

obsolete with EXEC

Please read carefully: http://msdn.microsoft.com/en-us/library/ms188332.aspx
EXECUTE (Transact-SQL) feature will be removed in a future version of Microsoft SQL Server. Avoid using this feature in new development work, and plan to modify applications that currently use this feature.

Set TRANSACTION ISOLATION LEVEL read uncommitted;
If Exists(Select Top 1 object_id From tempdb.sys.tables where name = '##InjWatch')
    Delete From ##injWatch;
Else Create Table ##InjWatch (ctext varchar(max), tab varchar(128), col varchar(128));
GO

Declare CheckHTMLSQLInjection Cursor FAST_FORWARD READ_ONLY For
With inj As (
    Select s.name as s_name, T.name as t_name, c.name as c_name,
        'CAST([' + c.name + '] AS VARCHAR(MAX))' as c_cast,
        '' + s.name + '.[' +T.name + ']' as sT_name
    From sys.tables T
    Inner Join sys.columns c On c.object_id = T.object_id And c.user_type_id In (Select user_type_id
        From sys.types Where name In ('varchar', 'nvarchar', 'ntext', 'text', 'char', 'nchar', 'UserTypeChar'))
    Inner Join sys.schemas s On s.schema_id = T.schema_id
)
Select 'INSERT INTO ##InjWatch(ctext, tab, col) ' +
    'SELECT ' + c_cast + ' AS ctext, ''' + sT_name + ''' AS tab, ''' + c_name + ''' AS col ' +
    'FROM ' + sT_name+ ' WHERE (' + c_cast + ' LIKE ''%<%'' AND ' + c_cast + ' LIKE ''%>%'') ' +
    ' OR ' + c_cast + ' LIKE ''%script:%'''
From inj

Declare @execsql varchar(max)
Open CheckHTMLSQLInjection; Fetch Next From CheckHTMLSQLInjection Into @execsql
While (@@fetch_status = 0)
Begin
    Exec(@execsql);
    Fetch Next From CheckHTMLSQLInjection Into @execsql
End
Close CheckHTMLSQLInjection; Deallocate CheckHTMLSQLInjection

Select Distinct * From ##InjWatch
GO

Comments