SQL Injection - Help please


paul_watkins
05-21-2008, 07:57 AM
Hi

My site has been a victim of a SQL injection and JavaScript has been added to all the content in the database.

Is there an easy / quick way to remove the additional lines of code from the database? Stored procedure or something?

What's the best way to protect from a SQL injection?

Thanks for any help

Stimpson
05-21-2008, 09:06 AM
Hi, we have been attacked three times in the last couple of weeks by several Chinese domains.

I have started by restricting the field size (i.e. varchar to under 50) wherever possible to prevent the javascript line being inserted. The script line is about 50 characters, so if you have data that you know will always be less than that you can restrict it.

Next I have been setting up SQL constraints to check for 'script' in the data that is attempting to be inserted - e.g. not [FieldName] like '%script%'

This, I think, will avoid many instances of this kind of attack. I am still feeling my way but this is what I've come up with so far on the server side of things.

NogDog
05-21-2008, 09:07 AM
The best way to prevent it is probably to use a database interface that allows for prepared statements using bound parameters. If that is not an option, then some escaping mechanism should be used, such as the mysql_real_escape_string function if using the MySQL interface in PHP.

How to clean up the database may require more specifics on which DBMS you are using. If the offending string is the same in all cases, it should be fairly simple to set up an update query along these lines (MySQL):

UPDATE table_name
SET col_name = REPLACE(col_name, '<script>blah blah blah</script>', '')
WHERE col_name LIKE '%<script>blah blah blah</script>%'; -- only rewrite rows that actually contain it

paul_watkins
05-21-2008, 09:11 AM
Thanks for your reply.
I'm using ASP and MS SQL. The string has been added to all TEXT, nvarchar, varchar and char columns in all tables.

Is there a way to create a stored procedure that would check all columns and replace the string?
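
The following is an added example, not code from this thread or from either poster. It does for SQL Server what NogDog's single-column UPDATE/REPLACE does, but for every char, varchar, nchar, nvarchar, text and ntext column in every base table of the current database, which is what the question above asks for. It assumes SQL Server 2005 or later (nvarchar(max), sp_executesql with OUTPUT parameters), and the injected string in @bad is a constructed placeholder that must be replaced with the exact string found in your data. Take a full backup before running it; it rewrites data in place.

```sql
-- Added example (not from the thread): strip one known injected string from
-- every character column in the current database. Assumes SQL Server 2005+.
DECLARE @bad nvarchar(4000);
SET @bad = N'<script src="http://badsite.example/x.js"></script>';  -- constructed placeholder: paste the real injected string here

DECLARE @schema sysname, @table sysname, @column sysname, @type sysname;
DECLARE @sql nvarchar(max), @target nvarchar(400), @n int;

-- INFORMATION_SCHEMA lists every column; keep only character types on real tables
-- (not views), since those are the only ones the injected tag can live in.
DECLARE cols CURSOR LOCAL FAST_FORWARD FOR
    SELECT c.TABLE_SCHEMA, c.TABLE_NAME, c.COLUMN_NAME, c.DATA_TYPE
    FROM INFORMATION_SCHEMA.COLUMNS c
    JOIN INFORMATION_SCHEMA.TABLES t
      ON t.TABLE_SCHEMA = c.TABLE_SCHEMA AND t.TABLE_NAME = c.TABLE_NAME
    WHERE t.TABLE_TYPE = 'BASE TABLE'
      AND c.DATA_TYPE IN ('char', 'varchar', 'nchar', 'nvarchar', 'text', 'ntext');

OPEN cols;
FETCH NEXT FROM cols INTO @schema, @table, @column, @type;
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @target = QUOTENAME(@schema) + N'.' + QUOTENAME(@table);

    -- text/ntext cannot be handed to REPLACE or CHARINDEX directly; cast to
    -- nvarchar(max) first. CHARINDEX is used instead of LIKE so that %, _ or [
    -- inside the injected string are not treated as wildcards.
    IF @type IN ('text', 'ntext')
        SET @sql = N'UPDATE ' + @target
                 + N' SET ' + QUOTENAME(@column) + N' = REPLACE(CAST(' + QUOTENAME(@column) + N' AS nvarchar(max)), @bad, N'''')'
                 + N' WHERE CHARINDEX(@bad, CAST(' + QUOTENAME(@column) + N' AS nvarchar(max))) > 0;'
                 + N' SET @n = @@ROWCOUNT;';
    ELSE
        SET @sql = N'UPDATE ' + @target
                 + N' SET ' + QUOTENAME(@column) + N' = REPLACE(' + QUOTENAME(@column) + N', @bad, N'''')'
                 + N' WHERE CHARINDEX(@bad, ' + QUOTENAME(@column) + N') > 0;'
                 + N' SET @n = @@ROWCOUNT;';

    -- The column/table names are quoted with QUOTENAME and the search string is
    -- passed as a parameter, so the cleanup script is not itself injectable.
    EXEC sp_executesql @sql, N'@bad nvarchar(4000), @n int OUTPUT', @bad = @bad, @n = @n OUTPUT;
    PRINT @target + N'.' + QUOTENAME(@column) + N': ' + CAST(@n AS nvarchar(10)) + N' row(s) cleaned';

    FETCH NEXT FROM cols INTO @schema, @table, @column, @type;
END
CLOSE cols;
DEALLOCATE cols;
```

Two caveats from experience with this kind of cleanup. REPLACE removes one exact string, so if several variants were injected (different domains, different script names) run it once per variant, or restore from a backup taken before the first attack if you have one. And the database will be reinfected within days, as Stimpson's three attacks in two weeks show, until the page that concatenates user input into SQL is fixed; cleaning and patching have to go together.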

Stimpson
05-21-2008, 09:12 AM
I just posted a reply to this thread and it's disappeared.

To sum up what I wrote, we have been attacked 3 times in 2 weeks. I've only just heard of this kind of attack, but here is what I'm putting in place to prevent further problems.

1. Restricting field lengths to under 50 characters where possible. The javascript code is about 50 characters, so if it tries to insert it will result in an error.

2. Constraints in the SQL database, like: not [FieldName] like '%script%' which will check data for occurrences of 'script' and refuse modification if it is found.

Stimpson
05-21-2008, 09:21 AM
I'm also using ASP and MsSQL.

On the website side of things, you can try to prevent attacks by escaping the apostrophe before it goes into your SELECT statement. This is how, I think, SQL injections happen in that they change your

www.yoursite.com/product.asp?Product=Ipod

to something like

www.yoursite.com/product.asp?Product=Ipod' UPDATE Products SET Product = '<script etc etc' WHERE Product is not null

or something like that anyway.

You need to take your request info from the URL string, bung it in a variable and replace the apostrophe with two of them.

varProduct = Replace(request("Product"),"'","''")

Then reference your variable in your SELECT statement.
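
To make the mechanism above concrete, here is an added example that is not from the thread or from either poster. It reproduces the attack and the apostrophe-doubling fix in T-SQL against a throwaway temp table, so it can be run as-is in Management Studio without touching a real site; the table contents and the payloads are constructed, and the script tag is a harmless placeholder. It also covers the case the apostrophe trick does not handle, a numeric parameter that the page concatenates without quotes, and shows the parameterised form that is safe for both. It assumes SQL Server 2005 or later (nvarchar(max), TRY/CATCH).

```sql
-- Added example (not code from the thread). Everything lives in a temp table;
-- data and payloads are constructed, '<script>x</script>' is a placeholder.
IF OBJECT_ID('tempdb..#Products') IS NOT NULL DROP TABLE #Products;
CREATE TABLE #Products (ProductID int, Product nvarchar(50), Descr nvarchar(200));
INSERT INTO #Products VALUES (1, N'Ipod', N'Music player');
INSERT INTO #Products VALUES (2, N'Zune', N'Another music player');

DECLARE @sql nvarchar(max), @payload nvarchar(200), @idInput nvarchar(200);

-- What request("Product") contains during the attack described above.
SET @payload = N'Ipod''; UPDATE #Products SET Descr = ''<script>x</script>'' WHERE Product IS NOT NULL --';

-- 1. Plain concatenation: the apostrophe closes the literal, the UPDATE runs,
--    and the trailing -- comments out the closing quote the page appended.
SET @sql = N'SELECT Product, Descr FROM #Products WHERE Product = ''' + @payload + N'''';
EXEC (@sql);
SELECT 'after case 1' AS step, * FROM #Products;   -- every Descr now carries the tag

UPDATE #Products SET Descr = N'clean';              -- reset for the next case

-- 2. Doubling apostrophes (the Replace("'", "''") trick): the whole payload
--    stays inside one string literal, no product matches and nothing else runs.
SET @sql = N'SELECT Product, Descr FROM #Products WHERE Product = ''' + REPLACE(@payload, N'''', N'''''') + N'''';
EXEC (@sql);
SELECT 'after case 2' AS step, * FROM #Products;   -- still clean

-- 3. The same trick on an unquoted numeric parameter (product.asp?ID=1):
--    there is no apostrophe to double, and a hex-encoded payload needs none.
--    0x3C7363726970743E783C2F7363726970743E is '<script>x</script>'.
SET @idInput = N'1; UPDATE #Products SET Descr = CAST(0x3C7363726970743E783C2F7363726970743E AS varchar(100))';
SET @sql = N'SELECT Product, Descr FROM #Products WHERE ProductID = ' + REPLACE(@idInput, N'''', N'''''');
EXEC (@sql);
SELECT 'after case 3' AS step, * FROM #Products;   -- injected again despite the escaping

UPDATE #Products SET Descr = N'clean';

-- 4. Parameterised statement: the value is bound as data and never parsed as SQL,
--    whichever type the column has.
EXEC sp_executesql
    N'SELECT Product, Descr FROM #Products WHERE Product = @p',
    N'@p nvarchar(200)', @p = @payload;            -- no rows, no UPDATE

BEGIN TRY
    EXEC sp_executesql
        N'SELECT Product, Descr FROM #Products WHERE ProductID = @id',
        N'@id int', @id = @idInput;                -- typed parameter: the string is rejected
END TRY
BEGIN CATCH
    SELECT 'case 4 numeric' AS step, ERROR_MESSAGE() AS rejected;
END CATCH;
SELECT 'after case 4' AS step, * FROM #Products;   -- still clean

DROP TABLE #Products;
```

The lesson of case 3 is that Replace("'", "''") only protects values that end up inside a quoted string literal; an ID that is pasted into the SQL bare is still wide open, and the mass-injection scripts of this period sent their payload hex-encoded precisely so that no apostrophe was needed. In classic ASP the equivalent of case 4 is an ADODB.Command whose CommandText uses ? placeholders, with each value appended through Parameters.Append and CreateParameter with the right type and size; the database then receives the user input as data exactly as sp_executesql does here.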

Stimpson
05-21-2008, 09:29 AM
PS. This is a very long shot, Paul, but you don't own a yellow Lotus Elan M100 do you? :)