MSSQL 인젝션 스크립트 체크
DECLARE @T varchar(255), @C varchar(255); DECLARE Table_Cursor CURSOR FOR SELECT a.name, b.name FROM sysobjects a, syscolumns b WHERE a.id = b.id AND a.xtype = 'u' AND (b.xtype = 99 OR b.xtype = 35 OR b.xtype = 231 OR b.xtype = 167); OPEN Table_Cursor; FETCH NEXT FROM Table_Cursor INTO @T, @C; WHILE (@@FETCH_STATUS = 0) BEGIN exec ('select ['+@C+'] from ['+@T+'] where ['+@C+'] like ''%'''); -- p..
serverSide/MSSQL
2014. 9. 4. 15:07