{"id":3419,"date":"2016-07-27T03:24:02","date_gmt":"2016-07-27T03:24:02","guid":{"rendered":"https:\/\/kiencang.net\/?p=3419"},"modified":"2016-07-27T03:24:02","modified_gmt":"2016-07-27T03:24:02","slug":"sql-injection-la-gi","status":"publish","type":"post","link":"https:\/\/kiencang.net\/sql-injection-la-gi\/","title":{"rendered":"SQL Injection l\u00e0 g\u00ec?"},"content":{"rendered":"\n<p>SQL Injection c\u00f3 th\u1ec3 ph\u00e1 hu\u1ef7 c\u01a1 s\u1edf d\u1eef li\u1ec7u c\u1ee7a b\u1ea1n.\u00a0<\/p>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_60 counter-hierarchy ez-toc-counter ez-toc-light-blue ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title \" >M\u1ee5c l\u1ee5c<\/p>\n<span class=\"ez-toc-title-toggle\"><a href=\"#\" class=\"ez-toc-pull-right ez-toc-btn ez-toc-btn-xs ez-toc-btn-default ez-toc-toggle\" aria-label=\"Toggle Table of Content\" role=\"button\"><label for=\"item-6577d65496db1\" ><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #999;color:#999\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #999;color:#999\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/label><input aria-label=\"Toggle\" aria-label=\"item-6577d65496db1\"  type=\"checkbox\" id=\"item-6577d65496db1\"><\/a><\/span><\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/kiencang.net\/sql-injection-la-gi\/#SQL_trong_cac_trang_web\" title=\"SQL trong c\u00e1c trang web\">SQL trong c\u00e1c trang web<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/kiencang.net\/sql-injection-la-gi\/#SQL_Injection\" title=\"SQL Injection\">SQL Injection<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/kiencang.net\/sql-injection-la-gi\/#SQL_Injection_dua_tren_11_la_luon_luon_dung\" title=\"SQL Injection d\u1ef1a tr\u00ean 1=1 l\u00e0 lu\u00f4n lu\u00f4n \u0111\u00fang\">SQL Injection d\u1ef1a tr\u00ean 1=1 l\u00e0 lu\u00f4n lu\u00f4n \u0111\u00fang<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/kiencang.net\/sql-injection-la-gi\/#SQL_Injection_dua_tren_%E2%80%9C%E2%80%9D%E2%80%9D%E2%80%9D_la_luon_luon_Dung\" title=\"SQL Injection d\u1ef1a tr\u00ean &#8220;&#8221;=&#8221;&#8221; l\u00e0 lu\u00f4n lu\u00f4n \u0110\u00fang\">SQL Injection d\u1ef1a tr\u00ean &#8220;&#8221;=&#8221;&#8221; l\u00e0 lu\u00f4n lu\u00f4n \u0110\u00fang<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"https:\/\/kiencang.net\/sql-injection-la-gi\/#SQL_Injection_dua_tren_cau_lenh_SQL_batched\" title=\"SQL Injection d\u1ef1a tr\u00ean c\u00e2u l\u1ec7nh SQL batched\">SQL Injection d\u1ef1a tr\u00ean c\u00e2u l\u1ec7nh SQL batched<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-6\" href=\"https:\/\/kiencang.net\/sql-injection-la-gi\/#Cac_tham_so_cho_bao_ve\" title=\"C\u00e1c tham s\u1ed1 cho b\u1ea3o v\u1ec7\">C\u00e1c tham s\u1ed1 cho b\u1ea3o v\u1ec7<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-7\" href=\"https:\/\/kiencang.net\/sql-injection-la-gi\/#Cac_vi_du\" title=\"C\u00e1c v\u00ed d\u1ee5\">C\u00e1c v\u00ed d\u1ee5<\/a><\/li><\/ul><\/nav><\/div>\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"SQL_trong_cac_trang_web\"><\/span>SQL trong c\u00e1c trang web<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Trong c\u00e1c b\u00e0i tr\u01b0\u1edbc, b\u1ea1n \u0111\u00e3 h\u1ecdc c\u00e1ch l\u1ea5y (v\u00e0 c\u1eadp nh\u1eadt) c\u01a1 s\u1edf d\u1eef li\u1ec7u, s\u1eed d\u1ee5ng SQL.<\/p>\n\n\n\n<p>Khi SQL \u0111\u01b0\u1ee3c s\u1eed d\u1ee5ng \u0111\u1ec3 hi\u1ec3n th\u1ecb d\u1eef li\u1ec7u tr\u00ean m\u1ed9t trang web, n\u00f3 th\u01b0\u1eddng cho ng\u01b0\u1eddi d\u00f9ng nh\u1eadp gi\u00e1 tr\u1ecb t\u00ecm ki\u1ebfm c\u1ee7a ri\u00eang h\u1ecd.<\/p>\n\n\n\n<p>T\u1eeb khi c\u00e2u l\u1ec7nh SQL ch\u1ec9 l\u00e0 d\u1ea1ng text, n\u00f3 tr\u1edf n\u00ean d\u1ec5 d\u00e0ng h\u01a1n, v\u1edbi v\u00e0i \u0111o\u1ea1n code m\u00e1y t\u00ednh, \u0111\u1ec3 t\u1ef1 \u0111\u1ed9ng thay \u0111\u1ed5i c\u00e2u l\u1ec7nh SQL nh\u1eb1m cung c\u1ea5p cho ng\u01b0\u1eddi d\u00f9ng l\u1ef1a ch\u1ecdn d\u1eef li\u1ec7u:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">M\u00e3 Server<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>txtUserId = getRequestString(\"UserId\");\ntxtSQL = \"SELECT * FROM Users WHERE UserId = \" + txtUserId;<\/code><\/pre>\n\n\n\n<p>Trong v\u00ed d\u1ee5 tr\u00ean, t\u1ea1o m\u1ed9t c\u00e2u l\u1ec7nh l\u1ef1a ch\u1ecdn b\u1eb1ng c\u00e1ch th\u00eam m\u1ed9t bi\u1ebfn (txtUserId) v\u00e0o chu\u1ed7i l\u1ef1a ch\u1ecdn. C\u00e1c bi\u1ebfn \u0111\u01b0\u1ee3c l\u1ea5y t\u1eeb \u0111\u1ea7u v\u00e0o ng\u01b0\u1eddi s\u1eed d\u1ee5ng (Request) \u0111\u1ebfn trang.<\/p>\n\n\n\n<p>Ph\u1ea7n ti\u1ebfp theo c\u1ee7a b\u00e0i vi\u1ebft n\u00e0y s\u1ebd m\u00f4 t\u1ea3 kh\u1ea3 n\u0103ng nguy hi\u1ec3m c\u1ee7a vi\u1ec7c ng\u01b0\u1eddi d\u00f9ng s\u1eed d\u1ee5ng c\u00e1c c\u00e2u l\u1ec7nh SQL.<\/p>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"SQL_Injection\"><\/span>SQL Injection<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>SQL injection l\u00e0 k\u1ef9 thu\u1eadt c\u1ee7a ng\u01b0\u1eddi d\u00f9ng \u0111\u1ed9c h\u1ea1i ph\u00e1 ho\u1ea1i c\u01a1 s\u1edf d\u1eef li\u1ec7u b\u1eb1ng c\u00e1ch th\u00eam c\u00e1c d\u00f2ng l\u1ec7nh SQL inject v\u00e0o c\u00e2u l\u1ec7nh SQL th\u00f4ng th\u01b0\u1eddng th\u00f4ng qua tr\u01b0\u1eddng nh\u1eadp li\u1ec7u tr\u00ean web.<\/p>\n\n\n\n<p>C\u00e1c d\u00f2ng l\u1ec7nh Inject SQL c\u00f3 th\u1ec3 thay \u0111\u1ed5i c\u00e2u l\u1ec7nh SQL v\u00e0 g\u00e2y nguy hi\u1ec3m cho kh\u1ea3 n\u0103ng b\u1ea3o m\u1eadt c\u1ee7a \u1ee9ng d\u1ee5ng web.<\/p>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"SQL_Injection_dua_tren_11_la_luon_luon_dung\"><\/span>SQL Injection d\u1ef1a tr\u00ean 1=1 l\u00e0 lu\u00f4n lu\u00f4n \u0111\u00fang<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Nh\u00ecn l\u00ean v\u00ed d\u1ee5 tr\u00ean m\u1ed9t l\u1ea7n n\u1eefa.<\/p>\n\n\n\n<p>Ch\u00fang ta bi\u1ebft r\u1eb1ng, m\u1ee5c \u0111\u00edch ban \u0111\u1ea7u c\u1ee7a code l\u00e0 t\u1ea1o ra m\u1ed9t c\u00e2u l\u1ec7nh SQL \u0111\u1ec3 ch\u1ecdn m\u1ed9t ng\u01b0\u1eddi d\u00f9ng v\u1edbi m\u00f4t id ng\u01b0\u1eddi d\u00f9ng cho tr\u01b0\u1edbc.<\/p>\n\n\n\n<p>N\u1ebfu kh\u00f4ng c\u00f3 g\u00ec \u0111\u1ec3 ng\u0103n ch\u1eb7n ng\u01b0\u1eddi d\u00f9ng nh\u1eadp &#8220;sai&#8221;, ng\u01b0\u1eddi d\u00f9ng c\u00f3 th\u1ec3 nh\u1eadp v\u00e0o d\u1eef li\u1ec7u &#8220;th\u00f4ng minh&#8221; nh\u01b0 th\u1ebf n\u00e0y:<\/p>\n\n\n\n<p>UserId:<br><input name=\"UserId\" type=\"text\" value=\"105 or 1=1\"><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">K\u1ebft qu\u1ea3 c\u1ee7a Server<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>SELECT * FROM Users WHERE UserId = 105 or 1=1<\/code><\/pre>\n\n\n\n<p>C\u00e2u l\u1ec7nh SQL tr\u00ean l\u00e0 h\u1ee3p l\u1ec7. N\u00f3 s\u1ebd tr\u1ea3 v\u1ec1 t\u1ea5t c\u1ea3 c\u00e1c h\u00e0ng t\u1eeb b\u1ea3ng Users, v\u00ec <strong>WHERE 1=1<\/strong> l\u00e0 lu\u00f4n lu\u00f4n \u0111\u00fang.<\/p>\n\n\n\n<p>V\u00ed d\u1ee5 tr\u00ean d\u01b0\u1eddng nh\u01b0 nguy hi\u1ec3m ph\u1ea3i kh\u00f4ng? \u0110i\u1ec1u g\u00ec x\u1ea3y ra n\u1ebfu b\u1ea3ng bao g\u1ed3m t\u00ean v\u00e0 m\u1eadt kh\u1ea9u?<\/p>\n\n\n\n<p>C\u00e2u l\u1ec7nh SQL tr\u00ean l\u00e0 t\u01b0\u01a1ng \u0111\u01b0\u01a1ng v\u1edbi:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>SELECT UserId, Name, Password FROM Users WHERE UserId = 105 or 1=1<\/code><\/pre>\n\n\n\n<p>M\u1ed9t hacker th\u00f4ng minh c\u00f3 th\u1ec3 truy c\u1eadp t\u1ea5t c\u1ea3 t\u00ean ng\u01b0\u1eddi d\u00f9ng v\u00e0 m\u1eadt kh\u1ea9u trong c\u01a1 s\u1edf d\u1eef li\u1ec7u \u0111\u01a1n gi\u1ea3n b\u1eb1ng c\u00e1ch ch\u00e8n 105 ho\u1eb7c 1=1 v\u00e0o tr\u01b0\u1eddng nh\u1eadp li\u1ec7u.<\/p>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"SQL_Injection_dua_tren_%E2%80%9C%E2%80%9D%E2%80%9D%E2%80%9D_la_luon_luon_Dung\"><\/span>SQL Injection d\u1ef1a tr\u00ean &#8220;&#8221;=&#8221;&#8221; l\u00e0 lu\u00f4n lu\u00f4n \u0110\u00fang<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>\u0110\u00e2y l\u00e0 m\u1ed9t c\u1ea5u tr\u00fac th\u1ed1ng th\u01b0\u1eddng, \u0111\u01b0\u1ee3c d\u00f9ng \u0111\u1ec3 x\u00e1c minh ng\u01b0\u1eddi d\u00f9ng \u0111\u0103ng nh\u1eadp v\u00e0o m\u1ed9t trang web:<\/p>\n\n\n\n<p>User Name:<br><input name=\"uName\" type=\"text\" value=\"\"><\/p>\n\n\n\n<p>Password:<br><input name=\"uPass\" type=\"text\" value=\"\"><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">M\u00e3 Server<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>uName = getRequestString(\"UserName\");\nuPass = getRequestString(\"UserPass\"); sql = \"SELECT * FROM Users WHERE Name ='\" + uName + \"' AND Pass ='\" + uPass + \"'\"<\/code><\/pre>\n\n\n\n<p>M\u1ed9t hacker th\u00f4ng minh c\u00f3 th\u1ec3 truy c\u1eadp t\u00ean ng\u01b0\u1eddi d\u00f9ng v\u00e0 m\u1eadt kh\u1ea9u trong c\u01a1 s\u1edf d\u1eef li\u1ec7u b\u1eb1ng c\u00e1ch \u0111\u01a1n gi\u1ea3n ch\u00e8n&nbsp;&#8221; or &#8220;&#8221;=&#8221; v\u00e0o \u00f4 t\u00ean ng\u01b0\u1eddi d\u00f9ng ho\u1eb7c m\u1eadt kh\u1ea9u.<\/p>\n\n\n\n<p>\u0110o\u1ea1n code t\u1ea1i server s\u1ebd t\u1ea1o ra m\u1ed9t c\u00e2u l\u1ec7nh SQL h\u1ee3p l\u1ec7 gi\u1ed1ng nh\u01b0 th\u1ebf n\u00e0y:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">K\u1ebft qu\u1ea3<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>SELECT * FROM Users WHERE Name =\"\" or \"\"=\"\" AND Pass =\"\" or \"\"=\"\"<\/code><\/pre>\n\n\n\n<p>C\u00e2u l\u1ec7nh SQL l\u00e0 h\u1ee3p l\u1ec7. N\u00f3 s\u1ebd tr\u1ea3 v\u1ec1 t\u1ea5t c\u1ea3 c\u00e1c h\u00e0ng t\u1eeb b\u1ea3ng Users, v\u00ec WHERE &#8220;&#8221;=&#8221;&#8221; l\u00e0 lu\u00f4n lu\u00f4n \u0111\u00fang.<\/p>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"SQL_Injection_dua_tren_cau_lenh_SQL_batched\"><\/span>SQL Injection d\u1ef1a tr\u00ean c\u00e2u l\u1ec7nh SQL batched<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>H\u1ea7u h\u1ebft c\u00e1c c\u01a1 s\u1edf d\u1eef li\u1ec7u h\u1ed7 tr\u1ee3 c\u00e2u l\u1ec7nh SQL batched, \u0111\u01b0\u1ee3c c\u00e1ch nhau b\u1eb1ng d\u1ea5u ch\u1ea5m ph\u1ea9y.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">V\u00ed d\u1ee5<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>SELECT * FROM Users; DROP TABLE Suppliers<\/code><\/pre>\n\n\n\n<p>C\u00e2u l\u1ec7nh SQL tr\u00ean s\u1ebd tr\u1ea3 v\u1ec1 t\u1ea5t c\u1ea3 c\u00e1c h\u00e0ng trong b\u1ea3ng Users, v\u00e0 sau \u0111\u00f3 xo\u00e1 b\u1ea3ng c\u00f3 t\u00ean l\u00e0 Suppliers.<\/p>\n\n\n\n<p>N\u1ebfu ch\u00fang ta c\u00f3 \u0111o\u1ea1n m\u00e3 server sau:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Server Code<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>txtUserId = getRequestString(\"UserId\");\ntxtSQL = \"SELECT * FROM Users WHERE UserId = \" + txtUserId;<\/code><\/pre>\n\n\n\n<p>V\u00e0 nh\u1eadp li\u1ec7u nh\u01b0 sau:<\/p>\n\n\n\n<p>User id:<br><input name=\"UserId\" type=\"text\" value=\"105; DROP TABLE Suppliers\"><\/p>\n\n\n\n<p>\u0110o\u1ea1n code t\u1ea1i server s\u1ebd t\u1ea1o m\u1ed9t l\u1ec7nh SQL h\u1ee3p l\u1ec7 nh\u01b0 sau:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">K\u1ebft qu\u1ea3<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>SELECT * FROM Users WHERE UserId = 105; DROP TABLE Suppliers<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Cac_tham_so_cho_bao_ve\"><\/span>C\u00e1c tham s\u1ed1 cho b\u1ea3o v\u1ec7<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>M\u1ed9t s\u1ed1 nh\u00e0 ph\u00e1t tri\u1ec3n web s\u1eed d\u1ee5ng m\u1ed9t &#8220;danh s\u00e1ch \u0111en&#8221; c\u00e1c t\u1eeb ho\u1eb7c k\u00fd t\u1ef1 \u0111\u1ec3 t\u00ecm ki\u1ebfm khi nh\u1eadp trong SQL, nh\u1eb1m ng\u0103n c\u1ea3n c\u00e1c thao t\u00e1c t\u1ea5n c\u00f4ng c\u1ee7a SQL injection.<\/p>\n\n\n\n<p>\u0110\u00e2y kh\u00f4ng ph\u1ea3i l\u00e0 \u00fd t\u01b0\u1edfng qu\u00e1 t\u1ed1t. Nhi\u1ec1u t\u1eeb trong s\u1ed1 \u0111\u00f3 (nh\u01b0 delete ho\u1eb7c drop) v\u00e0 c\u00e1c k\u00fd t\u1ef1 (nh\u01b0 d\u1ea5u ch\u1ea5m ph\u1ea9y v\u00e0 d\u1ea5u ngo\u1eb7c k\u00e9p), l\u00e0 ng\u00f4n ng\u1eef th\u01b0\u1eddng d\u00f9ng, v\u00e0 ph\u1ea3i \u0111\u01b0\u1ee3c cho ph\u00e9p trong nhi\u1ec1u ki\u1ec3u nh\u1eadp li\u1ec7u.<\/p>\n\n\n\n<p>(Trong th\u1ef1c t\u1ebf n\u00f3 ph\u1ea3i l\u00e0 ho\u00e0n to\u00e0n h\u1ee3p l\u1ec7 \u0111\u1ec3 nh\u1eadp v\u00e0o m\u1ed9t c\u00e2u l\u1ec7nh SQL trong tr\u01b0\u1eddng c\u01a1 s\u1edf d\u1eef li\u1ec7u.)<\/p>\n\n\n\n<p>C\u00e1ch ch\u1ee9ng minh \u0111\u1ec3 b\u1ea3o v\u1ec7 m\u1ed9t trang web t\u1eeb c\u00e1c cu\u1ed9c t\u1ea5n c\u00f4ng SQL injection, l\u00e0 s\u1eed d\u1ee5ng c\u00e1c tham s\u1ed1 SQL.<\/p>\n\n\n\n<p>C\u00e1c tham s\u1ed1 SQL l\u00e0 c\u00e1c gi\u00e1 tr\u1ecb \u0111\u01b0\u1ee3c th\u00eam v\u00e0o t\u1eeb c\u00e1c truy v\u1ea5n SQL t\u1ea1i th\u1eddi gian th\u1ef1c hi\u1ec7n, trong m\u1ed9t c\u00e1ch th\u1ee9c c\u00f3 ki\u1ec3m so\u00e1t.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">V\u00ed d\u1ee5 ASP.NET Razor<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>txtUserId = getRequestString(\"UserId\");\ntxtSQL = \"SELECT * FROM Users WHERE UserId = @0\";\ndb.Execute(txtSQL,txtUserId);<\/code><\/pre>\n\n\n\n<p>L\u01b0u \u00fd l\u00e0 tham s\u1ed1 \u0111\u1ea1i di\u1ec7n trong c\u00e2u l\u1ec7nh SQL b\u1edfi k\u00fd t\u1ef1 @.<\/p>\n\n\n\n<p>C\u00e1c c\u00f4ng c\u1ee5 SQL ki\u1ec3m tra t\u1eebng th\u00f4ng s\u1ed1 \u0111\u1ec3 \u0111\u1ea3m b\u1ea3o r\u1eb1ng n\u00f3 l\u00e0 \u0111\u00fang cho c\u1ed9t v\u00e0 \u0111\u01b0\u1ee3c th\u1ef1c thi theo ngh\u0129a \u0111en, v\u00e0 kh\u00f4ng ph\u1ea3i l\u00e0 m\u1ed9t ph\u1ea7n c\u1ee7a SQL \u0111\u01b0\u1ee3c th\u1ef1c thi.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">V\u00ed d\u1ee5 kh\u00e1c<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>txtNam = getRequestString(\"CustomerName\");\ntxtAdd = getRequestString(\"Address\");\ntxtCit = getRequestString(\"City\");\ntxtSQL = \"INSERT INTO Customers (CustomerName,Address,City) Values(@0,@1,@2)\";\ndb.Execute(txtSQL,txtNam,txtAdd,txtCit);<\/code><\/pre>\n\n\n\n<p>B\u1ea1n v\u1eeba \u0111\u01b0\u1ee3c h\u1ecdc \u0111\u1ec3 tr\u00e1nh SQL injection. M\u1ed9t trong nh\u1eefng l\u1ed7 h\u1ed5ng website h\u00e0ng \u0111\u1ea7u.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Cac_vi_du\"><\/span>C\u00e1c v\u00ed d\u1ee5<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>C\u00e1c v\u00ed d\u1ee5 d\u01b0\u1edbi \u0111\u00e2y hi\u1ec3n th\u1ecb c\u00e1ch l\u00e0m th\u1ebf n\u00e0o \u0111\u1ec3 x\u00e2y d\u1ef1ng c\u00e1c truy v\u1ea5n tham s\u1ed1 trong m\u1ed9t s\u1ed1 ng\u00f4n ng\u1eef l\u1eadp tr\u00ecnh web ph\u1ed5 bi\u1ebfn.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>SELECT STATEMENT IN ASP.NET:\ntxtUserId = getRequestString(\"UserId\");\nsql = \"SELECT * FROM Customers WHERE CustomerId = @0\";\ncommand = new SqlCommand(sql);\ncommand.Parameters.AddWithValue(\"@0\",txtUserID);\ncommand.ExecuteReader();<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>INSERT INTO STATEMENT IN ASP.NET:\ntxtNam = getRequestString(\"CustomerName\");\ntxtAdd = getRequestString(\"Address\");\ntxtCit = getRequestString(\"City\");\ntxtSQL = \"INSERT INTO Customers (CustomerName,Address,City) Values(@0,@1,@2)\";\ncommand = new SqlCommand(txtSQL);\ncommand.Parameters.AddWithValue(\"@0\",txtNam);\ncommand.Parameters.AddWithValue(\"@1\",txtAdd);\ncommand.Parameters.AddWithValue(\"@2\",txtCit);\ncommand.ExecuteNonQuery();<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>INSERT INTO STATEMENT IN PHP:\n$stmt = $dbh->prepare(\"INSERT INTO Customers (CustomerName,Address,City)\nVALUES (:nam, :add, :cit)\");\n$stmt->bindParam(':nam', $txtNam);\n$stmt->bindParam(':add', $txtAdd);\n$stmt->bindParam(':cit', $txtCit);\n$stmt->execute();<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>SQL Injection c\u00f3 th\u1ec3 ph\u00e1 hu\u1ef7 c\u01a1 s\u1edf d\u1eef li\u1ec7u c\u1ee7a b\u1ea1n.\u00a0 SQL trong c\u00e1c trang web Trong c\u00e1c b\u00e0i tr\u01b0\u1edbc, b\u1ea1n \u0111\u00e3 h\u1ecdc c\u00e1ch l\u1ea5y (v\u00e0 c\u1eadp nh\u1eadt) c\u01a1 s\u1edf d\u1eef li\u1ec7u, s\u1eed d\u1ee5ng SQL. Khi SQL \u0111\u01b0\u1ee3c s\u1eed d\u1ee5ng \u0111\u1ec3 hi\u1ec3n th\u1ecb d\u1eef li\u1ec7u tr\u00ean m\u1ed9t trang web, n\u00f3 th\u01b0\u1eddng cho ng\u01b0\u1eddi d\u00f9ng &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[239],"tags":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v21.6 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>SQL Injection l\u00e0 g\u00ec? &#8226; Ki\u1ebfn c\u00e0ng<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/kiencang.net\/sql-injection-la-gi\/\" \/>\n<meta property=\"og:locale\" content=\"vi_VN\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"SQL Injection l\u00e0 g\u00ec? &#8226; Ki\u1ebfn c\u00e0ng\" \/>\n<meta property=\"og:description\" content=\"SQL Injection c\u00f3 th\u1ec3 ph\u00e1 hu\u1ef7 c\u01a1 s\u1edf d\u1eef li\u1ec7u c\u1ee7a b\u1ea1n.\u00a0 SQL trong c\u00e1c trang web Trong c\u00e1c b\u00e0i tr\u01b0\u1edbc, b\u1ea1n \u0111\u00e3 h\u1ecdc c\u00e1ch l\u1ea5y (v\u00e0 c\u1eadp nh\u1eadt) c\u01a1 s\u1edf d\u1eef li\u1ec7u, s\u1eed d\u1ee5ng SQL. Khi SQL \u0111\u01b0\u1ee3c s\u1eed d\u1ee5ng \u0111\u1ec3 hi\u1ec3n th\u1ecb d\u1eef li\u1ec7u tr\u00ean m\u1ed9t trang web, n\u00f3 th\u01b0\u1eddng cho ng\u01b0\u1eddi d\u00f9ng &hellip;\" \/>\n<meta property=\"og:url\" content=\"https:\/\/kiencang.net\/sql-injection-la-gi\/\" \/>\n<meta property=\"og:site_name\" content=\"Ki\u1ebfn c\u00e0ng\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/anhducnguyen87\/\" \/>\n<meta property=\"article:published_time\" content=\"2016-07-27T03:24:02+00:00\" \/>\n<meta name=\"author\" content=\"Nguy\u1ec5n \u0110\u1ee9c Anh\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"\u0110\u01b0\u1ee3c vi\u1ebft b\u1edfi\" \/>\n\t<meta name=\"twitter:data1\" content=\"Nguy\u1ec5n \u0110\u1ee9c Anh\" \/>\n\t<meta name=\"twitter:label2\" content=\"\u01af\u1edbc t\u00ednh th\u1eddi gian \u0111\u1ecdc\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 ph\u00fat\" \/>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"SQL Injection l\u00e0 g\u00ec? &#8226; Ki\u1ebfn c\u00e0ng","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/kiencang.net\/sql-injection-la-gi\/","og_locale":"vi_VN","og_type":"article","og_title":"SQL Injection l\u00e0 g\u00ec? &#8226; Ki\u1ebfn c\u00e0ng","og_description":"SQL Injection c\u00f3 th\u1ec3 ph\u00e1 hu\u1ef7 c\u01a1 s\u1edf d\u1eef li\u1ec7u c\u1ee7a b\u1ea1n.\u00a0 SQL trong c\u00e1c trang web Trong c\u00e1c b\u00e0i tr\u01b0\u1edbc, b\u1ea1n \u0111\u00e3 h\u1ecdc c\u00e1ch l\u1ea5y (v\u00e0 c\u1eadp nh\u1eadt) c\u01a1 s\u1edf d\u1eef li\u1ec7u, s\u1eed d\u1ee5ng SQL. Khi SQL \u0111\u01b0\u1ee3c s\u1eed d\u1ee5ng \u0111\u1ec3 hi\u1ec3n th\u1ecb d\u1eef li\u1ec7u tr\u00ean m\u1ed9t trang web, n\u00f3 th\u01b0\u1eddng cho ng\u01b0\u1eddi d\u00f9ng &hellip;","og_url":"https:\/\/kiencang.net\/sql-injection-la-gi\/","og_site_name":"Ki\u1ebfn c\u00e0ng","article_author":"https:\/\/www.facebook.com\/anhducnguyen87\/","article_published_time":"2016-07-27T03:24:02+00:00","author":"Nguy\u1ec5n \u0110\u1ee9c Anh","twitter_card":"summary_large_image","twitter_misc":{"\u0110\u01b0\u1ee3c vi\u1ebft b\u1edfi":"Nguy\u1ec5n \u0110\u1ee9c Anh","\u01af\u1edbc t\u00ednh th\u1eddi gian \u0111\u1ecdc":"5 ph\u00fat"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/kiencang.net\/sql-injection-la-gi\/","url":"https:\/\/kiencang.net\/sql-injection-la-gi\/","name":"SQL Injection l\u00e0 g\u00ec? &#8226; Ki\u1ebfn c\u00e0ng","isPartOf":{"@id":"https:\/\/kiencang.net\/#website"},"datePublished":"2016-07-27T03:24:02+00:00","dateModified":"2016-07-27T03:24:02+00:00","author":{"@id":"https:\/\/kiencang.net\/#\/schema\/person\/5e7e1a04d8d1218ad8c421ba43d25c16"},"breadcrumb":{"@id":"https:\/\/kiencang.net\/sql-injection-la-gi\/#breadcrumb"},"inLanguage":"vi","potentialAction":[{"@type":"ReadAction","target":["https:\/\/kiencang.net\/sql-injection-la-gi\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/kiencang.net\/sql-injection-la-gi\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/kiencang.net\/"},{"@type":"ListItem","position":2,"name":"SQL Injection l\u00e0 g\u00ec?"}]},{"@type":"WebSite","@id":"https:\/\/kiencang.net\/#website","url":"https:\/\/kiencang.net\/","name":"Ki\u1ebfn c\u00e0ng","description":"\u00d4m l\u00fd thuy\u1ebft, h\u00f4n th\u1ef1c h\u00e0nh","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/kiencang.net\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"vi"},{"@type":"Person","@id":"https:\/\/kiencang.net\/#\/schema\/person\/5e7e1a04d8d1218ad8c421ba43d25c16","name":"Nguy\u1ec5n \u0110\u1ee9c Anh","image":{"@type":"ImageObject","inLanguage":"vi","@id":"https:\/\/kiencang.net\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/6d71f9b89393952a8382e30dad26c1ec?s=96&d=monsterid&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/6d71f9b89393952a8382e30dad26c1ec?s=96&d=monsterid&r=g","caption":"Nguy\u1ec5n \u0110\u1ee9c Anh"},"description":"Sinh n\u0103m 1987, t\u1ed1t nghi\u1ec7p Cao \u0111\u1eb3ng th\u1ef1c h\u00e0nh FPT qu\u00e3ng 2014, chuy\u00ean ng\u00e0nh Thi\u1ebft k\u1ebf website. T\u00f4i th\u00edch Content, SEO, Ads, T\u0103ng t\u1ed1c website v\u00e0 Th\u01b0\u01a1ng m\u1ea1i \u0111i\u1ec7n t\u1eed. B\u00ean c\u1ea1nh b\u00e0i t\u1ef1 vi\u1ebft, t\u00f4i c\u0169ng d\u1ecbch nhi\u1ec1u n\u1ed9i dung th\u00fa v\u1ecb c\u1ee7a c\u00e1c t\u00e1c gi\u1ea3 kh\u00e1c nhau. FB c\u00e1 nh\u00e2n: facebook.com\/anhducnguyen87. Email li\u00ean h\u1ec7: guiemailchotoi@gmail.com","sameAs":["https:\/\/www.facebook.com\/anhducnguyen87\/"],"url":"https:\/\/kiencang.net\/author\/admin\/"}]}},"_links":{"self":[{"href":"https:\/\/kiencang.net\/wp-json\/wp\/v2\/posts\/3419"}],"collection":[{"href":"https:\/\/kiencang.net\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kiencang.net\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kiencang.net\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kiencang.net\/wp-json\/wp\/v2\/comments?post=3419"}],"version-history":[{"count":0,"href":"https:\/\/kiencang.net\/wp-json\/wp\/v2\/posts\/3419\/revisions"}],"wp:attachment":[{"href":"https:\/\/kiencang.net\/wp-json\/wp\/v2\/media?parent=3419"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kiencang.net\/wp-json\/wp\/v2\/categories?post=3419"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kiencang.net\/wp-json\/wp\/v2\/tags?post=3419"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}