{"id":22491,"date":"2025-09-15T10:37:09","date_gmt":"2025-09-15T03:37:09","guid":{"rendered":"https:\/\/interdata.vn\/blog\/?p=22491"},"modified":"2025-09-22T15:26:45","modified_gmt":"2025-09-22T08:26:45","slug":"tan-cong-sql-injection-la-gi","status":"publish","type":"post","link":"https:\/\/interdata.vn\/blog\/tan-cong-sql-injection-la-gi\/","title":{"rendered":"What is SQL Injection? Purpose, Consequences &#038; 11+ Ways to Prevent It"},"content":{"rendered":"<p>Did you know that with just a small snippet of code, a hacker can take control of your website's entire database? That is the SQL Injection (SQLi) vulnerability, one of the most common and dangerous attack techniques. In this article we will look at what SQL Injection is, the common forms of the attack, illustrative examples, how dangerous it is, and the most effective ways to prevent SQL Injection.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"SQL-Injection-la-gi\"><\/span>What is SQL Injection?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><strong>A SQL Injection (SQLi) attack<\/strong> is one of the most common and dangerous security vulnerabilities in web applications. The attacker exploits the application's failure to validate or filter its input strictly, and <strong>inserts special characters or SQL statements into forms<\/strong>, <strong>search boxes or URLs<\/strong>. When the application processes this data, it executes the malicious SQL statement, letting the attacker perform unauthorized actions on the database.<\/p>\n<figure id=\"attachment_32519\" aria-describedby=\"caption-attachment-32519\" style=\"width: 800px\" class=\"wp-caption aligncenter\"><img class=\"size-full wp-image-32519\" src=\"https:\/\/interdata.vn\/blog\/wp-content\/uploads\/2025\/08\/Tan-cong-SQL-Injection-la-gi.jpg\" alt=\"What is a SQL Injection attack?\" width=\"800\" height=\"450\" \/><figcaption id=\"caption-attachment-32519\" class=\"wp-caption-text\">What is a SQL Injection attack?<\/figcaption><\/figure>\n<p>For example, a login page asks the user for a username and password. If the application does not handle its input properly, the attacker can enter a string such as <code>' OR '1'='1<\/code> in the password field. 
Khi \u0111\u00f3, c\u00e2u l\u1ec7nh SQL ban \u0111\u1ea7u s\u1ebd b\u1ecb thay \u0111\u1ed5i, cho ph\u00e9p k\u1ebb t\u1ea5n c\u00f4ng \u0111\u0103ng nh\u1eadp th\u00e0nh c\u00f4ng m\u00e0 kh\u00f4ng c\u1ea7n bi\u1ebft m\u1eadt kh\u1ea9u th\u1eadt.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Muc-dich-cua-tan-cong-SQL-Injection\"><\/span>M\u1ee5c \u0111\u00edch c\u1ee7a t\u1ea5n c\u00f4ng SQL Injection<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>K\u1ebb t\u1ea5n c\u00f4ng kh\u00f4ng ch\u1ec9 \u0111\u01a1n thu\u1ea7n mu\u1ed1n truy c\u1eadp tr\u00e1i ph\u00e9p m\u00e0 c\u00f2n c\u00f3 nhi\u1ec1u m\u1ee5c \u0111\u00edch kh\u00e1c, t\u00f9y thu\u1ed9c v\u00e0o k\u1ef9 n\u0103ng v\u00e0 \u0111\u1ed9ng c\u01a1 c\u1ee7a h\u1ecd. C\u00e1c m\u1ee5c ti\u00eau ph\u1ed5 bi\u1ebfn bao g\u1ed3m:<\/p>\n<ul>\n<li><strong>Truy c\u1eadp v\u00e0 \u0111\u00e1nh c\u1eafp d\u1eef li\u1ec7u:<\/strong> \u0110\u00e2y l\u00e0 m\u1ee5c \u0111\u00edch ph\u1ed5 bi\u1ebfn nh\u1ea5t. K\u1ebb t\u1ea5n c\u00f4ng s\u1ebd l\u1ea5y c\u1eafp c\u00e1c th\u00f4ng tin nh\u1ea1y c\u1ea3m nh\u01b0 d\u1eef li\u1ec7u kh\u00e1ch h\u00e0ng, s\u1ed1 th\u1ebb t\u00edn d\u1ee5ng, th\u00f4ng tin c\u00e1 nh\u00e2n&#8230;<\/li>\n<li><strong>Thao t\u00fang d\u1eef li\u1ec7u:<\/strong> X\u00f3a, s\u1eeda \u0111\u1ed5i ho\u1eb7c th\u00eam d\u1eef li\u1ec7u v\u00e0o c\u01a1 s\u1edf d\u1eef li\u1ec7u \u0111\u1ec3 g\u00e2y r\u1ed1i, ph\u00e1 ho\u1ea1i ho\u1eb7c t\u1ea1o ra c\u00e1c t\u00e0i kho\u1ea3n gi\u1ea3 m\u1ea1o.<\/li>\n<li><strong>Chi\u1ebfm quy\u1ec1n \u0111i\u1ec1u khi\u1ec3n h\u1ec7 th\u1ed1ng:<\/strong> Trong nh\u1eefng tr\u01b0\u1eddng h\u1ee3p nghi\u00eam tr\u1ecdng, k\u1ebb t\u1ea5n c\u00f4ng c\u00f3 th\u1ec3 chi\u1ebfm quy\u1ec1n \u0111i\u1ec1u khi\u1ec3n server ch\u1ee9a c\u01a1 s\u1edf d\u1eef li\u1ec7u, t\u1eeb \u0111\u00f3 c\u00f3 th\u1ec3 c\u00e0i \u0111\u1eb7t m\u00e3 \u0111\u1ed9c ho\u1eb7c th\u1ef1c hi\u1ec7n c\u00e1c cu\u1ed9c t\u1ea5n c\u00f4ng kh\u00e1c.<\/li>\n<li><strong>Th\u1ef1c 
hi\u1ec7n c\u00e1c cu\u1ed9c t\u1ea5n c\u00f4ng t\u1eeb ch\u1ed1i d\u1ecbch v\u1ee5 (DoS):<\/strong> G\u00e2y ra c\u00e1c l\u1ed7i tr\u00ean c\u01a1 s\u1edf d\u1eef li\u1ec7u, l\u00e0m cho website ng\u1eebng ho\u1ea1t \u0111\u1ed9ng, \u1ea3nh h\u01b0\u1edfng \u0111\u1ebfn tr\u1ea3i nghi\u1ec7m c\u1ee7a ng\u01b0\u1eddi d\u00f9ng.<\/li>\n<\/ul>\n<h2><span class=\"ez-toc-section\" id=\"SQL-Injection-nguy-hiem-the-nao\"><\/span>SQL Injection nguy hi\u1ec3m th\u1ebf n\u00e0o?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>M\u1ed9t cu\u1ed9c t\u1ea5n c\u00f4ng SQL Injection th\u00e0nh c\u00f4ng c\u00f3 th\u1ec3 g\u00e2y ra nh\u1eefng h\u1eadu qu\u1ea3 nghi\u00eam tr\u1ecdng v\u00e0 k\u00e9o d\u00e0i, SQL Injection lu\u00f4n n\u1eb1m trong top 10 l\u1ed7 h\u1ed5ng b\u1ea3o m\u1eadt web nguy hi\u1ec3m nh\u1ea5t.<\/p>\n<p>C\u00e1c t\u00e1c h\u1ea1i c\u00f3 th\u1ec3 k\u1ec3 \u0111\u1ebfn:<\/p>\n<ul>\n<li><strong>R\u00f2 r\u1ec9 d\u1eef li\u1ec7u:<\/strong> \u0110\u00e2y l\u00e0 h\u1eadu qu\u1ea3 r\u00f5 r\u00e0ng nh\u1ea5t, g\u00e2y thi\u1ec7t h\u1ea1i tr\u1ef1c ti\u1ebfp v\u1ec1 m\u1eb7t t\u00e0i ch\u00ednh v\u00e0 uy t\u00edn. Theo th\u1ed1ng k\u00ea t\u1eeb c\u00e1c t\u1ed5 ch\u1ee9c b\u1ea3o m\u1eadt, chi ph\u00ed trung b\u00ecnh cho m\u1ed9t v\u1ee5 r\u00f2 r\u1ec9 d\u1eef li\u1ec7u c\u00f3 th\u1ec3 l\u00ean t\u1edbi h\u00e0ng tri\u1ec7u \u0111\u00f4 la.<\/li>\n<li><strong>Thi\u1ec7t h\u1ea1i v\u1ec1 t\u00e0i ch\u00ednh v\u00e0 uy t\u00edn:<\/strong> Doanh nghi\u1ec7p c\u00f3 th\u1ec3 m\u1ea5t kh\u00e1ch h\u00e0ng, b\u1ecb ph\u1ea1t v\u00ec vi ph\u1ea1m quy \u0111\u1ecbnh b\u1ea3o v\u1ec7 d\u1eef li\u1ec7u (nh\u01b0 GDPR) v\u00e0 ph\u1ea3i chi tr\u1ea3 chi ph\u00ed kh\u00f4i ph\u1ee5c h\u1ec7 th\u1ed1ng. 
Uy t\u00edn th\u01b0\u01a1ng hi\u1ec7u b\u1ecb \u1ea3nh h\u01b0\u1edfng nghi\u00eam tr\u1ecdng.<\/li>\n<li><strong>M\u1ea5t quy\u1ec1n ki\u1ec3m so\u00e1t h\u1ec7 th\u1ed1ng:<\/strong> K\u1ebb t\u1ea5n c\u00f4ng c\u00f3 th\u1ec3 gi\u00e0nh quy\u1ec1n ki\u1ec3m so\u00e1t server, c\u00e0i \u0111\u1eb7t ph\u1ea7n m\u1ec1m \u0111\u1ed9c h\u1ea1i, bi\u1ebfn website th\u00e0nh m\u1ed9t ph\u1ea7n c\u1ee7a botnet \u0111\u1ec3 th\u1ef1c hi\u1ec7n c\u00e1c cu\u1ed9c t\u1ea5n c\u00f4ng kh\u00e1c.<\/li>\n<li><strong>Thay \u0111\u1ed5i ho\u1eb7c x\u00f3a d\u1eef li\u1ec7u<\/strong>: Hacker c\u00f3 th\u1ec3 s\u1eeda \u0111\u1ed5i, x\u00f3a ho\u1eb7c ph\u00e1 h\u1ee7y d\u1eef li\u1ec7u quan tr\u1ecdng, g\u00e2y m\u1ea5t m\u00e1t ho\u1eb7c sai l\u1ec7ch th\u00f4ng tin h\u1ec7 th\u1ed1ng.<\/li>\n<li><strong>M\u1ea5t t\u00ednh to\u00e0n v\u1eb9n v\u00e0 b\u1ea3o m\u1eadt d\u1eef li\u1ec7u<\/strong>: D\u1eef li\u1ec7u c\u00f3 th\u1ec3 b\u1ecb thay \u0111\u1ed5i m\u00e0 kh\u00f4ng \u0111\u01b0\u1ee3c ph\u00e9p, l\u00e0m gi\u1ea3m \u0111\u1ed9 tin c\u1eady v\u00e0 an to\u00e0n c\u1ee7a h\u1ec7 th\u1ed1ng.<\/li>\n<li><strong>Th\u1ef1c thi l\u1ec7nh nguy hi\u1ec3m tr\u00ean m\u00e1y ch\u1ee7<\/strong>: K\u1ebb t\u1ea5n c\u00f4ng c\u00f3 th\u1ec3 s\u1eed d\u1ee5ng SQL Injection \u0111\u1ec3 ch\u1ea1y c\u00e1c c\u00e2u l\u1ec7nh h\u1ec7 th\u1ed1ng, t\u1eeb \u0111\u00f3 ki\u1ec3m so\u00e1t m\u00e1y ch\u1ee7, c\u00e0i \u0111\u1eb7t m\u00e3 \u0111\u1ed9c, t\u1ea1o t\u00e0i kho\u1ea3n tr\u00e1i ph\u00e9p, hay k\u00edch ho\u1ea1t c\u00e1c d\u1ecbch v\u1ee5 t\u1eeb xa nh\u01b0 Remote Desktop.<\/li>\n<li><strong>T\u1ea5n c\u00f4ng t\u1eeb ch\u1ed1i d\u1ecbch v\u1ee5 (DoS)<\/strong>: G\u1eedi c\u00e1c truy v\u1ea5n \u0111\u1ed9c h\u1ea1i l\u00e0m qu\u00e1 t\u1ea3i h\u1ec7 th\u1ed1ng, khi\u1ebfn server ho\u1eb7c \u1ee9ng d\u1ee5ng b\u1ecb ch\u1eadm ho\u1eb7c ng\u1eebng ho\u1ea1t \u0111\u1ed9ng. 
(C\u00f3 th\u1ec3 g\u00e2y ra DoS trong m\u1ed9t s\u1ed1 tr\u01b0\u1eddng h\u1ee3p, nh\u01b0ng kh\u00f4ng ph\u1ea3i l\u00e0 m\u1ee5c ti\u00eau ph\u1ed5 bi\u1ebfn)<\/li>\n<li><strong>L\u00e2y nhi\u1ec5m m\u00e3 \u0111\u1ed9c<\/strong>: SQL Injection c\u00f3 th\u1ec3 tr\u1edf th\u00e0nh c\u00e1ch \u0111\u1ec3 hacker ch\u00e8n m\u00e3 \u0111\u1ed9c v\u00e0o h\u1ec7 th\u1ed1ng, t\u1eeb \u0111\u00f3 l\u00e2y lan \u0111\u1ebfn c\u00e1c m\u00e1y ch\u1ee7 kh\u00e1c ho\u1eb7c ng\u01b0\u1eddi d\u00f9ng cu\u1ed1i.<\/li>\n<li><strong>M\u1ea5t m\u00e1t t\u00e0i ch\u00ednh v\u00e0 uy t\u00edn<\/strong>: N\u1ebfu d\u1eef li\u1ec7u t\u00e0i ch\u00ednh b\u1ecb t\u1ea5n c\u00f4ng, t\u1ed5 ch\u1ee9c c\u00f3 th\u1ec3 ch\u1ecbu thi\u1ec7t h\u1ea1i n\u1eb7ng n\u1ec1 v\u1ec1 ti\u1ec1n b\u1ea1c, \u0111\u1ed3ng th\u1eddi m\u1ea5t uy t\u00edn v\u1edbi kh\u00e1ch h\u00e0ng v\u00e0 \u0111\u1ed1i t\u00e1c.<\/li>\n<li><strong>H\u1eadu qu\u1ea3 ph\u00e1p l\u00fd<\/strong>: C\u00e1c t\u1ed5 ch\u1ee9c c\u00f3 th\u1ec3 b\u1ecb x\u1eed ph\u1ea1t n\u1ebfu vi ph\u1ea1m quy \u0111\u1ecbnh v\u1ec1 b\u1ea3o v\u1ec7 d\u1eef li\u1ec7u do s\u1ef1 c\u1ed1 an ninh n\u00e0y.<\/li>\n<\/ul>\n<p>D\u00f9ng k\u1ef9 thu\u1eadt t\u1ea5n c\u00f4ng sql injection kh\u00f4ng ch\u1ec9 l\u00e0m m\u1ea5t d\u1eef li\u1ec7u m\u00e0 c\u00f2n c\u00f3 th\u1ec3 khi\u1ebfn h\u1ec7 th\u1ed1ng b\u1ecb chi\u1ebfm quy\u1ec1n ki\u1ec3m so\u00e1t ho\u00e0n to\u00e0n, g\u00e2y gi\u00e1n \u0111o\u1ea1n d\u1ecbch v\u1ee5 v\u00e0 t\u1ed5n th\u1ea5t nghi\u00eam tr\u1ecdng v\u1ec1 nhi\u1ec1u m\u1eb7t.<\/p>\n<figure id=\"attachment_32520\" aria-describedby=\"caption-attachment-32520\" style=\"width: 800px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-32520\" src=\"https:\/\/interdata.vn\/blog\/wp-content\/uploads\/2025\/08\/Hau-qua-cua-cac-cuoc-tan-cong-SQL-Injection.jpg\" alt=\"H\u1eadu qu\u1ea3 c\u1ee7a c\u00e1c cu\u1ed9c t\u1ea5n c\u00f4ng SQL Injection\" width=\"800\" height=\"500\" 
title=\"\" srcset=\"https:\/\/interdata.vn\/blog\/wp-content\/uploads\/2025\/08\/Hau-qua-cua-cac-cuoc-tan-cong-SQL-Injection.jpg 800w, https:\/\/interdata.vn\/blog\/wp-content\/uploads\/2025\/08\/Hau-qua-cua-cac-cuoc-tan-cong-SQL-Injection-300x188.jpg 300w, https:\/\/interdata.vn\/blog\/wp-content\/uploads\/2025\/08\/Hau-qua-cua-cac-cuoc-tan-cong-SQL-Injection-768x480.jpg 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><figcaption id=\"caption-attachment-32520\" class=\"wp-caption-text\">H\u1eadu qu\u1ea3 c\u1ee7a c\u00e1c cu\u1ed9c t\u1ea5n c\u00f4ng SQL Injection<\/figcaption><\/figure>\n<h2><span class=\"ez-toc-section\" id=\"Muc-tieu-cua-tan-cong-sql-injection\"><\/span>M\u1ee5c ti\u00eau c\u1ee7a t\u1ea5n c\u00f4ng sql injection<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>T\u1ea5n c\u00f4ng sql injection th\u01b0\u1eddng nh\u1eafm v\u00e0o m\u1ee5c ti\u00eau n\u00e0o? T\u1ea5n c\u00f4ng SQL Injection th\u01b0\u1eddng nh\u1eafm v\u00e0o c\u00e1c m\u1ee5c ti\u00eau l\u00e0 c\u00e1c \u1ee9ng d\u1ee5ng web c\u00f3 s\u1eed d\u1ee5ng c\u01a1 s\u1edf d\u1eef li\u1ec7u \u0111\u1ec3 l\u01b0u tr\u1eef th\u00f4ng tin. 
Common specific targets include:<\/p>\n<ul>\n<li>Websites that use a database, such as user login systems, online stores, forums and customer data management pages, where data entry forms or URL parameters are not checked carefully.<\/li>\n<li>Systems holding important data such as account information, user passwords, financial information, personal information or other sensitive data that the attacker wants to steal, modify or delete.<\/li>\n<li>Web applications with weak input handling that allow malicious SQL to be inserted directly into the query, such as login, search and data update forms.<\/li>\n<li>In addition, some attacks target database extension features such as xp_cmdshell in MSSQL to execute system commands and take control of the server.<\/li>\n<\/ul>\n<p>In short, the main targets are the points where the web application interacts with the database through SQL queries and where a vulnerability can be exploited to execute a malicious query, compromising data and system security.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Vi-du-ve-SQL-Injection\"><\/span>Examples of SQL Injection<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Concrete examples of SQL Injection attacks include the following cases:<\/p>\n<p><strong>Login bypass with the payload <code>' OR 1=1--<\/code><\/strong><\/p>\n<ul>\n<li>Suppose the SQL statement used to check a login is: <code>SELECT * FROM users WHERE username='input' AND password='input'<\/code><\/li>\n<li>If the attacker enters <code>' OR 1=1--<\/code> as the username, the query becomes: <code>SELECT * FROM users WHERE username='' OR 1=1--' AND password='...'<\/code><\/li>\n<li>Because <code>1=1<\/code> is always true and <code>--<\/code> comments out the rest of the statement, the query returns every user, letting the attacker log in without a password.<\/li>\n<\/ul>\n<p><strong>Dumping an entire table with <code>UNION SELECT<\/code><\/strong><\/p>\n<ul>\n<li>A URL with a parameter such as: <code>http:\/\/example.com\/items.asp?itemid=999 UNION SELECT username, password FROM users<\/code><\/li>\n<li>Here the SQL query is extended to fetch usernames and passwords from the <code>users<\/code> table, exposing sensitive data.<\/li>\n<\/ul>\n<p><strong>Executing destructive statements such as dropping a table<\/strong><\/p>\n<ul>\n<li>If the application does not validate its input, the attacker can pass: <code>itemid=999; DROP TABLE users<\/code><\/li>\n<li>The resulting query can execute the <code>DROP TABLE users<\/code> statement as well, deleting the entire user table.<\/li>\n<\/ul>\n<p><strong>Exploiting errors to probe for information<\/strong><\/p>\n<ul>\n<li>The error-based SQL Injection technique forces the database to return an error that contains information, for example: <code>' AND EXTRACTVALUE(1, CONCAT(0x7e, (SELECT version()), 0x7e))--<\/code><\/li>\n<li>The resulting error message is used to leak the database version and data.<\/li>\n<\/ul>\n<p>The examples above show how an attacker uses unvalidated input to change the structure of a query, and through that reads, modifies or destroys data in the system.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Cac-loai-SQL-Injection\"><\/span>Types of SQL Injection<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>SQL Injection attacks do not come in a single form; they are divided into several types based on how they are exploited and how the application responds.<\/p>\n<p>The common types of SQL Injection are:<\/p>\n<h3><span class=\"ez-toc-section\" id=\"In-band-SQLi-Tan-cong-SQLi-tren-cung-kenh\"><\/span>In-band SQLi (attacks over the same channel)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>This is the most common type of attack. 
The attacker uses the same communication channel to send the payload (malicious code) and to receive the results.<\/p>\n<ul>\n<li><strong>Error-based SQLi:<\/strong> The attacker uses SQL functions to trigger database errors, and extracts information from those error messages.<\/li>\n<li><strong>Union-based SQLi:<\/strong> The attacker uses the <code>UNION<\/code> operator to combine the results of a malicious <code>SELECT<\/code> with the results of the original <code>SELECT<\/code>, thereby retrieving data from other tables.<\/li>\n<\/ul>\n<figure id=\"attachment_32521\" aria-describedby=\"caption-attachment-32521\" style=\"width: 800px\" class=\"wp-caption aligncenter\"><img class=\"size-full wp-image-32521\" src=\"https:\/\/interdata.vn\/blog\/wp-content\/uploads\/2025\/08\/Cac-loai-tan-cong-SQL-Injection.jpg\" alt=\"Types of SQL Injection attacks\" width=\"800\" height=\"500\" \/><figcaption id=\"caption-attachment-32521\" class=\"wp-caption-text\">Types of SQL Injection attacks<\/figcaption><\/figure>\n<h3><span class=\"ez-toc-section\" id=\"Inferential-SQLi-Tan-cong-SQLi-suy-luan\"><\/span>Inferential SQLi (inference-based attacks)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>When the application does not display errors or data directly, the attacker has to &#8220;infer&#8221; the result by observing how the application reacts.<\/p>\n<ul>\n<li><strong>Blind SQLi (Boolean-based):<\/strong> The attacker sends SQL statements containing true\/false (Boolean) conditions. Based on whether the page's response changes or not, they determine each character of the data they want to extract.<\/li>\n<li><strong>Blind SQLi (Time-based):<\/strong> The attacker uses time-delay functions (for example <code>SLEEP()<\/code> in MySQL). If the application responds more slowly than usual, they know the malicious statement was executed successfully.<\/li>\n<\/ul>\n<h3><span class=\"ez-toc-section\" id=\"Out-of-band-SQLi-Tan-cong-SQLi-ngoai-kenh\"><\/span>Out-of-band SQLi (attacks over a separate channel)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>This type of attack occurs when the attacker cannot use the same channel to retrieve data. Instead, they force the database to send the data to a remote server they control, usually through the database's own networking features.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Cac-vu-tan-cong-SQL-Injection-noi-tieng\"><\/span>Notable SQL Injection attacks<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><strong>The large-scale attack of May 2017<\/strong>, in which more than 10,000 servers were hit by brute-force SQL Injection. The attackers used automated queries to find websites with exploitable security flaws, infecting them with malware and taking control of many servers in China and Taiwan.<\/p>\n<p><strong>The attack on CardSystems Solutions<\/strong>, a company that stored card payment databases. This was one of the first well-known SQL Injection attacks, and it led to a large leak of users' financial and personal information. The hackers exploited input forms that lacked input validation to inject malicious SQL and take control of the data server.<\/p>\n<p><strong>The attacks from roughly 2005 to 2008<\/strong>, including major attacks on government and large corporate sites. For example, in 2007 a UK government site was successfully attacked through a SQL Injection vulnerability, and a number of mass attacks were carried out by Chinese hackers during that period.<\/p>\n<p>All of these attacks exploited flaws in how web applications handled input, causing heavy damage to personal and financial data as well as to the reputation of the affected organizations and businesses.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Cach-nhan-dien-lo-hong-SQL-injection\"><\/span>How to identify SQL injection vulnerabilities<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>SQL Injection vulnerabilities are usually detected by testing the input of entry fields or URL parameters, entering special characters such as a single quote (') or SQL fragments that cause an error or alter 
\u0111\u1ed5i c\u1ea5u tr\u00fac truy v\u1ea5n, r\u1ed3i quan s\u00e1t ph\u1ea3n h\u1ed3i c\u1ee7a h\u1ec7 th\u1ed1ng.<\/p>\n<p>N\u1ebfu xu\u1ea5t hi\u1ec7n l\u1ed7i b\u1ea5t th\u01b0\u1eddng (v\u00ed d\u1ee5: th\u00f4ng b\u00e1o l\u1ed7i \u201cInternal Server Error\u201d), trang tr\u1eafng, ho\u1eb7c ph\u1ea3n h\u1ed3i kh\u00f4ng ph\u00f9 h\u1ee3p th\u00ec r\u1ea5t c\u00f3 th\u1ec3 \u1ee9ng d\u1ee5ng c\u00f3 l\u1ed7 h\u1ed5ng SQL Injection.<\/p>\n<figure id=\"attachment_32524\" aria-describedby=\"caption-attachment-32524\" style=\"width: 800px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-32524\" src=\"https:\/\/interdata.vn\/blog\/wp-content\/uploads\/2025\/08\/Cach-phat-hien-lo-hong-SQL-injection.jpg\" alt=\"C\u00e1ch ph\u00e1t hi\u1ec7n l\u1ed7 h\u1ed5ng SQL injection\" width=\"800\" height=\"500\" title=\"\" srcset=\"https:\/\/interdata.vn\/blog\/wp-content\/uploads\/2025\/08\/Cach-phat-hien-lo-hong-SQL-injection.jpg 800w, https:\/\/interdata.vn\/blog\/wp-content\/uploads\/2025\/08\/Cach-phat-hien-lo-hong-SQL-injection-300x188.jpg 300w, https:\/\/interdata.vn\/blog\/wp-content\/uploads\/2025\/08\/Cach-phat-hien-lo-hong-SQL-injection-768x480.jpg 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><figcaption id=\"caption-attachment-32524\" class=\"wp-caption-text\">C\u00e1ch ph\u00e1t hi\u1ec7n l\u1ed7 h\u1ed5ng SQL injection<\/figcaption><\/figure>\n<p>C\u00e1c ph\u01b0\u01a1ng ph\u00e1p c\u1ee5 th\u1ec3 \u0111\u1ec3 ph\u00e1t hi\u1ec7n bao g\u1ed3m:<\/p>\n<ul>\n<li>Th\u1eed nh\u1eadp k\u00fd hi\u1ec7u \u0111\u01a1n gi\u1ea3n nh\u01b0 d\u1ea5u nh\u00e1y \u0111\u01a1n (&#8216;) ho\u1eb7c d\u1ea5u nh\u00e1y k\u00e9p (&#8220;) v\u00e0o c\u00e1c tr\u01b0\u1eddng nh\u1eadp li\u1ec7u nh\u01b0 \u00f4 \u0111\u0103ng nh\u1eadp, t\u00ecm ki\u1ebfm, ho\u1eb7c c\u00e1c tham s\u1ed1 URL, ki\u1ec3m tra xem h\u1ec7 th\u1ed1ng c\u00f3 ph\u1ea3n h\u1ed3i l\u1ed7i hay kh\u00f4ng.<\/li>\n<li>Th\u1eed c\u00e1c payload 
ph\u1ed5 bi\u1ebfn nh\u01b0 &#8216; or 1=1&#8211;, &#8221; or 1=1&#8211;, hay &#8216; or &#8216;a&#8217;=&#8217;a \u0111\u1ec3 xem h\u1ec7 th\u1ed1ng c\u00f3 ph\u1ea3n \u1ee9ng v\u1edbi c\u00e1c truy v\u1ea5n SQL b\u1ecb b\u1ebb g\u00e3y hay kh\u00f4ng.<\/li>\n<li>Quan s\u00e1t c\u00e1c l\u1ed7i tr\u1ea3 v\u1ec1 t\u1eeb c\u01a1 s\u1edf d\u1eef li\u1ec7u, v\u00ed d\u1ee5 l\u1ed7i c\u00fa ph\u00e1p SQL ho\u1eb7c c\u00e1c th\u00f4ng b\u00e1o l\u1ed7i b\u1ea5t th\u01b0\u1eddng.<\/li>\n<li>Ki\u1ec3m tra t\u00ednh nh\u1ea5t qu\u00e1n c\u1ee7a k\u1ebft qu\u1ea3 v\u1edbi c\u00e1c \u0111i\u1ec1u ki\u1ec7n logic nh\u01b0 OR 1=1 (lu\u00f4n \u0111\u00fang) ho\u1eb7c OR 1=2 (lu\u00f4n sai) \u0111\u1ec3 ph\u00e1t hi\u1ec7n thay \u0111\u1ed5i trong k\u1ebft qu\u1ea3 tr\u1ea3 v\u1ec1, t\u1eeb \u0111\u00f3 x\u00e1c \u0111\u1ecbnh l\u1ed7 h\u1ed5ng.<\/li>\n<li>S\u1eed d\u1ee5ng c\u00e1c ph\u01b0\u01a1ng ph\u00e1p t\u1ea5n c\u00f4ng d\u1ef1a tr\u00ean th\u1eddi gian (time-based) \u0111\u1ec3 \u0111o ph\u1ea3n h\u1ed3i ch\u1eadm c\u1ee7a h\u1ec7 th\u1ed1ng khi th\u1ef1c hi\u1ec7n c\u00e1c truy v\u1ea5n \u0111\u1eb7c bi\u1ec7t.<\/li>\n<li>Xem x\u00e9t logs c\u1ee7a m\u00e1y ch\u1ee7 \u0111\u1ec3 t\u00ecm d\u1ea5u hi\u1ec7u truy v\u1ea5n b\u1ea5t th\u01b0\u1eddng ho\u1eb7c l\u1ed7i t\u1eeb c\u01a1 s\u1edf d\u1eef li\u1ec7u.<\/li>\n<li>D\u00f9ng c\u00e1c c\u00f4ng c\u1ee5 t\u1ef1 \u0111\u1ed9ng nh\u01b0 SQLMap, Burp Suite, OWASP ZAP \u0111\u1ec3 qu\u00e9t v\u00e0 ph\u00e1t hi\u1ec7n l\u1ed7 h\u1ed5ng SQL Injection m\u1ed9t c\u00e1ch ch\u00ednh x\u00e1c v\u00e0 hi\u1ec7u qu\u1ea3 h\u01a1n.<\/li>\n<\/ul>\n<p>Vi\u1ec7c ph\u00e1t hi\u1ec7n l\u1ed7 h\u1ed5ng SQL Injection b\u1eaft \u0111\u1ea7u t\u1eeb ki\u1ec3m tra th\u1ee7 c\u00f4ng \u0111\u01a1n gi\u1ea3n v\u1edbi c\u00e1c k\u00fd t\u1ef1 \u0111\u1eb7c bi\u1ec7t v\u00e0 c\u00e1c payload th\u00f4ng d\u1ee5ng, quan s\u00e1t l\u1ed7i ho\u1eb7c ph\u1ea3n h\u1ed3i b\u1ea5t th\u01b0\u1eddng, v\u00e0 c\u00f3 th\u1ec3 n\u00e2ng cao s\u1eed 
d\u1ee5ng c\u00e1c c\u00f4ng c\u1ee5 t\u1ef1 \u0111\u1ed9ng chuy\u00ean d\u1ee5ng \u0111\u1ec3 ki\u1ec3m tra s\u00e2u h\u01a1n.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Cach-phong-chong-SQL-Injection-hieu-qua\"><\/span>C\u00e1ch ph\u00f2ng ch\u1ed1ng SQL Injection hi\u1ec7u qu\u1ea3<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Nh\u1eefng c\u00e1ch ph\u00f2ng ch\u1ed1ng t\u1ea5n c\u00f4ng SQL Injection \u0111\u00f2i h\u1ecfi s\u1ef1 k\u1ebft h\u1ee3p c\u1ee7a nhi\u1ec1u bi\u1ec7n ph\u00e1p k\u1ef9 thu\u1eadt v\u00e0 quy tr\u00ecnh b\u1ea3o m\u1eadt. D\u01b0\u1edbi \u0111\u00e2y l\u00e0 nh\u1eefng ph\u01b0\u01a1ng ph\u00e1p hi\u1ec7u qu\u1ea3 nh\u1ea5t m\u00e0 c\u00e1c l\u1eadp tr\u00ecnh vi\u00ean v\u00e0 qu\u1ea3n tr\u1ecb vi\u00ean h\u1ec7 th\u1ed1ng c\u1ea7n \u00e1p d\u1ee5ng.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Su-dung-Prepared-Statements-voi-parameterized-queries\"><\/span>S\u1eed d\u1ee5ng Prepared Statements v\u1edbi parameterized queries<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>S\u1eed d\u1ee5ng Prepared Statements v\u1edbi parameterized queries l\u00e0 ph\u01b0\u01a1ng ph\u00e1p ph\u00f2ng ch\u1ed1ng <strong>\u0111\u01b0\u1ee3c khuy\u1ebfn kh\u00edch nh\u1ea5t<\/strong>. Thay v\u00ec gh\u00e9p chu\u1ed7i truy v\u1ea5n tr\u1ef1c ti\u1ebfp t\u1eeb d\u1eef li\u1ec7u ng\u01b0\u1eddi d\u00f9ng, b\u1ea1n s\u1eed d\u1ee5ng c\u00e1c tham s\u1ed1 (placeholder) \u0111\u1ec3 \u0111\u00e1nh d\u1ea5u v\u1ecb tr\u00ed d\u1eef li\u1ec7u s\u1ebd \u0111\u01b0\u1ee3c \u0111\u01b0a v\u00e0o. 
C\u01a1 s\u1edf d\u1eef li\u1ec7u s\u1ebd ph\u00e2n t\u00edch c\u00fa ph\u00e1p truy v\u1ea5n tr\u01b0\u1edbc khi nh\u1eadn d\u1eef li\u1ec7u, \u0111\u1ea3m b\u1ea3o r\u1eb1ng d\u1eef li\u1ec7u \u0111\u1ea7u v\u00e0o kh\u00f4ng th\u1ec3 thay \u0111\u1ed5i c\u1ea5u tr\u00fac c\u1ee7a c\u00e2u l\u1ec7nh SQL.<\/p>\n<p>V\u00ed d\u1ee5: Thay v\u00ec <code>SELECT * FROM users WHERE username = ' $username'<\/code>, b\u1ea1n s\u1ebd d\u00f9ng Prepared Statements: <code>SELECT * FROM users WHERE username = ?<\/code><\/p>\n<h3><span class=\"ez-toc-section\" id=\"Kiem-tra-va-loc-du-lieu-dau-vao\"><\/span>Ki\u1ec3m tra v\u00e0 l\u1ecdc d\u1eef li\u1ec7u \u0111\u1ea7u v\u00e0o<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Lu\u00f4n lu\u00f4n ki\u1ec3m tra v\u00e0 l\u00e0m s\u1ea1ch (sanitize) d\u1eef li\u1ec7u t\u1eeb ng\u01b0\u1eddi d\u00f9ng tr\u01b0\u1edbc khi s\u1eed d\u1ee5ng trong c\u00e2u l\u1ec7nh SQL. Lo\u1ea1i b\u1ecf c\u00e1c k\u00fd t\u1ef1 \u0111\u1eb7c bi\u1ec7t ho\u1eb7c c\u00e1c chu\u1ed7i c\u00f3 th\u1ec3 g\u00e2y nguy hi\u1ec3m. Tuy nhi\u00ean, ph\u01b0\u01a1ng ph\u00e1p n\u00e0y c\u00f3 th\u1ec3 kh\u00f4ng ho\u00e0n to\u00e0n hi\u1ec7u qu\u1ea3 n\u1ebfu kh\u00f4ng \u0111\u01b0\u1ee3c th\u1ef1c hi\u1ec7n m\u1ed9t c\u00e1ch c\u1ea9n th\u1eadn v\u00e0 \u0111\u1ea7y \u0111\u1ee7.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Su-dung-Tuong-lua-Ung-dung-Web-WAF\"><\/span>S\u1eed d\u1ee5ng T\u01b0\u1eddng l\u1eeda \u1ee8ng d\u1ee5ng Web (WAF)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>WAF l\u00e0 m\u1ed9t <strong>l\u1edbp b\u1ea3o v\u1ec7 b\u00ean ngo\u00e0i<\/strong>, gi\u00fap l\u1ecdc v\u00e0 ch\u1eb7n c\u00e1c y\u00eau c\u1ea7u \u0111\u1ed9c h\u1ea1i \u0111\u1ebfn \u1ee9ng d\u1ee5ng c\u1ee7a b\u1ea1n tr\u01b0\u1edbc khi ch\u00fang ch\u1ea1m t\u1edbi m\u00e1y ch\u1ee7. 
WAF c\u00f3 th\u1ec3 nh\u1eadn di\u1ec7n v\u00e0 ng\u0103n ch\u1eb7n c\u00e1c cu\u1ed9c t\u1ea5n c\u00f4ng SQL Injection th\u00f4ng qua c\u00e1c quy t\u1eafc v\u00e0 signature \u0111\u01b0\u1ee3c thi\u1ebft l\u1eadp. WAF c\u00f3 th\u1ec3 gi\u1ea3m thi\u1ec3u r\u1ee7i ro nh\u01b0ng kh\u00f4ng thay th\u1ebf l\u1eadp tr\u00ecnh an to\u00e0n.<\/p>\n<figure id=\"attachment_32522\" aria-describedby=\"caption-attachment-32522\" style=\"width: 800px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-32522\" src=\"https:\/\/interdata.vn\/blog\/wp-content\/uploads\/2025\/08\/Cach-ngan-chan-SQL-injection-hieu-qua-nhat.jpg\" alt=\"C\u00e1ch ng\u0103n ch\u1eb7n SQL injection hi\u1ec7u qu\u1ea3 nh\u1ea5t\" width=\"800\" height=\"500\" title=\"\" srcset=\"https:\/\/interdata.vn\/blog\/wp-content\/uploads\/2025\/08\/Cach-ngan-chan-SQL-injection-hieu-qua-nhat.jpg 800w, https:\/\/interdata.vn\/blog\/wp-content\/uploads\/2025\/08\/Cach-ngan-chan-SQL-injection-hieu-qua-nhat-300x188.jpg 300w, https:\/\/interdata.vn\/blog\/wp-content\/uploads\/2025\/08\/Cach-ngan-chan-SQL-injection-hieu-qua-nhat-768x480.jpg 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><figcaption id=\"caption-attachment-32522\" class=\"wp-caption-text\">C\u00e1ch ng\u0103n ch\u1eb7n SQL injection hi\u1ec7u qu\u1ea3 nh\u1ea5t<\/figcaption><\/figure>\n<h3><span class=\"ez-toc-section\" id=\"Phan-quyen-nguoi-dung-hop-ly\"><\/span>Ph\u00e2n quy\u1ec1n ng\u01b0\u1eddi d\u00f9ng h\u1ee3p l\u00fd<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Nguy\u00ean t\u1eafc \u00edt \u0111\u1eb7c quy\u1ec1n nh\u1ea5t (Principle of Least Privilege) c\u1ea7n \u0111\u01b0\u1ee3c \u00e1p d\u1ee5ng. 
Ch\u1ec9 c\u1ea5p cho t\u00e0i kho\u1ea3n truy c\u1eadp c\u01a1 s\u1edf d\u1eef li\u1ec7u nh\u1eefng quy\u1ec1n h\u1ea1n t\u1ed1i thi\u1ec3u c\u1ea7n thi\u1ebft \u0111\u1ec3 th\u1ef1c hi\u1ec7n ch\u1ee9c n\u0103ng c\u1ee7a \u1ee9ng d\u1ee5ng.<\/p>\n<p>V\u00ed d\u1ee5, t\u00e0i kho\u1ea3n k\u1ebft n\u1ed1i t\u1eeb \u1ee9ng d\u1ee5ng ch\u1ec9 n\u00ean c\u00f3 quy\u1ec1n <code>SELECT<\/code> v\u00e0 <code>INSERT<\/code>, kh\u00f4ng n\u00ean c\u00f3 quy\u1ec1n <code>DROP<\/code> hay <code>DELETE<\/code>.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Khong-cong-chuoi-de-tao-SQL\"><\/span>Kh\u00f4ng c\u1ed9ng chu\u1ed7i \u0111\u1ec3 t\u1ea1o SQL<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Kh\u00f4ng t\u1ea1o c\u00e2u l\u1ec7nh SQL b\u1eb1ng c\u00e1ch n\u1ed1i chu\u1ed7i (concatenation) tr\u1ef1c ti\u1ebfp v\u1edbi d\u1eef li\u1ec7u ng\u01b0\u1eddi d\u00f9ng m\u00e0 lu\u00f4n s\u1eed d\u1ee5ng tham s\u1ed1 h\u00f3a \u0111\u1ec3 tr\u00e1nh nguy c\u01a1 ch\u00e8n m\u00e3 \u0111\u1ed9c.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"An-thong-tin-loi-va-thong-bao-chi-tiet\"><\/span>\u1ea8n th\u00f4ng tin l\u1ed7i v\u00e0 th\u00f4ng b\u00e1o chi ti\u1ebft<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Kh\u00f4ng hi\u1ec3n th\u1ecb th\u00f4ng b\u00e1o l\u1ed7i chi ti\u1ebft ho\u1eb7c exception tr\u1ea3 v\u1ec1 t\u1eeb database ra ngo\u00e0i, v\u00ec tin t\u1eb7c c\u00f3 th\u1ec3 d\u1ef1a v\u00e0o \u0111\u00f3 \u0111\u1ec3 khai th\u00e1c c\u1ea5u tr\u00fac c\u01a1 s\u1edf d\u1eef li\u1ec7u.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Sao-luu-du-lieu-dinh-ky\"><\/span>Sao l\u01b0u d\u1eef li\u1ec7u \u0111\u1ecbnh k\u1ef3<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Th\u01b0\u1eddng xuy\u00ean backup d\u1eef li\u1ec7u \u0111\u1ec3 ph\u00f2ng tr\u01b0\u1eddng h\u1ee3p b\u1ecb t\u1ea5n c\u00f4ng ho\u1eb7c m\u1ea5t m\u00e1t d\u1eef li\u1ec7u th\u00ec c\u00f3 th\u1ec3 kh\u00f4i ph\u1ee5c nhanh ch\u00f3ng, gi\u1ea3m thi\u1ec3u thi\u1ec7t 
h\u1ea1i.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Han-che-quyen-cho-tai-khoan-ket-noi-database\"><\/span>H\u1ea1n ch\u1ebf quy\u1ec1n cho t\u00e0i kho\u1ea3n k\u1ebft n\u1ed1i database<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>S\u1eed d\u1ee5ng nguy\u00ean t\u1eafc \u00edt \u0111\u1eb7c quy\u1ec1n nh\u1ea5t (Principle of Least Privilege), ch\u1ec9 c\u1ea5p quy\u1ec1n v\u1eeba \u0111\u1ee7 cho t\u00e0i kho\u1ea3n \u1ee9ng d\u1ee5ng, tr\u00e1nh d\u00f9ng t\u00e0i kho\u1ea3n root ho\u1eb7c qu\u1ea3n tr\u1ecb \u0111\u1ec3 k\u1ebft n\u1ed1i \u1ee9ng d\u1ee5ng, nh\u1eb1m h\u1ea1n ch\u1ebf thi\u1ec7t h\u1ea1i khi b\u1ecb t\u1ea5n c\u00f4ng.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Su-dung-ORM-Frameworks\"><\/span>S\u1eed d\u1ee5ng ORM Frameworks<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>C\u00e1c framework ORM hi\u1ec7n \u0111\u1ea1i (nh\u01b0 Hibernate, Sequelize, TypeORM, Prisma) t\u1ef1 \u0111\u1ed9ng t\u1ea1o ra c\u00e1c truy v\u1ea5n an to\u00e0n, ORM gi\u00fap gi\u1ea3m nguy c\u01a1 khi s\u1eed d\u1ee5ng \u0111\u00fang c\u00e1ch, nh\u01b0ng v\u1eabn c\u00f3 th\u1ec3 b\u1ecb SQLi n\u1ebfu l\u1eadp tr\u00ecnh vi\u00ean vi\u1ebft raw query.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Ket-hop-bao-ve-da-lop-voi-RASP\"><\/span>K\u1ebft h\u1ee3p b\u1ea3o v\u1ec7 \u0111a l\u1edbp v\u1edbi RASP<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Ngo\u00e0i WAF, c\u00f3 th\u1ec3 s\u1eed d\u1ee5ng c\u00e1c gi\u1ea3i ph\u00e1p runtime application self-protection (RASP) \u0111\u1ec3 gi\u00e1m s\u00e1t v\u00e0 b\u1ea3o v\u1ec7 \u1ee9ng d\u1ee5ng trong qu\u00e1 tr\u00ecnh th\u1ef1c thi, k\u1ecbp th\u1eddi ph\u00e1t hi\u1ec7n v\u00e0 ng\u0103n ch\u1eb7n c\u00e1c h\u00e0nh vi b\u1ea5t th\u01b0\u1eddng.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Kiem-thu-bao-mat-dinh-ky\"><\/span>Ki\u1ec3m th\u1eed b\u1ea3o m\u1eadt \u0111\u1ecbnh k\u1ef3<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Th\u1ef1c hi\u1ec7n pentest chuy\u00ean nghi\u1ec7p 
k\u1ebft h\u1ee3p v\u1edbi vi\u1ec7c d\u00f9ng c\u00e1c c\u00f4ng c\u1ee5 qu\u00e9t t\u1ef1 \u0111\u1ed9ng nh\u01b0 SQLMap, OWASP ZAP th\u01b0\u1eddng xuy\u00ean \u0111\u1ec3 ph\u00e1t hi\u1ec7n v\u00e0 x\u1eed l\u00fd c\u00e1c l\u1ed7 h\u1ed5ng SQL Injection s\u1edbm.<\/p>\n<p>\u0110\u1ec3 ph\u00f2ng ch\u1ed1ng SQL Injection m\u1ed9t c\u00e1ch hi\u1ec7u qu\u1ea3 nh\u1ea5t c\u1ea7n \u00e1p d\u1ee5ng k\u1ebft h\u1ee3p nhi\u1ec1u bi\u1ec7n ph\u00e1p k\u1ef9 thu\u1eadt v\u00e0 qu\u1ea3n tr\u1ecb t\u1eeb vi\u1ec7c vi\u1ebft code an to\u00e0n, ki\u1ec3m tra d\u1eef li\u1ec7u, ph\u00e2n quy\u1ec1n, b\u1ea3o v\u1ec7 \u0111\u01b0\u1eddng truy\u1ec1n \u0111\u1ebfn ki\u1ec3m th\u1eed v\u00e0 gi\u00e1m s\u00e1t h\u1ec7 th\u1ed1ng li\u00ean t\u1ee5c.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Cac-cau-hoi-thuong-gap-ve-SQL-Injection-FAQs\"><\/span>C\u00e1c c\u00e2u h\u1ecfi th\u01b0\u1eddng g\u1eb7p v\u1ec1 SQL Injection (FAQs)<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<h3><span class=\"ez-toc-section\" id=\"SQL-Injection-co-nguy-hiem-khong\"><\/span>SQL Injection c\u00f3 nguy hi\u1ec3m kh\u00f4ng?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>SQL Injection l\u00e0 m\u1ed9t trong nh\u1eefng l\u1ed7 h\u1ed5ng b\u1ea3o m\u1eadt nguy hi\u1ec3m nh\u1ea5t. N\u00f3 c\u00f3 th\u1ec3 d\u1eabn \u0111\u1ebfn vi\u1ec7c r\u00f2 r\u1ec9 d\u1eef li\u1ec7u nh\u1ea1y c\u1ea3m, chi\u1ebfm quy\u1ec1n ki\u1ec3m so\u00e1t m\u00e1y ch\u1ee7 v\u00e0 g\u00e2y ra nh\u1eefng thi\u1ec7t h\u1ea1i nghi\u00eam tr\u1ecdng v\u1ec1 t\u00e0i ch\u00ednh, uy t\u00edn cho doanh nghi\u1ec7p.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"SQL-Injection-co-giong-voi-Cross-Site-Scripting-XSS-khong\"><\/span>SQL Injection c\u00f3 gi\u1ed1ng v\u1edbi Cross-Site Scripting (XSS) kh\u00f4ng?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Kh\u00f4ng, ch\u00fang l\u00e0 hai l\u1ed7 h\u1ed5ng kh\u00e1c nhau. 
SQL Injection nh\u1eafm v\u00e0o c\u01a1 s\u1edf d\u1eef li\u1ec7u c\u1ee7a \u1ee9ng d\u1ee5ng, trong khi XSS nh\u1eafm v\u00e0o ng\u01b0\u1eddi d\u00f9ng cu\u1ed1i b\u1eb1ng c\u00e1ch ch\u00e8n m\u00e3 \u0111\u1ed9c v\u00e0o trang web \u0111\u1ec3 ch\u1ea1y tr\u00ean tr\u00ecnh duy\u1ec7t c\u1ee7a h\u1ecd.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Lam-the-nao-de-hoc-ve-SQL-Injection\"><\/span>L\u00e0m th\u1ebf n\u00e0o \u0111\u1ec3 h\u1ecdc v\u1ec1 SQL Injection?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>B\u1ea1n c\u00f3 th\u1ec3 b\u1eaft \u0111\u1ea7u v\u1edbi c\u00e1c ngu\u1ed3n t\u00e0i li\u1ec7u tr\u1ef1c tuy\u1ebfn c\u1ee7a OWASP, tham gia c\u00e1c kh\u00f3a h\u1ecdc v\u1ec1 an to\u00e0n th\u00f4ng tin ho\u1eb7c th\u1ef1c h\u00e0nh tr\u00ean c\u00e1c n\u1ec1n t\u1ea3ng CTF (Capture The Flag) \u0111\u1ec3 hi\u1ec3u r\u00f5 h\u01a1n v\u1ec1 c\u00e1c k\u1ef9 thu\u1eadt t\u1ea5n c\u00f4ng v\u00e0 ph\u00f2ng ch\u1ed1ng.<\/p>\n<p>SQL Injection kh\u00f4ng ch\u1ec9 l\u00e0 m\u1ed9t l\u1ed7 h\u1ed5ng b\u1ea3o m\u1eadt \u0111\u01a1n gi\u1ea3n m\u00e0 c\u00f2n l\u00e0 c\u00e1nh c\u1eeda \u0111\u1ec3 hacker x\u00e2m nh\u1eadp, \u0111\u00e1nh c\u1eafp d\u1eef li\u1ec7u quan tr\u1ecdng v\u00e0 g\u00e2y thi\u1ec7t h\u1ea1i n\u1eb7ng n\u1ec1 cho doanh nghi\u1ec7p. 
Tuy nguy hi\u1ec3m, nh\u01b0ng v\u1edbi nh\u1eefng bi\u1ec7n ph\u00e1p ph\u00f2ng ch\u1ed1ng nh\u01b0 Prepared Statements, ORM Frameworks, ki\u1ec3m so\u00e1t input, v\u00e0 s\u1eed d\u1ee5ng Web Application Firewall (WAF), b\u1ea1n ho\u00e0n to\u00e0n c\u00f3 th\u1ec3 gi\u1ea3m thi\u1ec3u r\u1ee7i ro v\u00e0 b\u1ea3o v\u1ec7 h\u1ec7 th\u1ed1ng an to\u00e0n.<\/p>\n<p>Vi\u1ec7c hi\u1ec3u SQL Injection l\u00e0 g\u00ec v\u00e0 \u00e1p d\u1ee5ng c\u00e1c ph\u01b0\u01a1ng ph\u00e1p ph\u00f2ng ch\u1ed1ng ngay t\u1eeb kh\u00e2u ph\u00e1t tri\u1ec3n ph\u1ea7n m\u1ec1m ch\u00ednh l\u00e0 ch\u00eca kh\u00f3a gi\u00fap website c\u1ee7a b\u1ea1n an to\u00e0n, \u1ed5n \u0111\u1ecbnh v\u00e0 \u0111\u00e1ng tin c\u1eady h\u01a1n. N\u1ebfu b\u1ea1n \u0111ang t\u00ecm ki\u1ebfm gi\u1ea3i ph\u00e1p b\u1ea3o m\u1eadt ho\u1eb7c hosting an to\u00e0n, h\u00e3y tham kh\u1ea3o th\u00eam d\u1ecbch v\u1ee5 c\u1ee7a ch\u00fang t\u00f4i \u0111\u1ec3 \u0111\u01b0\u1ee3c h\u1ed7 tr\u1ee3 t\u1ed1t nh\u1ea5t.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>B\u1ea1n c\u00f3 bi\u1ebft r\u1eb1ng ch\u1ec9 v\u1edbi m\u1ed9t \u0111o\u1ea1n code nh\u1ecf, hacker c\u00f3 th\u1ec3 chi\u1ebfm quy\u1ec1n \u0111i\u1ec1u khi\u1ec3n to\u00e0n b\u1ed9 c\u01a1 s\u1edf d\u1eef li\u1ec7u website c\u1ee7a b\u1ea1n? \u0110\u00f3 ch\u00ednh l\u00e0 l\u1ed7 h\u1ed5ng SQL Injection (SQLi) \u2013 m\u1ed9t trong nh\u1eefng k\u1ef9 thu\u1eadt t\u1ea5n c\u00f4ng ph\u1ed5 bi\u1ebfn v\u00e0 nguy hi\u1ec3m nh\u1ea5t. 
Trong b\u00e0i vi\u1ebft n\u00e0y, ch\u00fang ta s\u1ebd<\/p>\n","protected":false},"author":11,"featured_media":32523,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[83],"tags":[],"class_list":["post-22491","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-bao-mat-an-ninh-mang"],"_links":{"self":[{"href":"https:\/\/interdata.vn\/blog\/wp-json\/wp\/v2\/posts\/22491","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/interdata.vn\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/interdata.vn\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/interdata.vn\/blog\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/interdata.vn\/blog\/wp-json\/wp\/v2\/comments?post=22491"}],"version-history":[{"count":5,"href":"https:\/\/interdata.vn\/blog\/wp-json\/wp\/v2\/posts\/22491\/revisions"}],"predecessor-version":[{"id":33346,"href":"https:\/\/interdata.vn\/blog\/wp-json\/wp\/v2\/posts\/22491\/revisions\/33346"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/interdata.vn\/blog\/wp-json\/wp\/v2\/media\/32523"}],"wp:attachment":[{"href":"https:\/\/interdata.vn\/blog\/wp-json\/wp\/v2\/media?parent=22491"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/interdata.vn\/blog\/wp-json\/wp\/v2\/categories?post=22491"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/interdata.vn\/blog\/wp-json\/wp\/v2\/tags?post=22491"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}