2

I'm working with a site that I did not create. It appears I'm dealing with a DDoS and/or SQL injection attack that involves querying the database through a URL string. I'm currently looking into the method of "adding slashes" to the query which I'm told would help is the attack if form-based:

http://php.net/manual/en/function.addslashes.php

If that doesn't work, I was curious if there was a way to simply limit how often queries can be performed per session, per IP or any other variable that might at least slow the attack. Thank you in advance.

sparecycle
  • 2,038
  • 5
  • 31
  • 58

2 Answers2

7

Yes, you can limit the usage per user per hour in MySQL:
http://dev.mysql.com/doc/refman/5.6/en/user-resources.html

However, most web apps use a single MySQL username for all application users. So this might just serve to throttle your whole website.

The addslashes function is not the right solution for preventing SQL injection. Every MySQL API includes a more appropriate escaping function, for example mysqli_real_escape_string() or PDO::quote().

But even better is to use prepared statements with query parameters instead of escaping and concatenating variables into SQL query strings.

Examples are easy to find if you examine other questions with the tag. One of the best answers is in How can I prevent SQL injection in PHP?

I wrote a popular presentation about this: SQL Injection Myths and Fallacies.

Community
  • 1
  • 1
Bill Karwin
  • 538,548
  • 86
  • 673
  • 828
  • Thankfully the origin dev team did use multiple MySQL users so there is that much. I will review your links and do some more research. Much appreciated Bill. – sparecycle Oct 21 '13 at 14:04
1
  1. How can I prevent SQL injection in PHP?
  2. Sorry, but first you need to understand what Distributed DOS attack is. Because neither per-session limit, nor per-IP will do any help. You may also wish to confirm if it really DOS attack at all, not just badly written code which slows down the site under simple spamming bots.
  3. You may wish to confirm, if it really injections at all. There are may questions already asking about injections where just silly spam-bots filling openly-accessed web-forms.

Frankly, you have to be WAY MORE CERTAIN with your question. Otherwise no direct highbrow answer will be of any actual help.

By the way, it is unclear from your question, and hardly believable, but if your site really running whole SQL queries received via GET request - no action or software would help.

Community
  • 1
  • 1
Your Common Sense
  • 156,878
  • 40
  • 214
  • 345
  • Based on logs, I am experiencing a huge spike in the number of connections to the site in very odd hours and from locations outside the primary geography of 90% of the users. Our CDN is already blocking a significant number of connections. This compounds the fact that code isn't exactly award winning PHP. Thank you for the link and the advice. – sparecycle Oct 21 '13 at 14:10