
Today someone with a bot tried to make a mess of my database by submitting a form on my website many, many times. In my database rows I've found fields filled with strings like these:

  1. -1 OR 2+562-562-1=0+0+0+1
  2. 555
  3. LJanLlog
  4. TwIvCbrf' OR 754=(SELECT 754 FROM PG_SLEEP(15))--
  5. 0"XOR(if(now()=sysdate(),sleep(15),0))XOR"Z
  6. if(now()=sysdate(),sleep(15),0)
  7. 0"XOR(if(now()=sysdate(),sleep(15),0))XOR"Z
  8. 1*DBMS_PIPE.RECEIVE_MESSAGE(CHR(99)||CHR(99)||CHR(99),15)

I've asked my provider to turn off my website.

How can I prevent something like this? Is there any way to check whether someone is submitting something like the above and, if so, redirect him without running the query?

I've already sanitized every field.

Thank you.

  • "I sanitized any field already" - are you using prepared statements for **all** queries, and escaping on **all** output? Filtering should be done for specific data types, but can't really account for everything. – Chris Haas Jun 11 '22 at 17:25
  • First change your form and add a captcha or a field that a user of your site would know but a bot would not, update everything, and then check your ome if all scripts are secure, with prepared statements. – nbk Jun 11 '22 at 17:29
  • How is this question even related to SQL injection? If you don't want bots to fill your forms with nonsense text then simply add a captcha. – Your Common Sense Jun 12 '22 at 05:11
  • Your Common Sense, thanks, I'm going to add a captcha. Do you know what the "cracker" tried to do? I've turned off the website for now, but is there a way to know if he succeeded? – Paolo De Feo Jun 12 '22 at 11:09
  • He was trying different SQL injections, but if you have your SQL inputs properly treated, then you already know he didn't succeed. FYI, every site in the world gets thousands of such requests every day. That's just wide-breadth scanning, just in case. – Your Common Sense Jun 12 '22 at 11:32
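The comments above recommend prepared statements and say the strings in the question are generic scanner probes. The script below is an added example (not code from the question or from any answer) that shows, in Python with the standard-library sqlite3 module, why prepared statements settle the asker's "did he succeed" worry: the same probe string that turns a concatenated `WHERE` clause into an always-true condition is stored as a plain literal when passed as a bound parameter. The `contacts` table, the column names and the helper function names are assumptions for the example; the submitted strings are the ones listed in the question. The `looks_like_probe` check at the end is only for logging and alerting on suspicious submissions; as Chris Haas notes, pattern filtering cannot account for everything and is not a substitute for parameterized queries.

```python
import re
import sqlite3

# Constructed sample: the strings from the question, as a bot would submit them
# (duplicates collapsed to one copy each).
BOT_SUBMISSIONS = [
    "-1 OR 2+562-562-1=0+0+0+1",
    "555",
    "LJanLlog",
    "TwIvCbrf' OR 754=(SELECT 754 FROM PG_SLEEP(15))--",
    '0"XOR(if(now()=sysdate(),sleep(15),0))XOR"Z',
    "if(now()=sysdate(),sleep(15),0)",
    "1*DBMS_PIPE.RECEIVE_MESSAGE(CHR(99)||CHR(99)||CHR(99),15)",
]


def open_db():
    """Hypothetical schema for the example: an in-memory table with two real rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.execute("INSERT INTO contacts (name) VALUES ('alice'), ('bob')")
    conn.commit()
    return conn


def save_submission(conn, name):
    """Store a form field with a bound parameter. The value travels separately from
    the SQL text, so it is written verbatim and never parsed as SQL."""
    conn.execute("INSERT INTO contacts (name) VALUES (?)", (name,))
    conn.commit()


def find_by_id_unsafe(conn, raw_id):
    """The pattern the probes are written for: user input concatenated into the query.
    The first probe string makes the WHERE clause '-1 OR 1=1', i.e. always true."""
    return conn.execute(
        f"SELECT name FROM contacts WHERE id = {raw_id} ORDER BY id"
    ).fetchall()


def find_by_id_safe(conn, raw_id):
    """Same lookup with a bound parameter: the probe is compared as one opaque value
    against the id column and matches nothing."""
    return conn.execute(
        "SELECT name FROM contacts WHERE id = ? ORDER BY id", (raw_id,)
    ).fetchall()


# Markers typical of the timing and boolean probes quoted in the question. Used only
# to tag submissions for logging; legitimate input can still slip past a list like this.
PROBE_MARKERS = re.compile(
    r"(pg_sleep|sleep\s*\(|dbms_pipe|benchmark\s*\(|\bor\b\s+\d)", re.IGNORECASE
)


def looks_like_probe(value):
    return bool(PROBE_MARKERS.search(value))


def stored_names(conn):
    """All bot-submitted rows (ids above the two seeded rows), in insertion order."""
    rows = conn.execute("SELECT name FROM contacts WHERE id > 2 ORDER BY id")
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = open_db()
    probe = BOT_SUBMISSIONS[0]
    print("unsafe:", find_by_id_unsafe(db, probe))   # every row leaks
    print("safe:  ", find_by_id_safe(db, probe))     # nothing matches
    for s in BOT_SUBMISSIONS:
        if looks_like_probe(s):
            print("flagged for review:", s)
        save_submission(db, s)                        # stored as literal text either way
    print("stored:", stored_names(db))
```

With bound parameters the database never sees the probe as SQL: no `PG_SLEEP`, `sleep()` or `DBMS_PIPE` call runs, and the row simply holds the nonsense string, which is what the asker observed. If the site's queries are all built this way, the stored junk is the whole extent of the damage; the captcha the commenters suggest then addresses the volume, not the injection risk.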
