Question

I'm working with a site that I did not create. It appears I'm dealing with a DDoS and/or SQL injection attack that involves querying the database through a URL string. I'm currently looking into the method of "adding slashes" to the query, which I'm told would help if the attack is form-based:

http://php.net/manual/en/function.addslashes.php

If that doesn't work, I was curious if there was a way to simply limit how often queries can be performed per session, per IP or any other variable that might at least slow the attack. Thank you in advance.

Solution

Yes, you can limit the usage per user per hour in MySQL:
http://dev.mysql.com/doc/refman/5.6/en/user-resources.html

However, most web apps use a single MySQL username for all application users. So this might just serve to throttle your whole website.

The addslashes function is not the right solution for preventing SQL injection. Every MySQL API includes a more appropriate escaping function, for example mysqli_real_escape_string() or PDO::quote().

But even better is to use prepared statements with query parameters instead of escaping and concatenating variables into SQL query strings.

Examples are easy to find if you examine other questions with the tag. One of the best answers is in How can I prevent SQL injection in PHP?

I wrote a popular presentation about this: SQL Injection Myths and Fallacies.
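To make the answer's three points concrete, here is the same lookup written with string concatenation (the pattern addslashes() is meant to patch), with the driver's own escaping function, and with a prepared statement. This is an added illustration, not code from the answer or from the asker's site; the `products` table, the DSN and the credentials are placeholders.

```php
<?php
// Added example (not from the original answer). Assumes a table
// products(id INT, name VARCHAR(100)) and PHP 7.4 or newer; the DSN and
// credentials below are placeholders.

// 1. Untrusted GET input concatenated straight into the SQL text. This is
//    the pattern the question is dealing with and is shown only as the
//    "before": a name value containing a quote changes the query.
function find_product_concat(mysqli $db, string $name)
{
    $sql = "SELECT id, name FROM products WHERE name = '" . $name . "'";
    return $db->query($sql);
}

// 2. Escaping with the driver's function (the answer's first alternative to
//    addslashes). Correct only when the value sits inside quotes and the
//    connection charset has been set via set_charset(), and every call site
//    has to remember to do it.
function find_product_escaped(mysqli $db, string $name)
{
    $safe = $db->real_escape_string($name);
    $sql  = "SELECT id, name FROM products WHERE name = '" . $safe . "'";
    return $db->query($sql);
}

// 3. Prepared statement with a bound parameter (the answer's recommendation).
//    The value is sent separately from the SQL text, so it can never be
//    parsed as SQL and there is nothing to escape.
function find_product_prepared(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM products WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage from a request handler (placeholder connection details):
$pdo = new PDO(
    'mysql:host=localhost;dbname=shop;charset=utf8mb4',
    'app_user',
    'app_password',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // let the server bind parameters
    ]
);

$name = $_GET['name'] ?? '';
$rows = find_product_prepared($pdo, $name);
header('Content-Type: application/json');
echo json_encode($rows);
```

Setting the charset in the DSN and turning off emulated prepares makes the server, not the PHP string layer, responsible for separating the parameter from the query. Compared with version 2, version 3 also has no per-call-site decision to get wrong, which is why the answer prefers it over any escaping function.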

OTHER TIPS

  1. How can I prevent SQL injection in PHP?
  2. Sorry, but first you need to understand what a Distributed DoS attack is, because neither a per-session limit nor a per-IP limit will be of any help. You may also wish to confirm whether it really is a DoS attack at all, and not just badly written code which slows down the site under simple spamming bots.
  3. You may wish to confirm whether it really is injection at all. There are many questions already asking about injections where it is just silly spam-bots filling openly accessible web forms.

Frankly, you have to be WAY MORE CERTAIN with your question. Otherwise no direct highbrow answer will be of any actual help.

By the way, it is unclear from your question, and hardly believable, but if your site is really running whole SQL queries received via GET request, no action or software would help.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow