Magento 1.9 Security – How to Stop Spam Bots and SQL Injections
Tags: magento-1.9, search, security
How do I stop this?
Hundreds upon hundreds of these searches.
Best Answer
First of all: these were blind attacks that most likely did not have any effect; a successful SQL injection should not be possible with these search queries.
But it's still bad for two reasons:
The sheer number of these requests could consume too many resources if they arrive in a short time. As Anna Völk suggested in the comments, check your access logs to see whether they come from certain IP ranges, and block these IPs as soon as the requests start coming in.
Other users will see these searches as suggestions because they actually returned results. This is due to Magento's default LIKE search algorithm, where you get all results in which at least one word matches. Changing this from OR to AND improves the search results and makes searches like these return nothing, so they won't show up as suggestions anymore.
See also: Search Type: Like, Full Text or Combined?
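The log check the answer recommends, as an added example that is not part of the original answer: it scans a web-server access log for the two symptoms described (bursts of catalogsearch requests from one IP, and SQL-injection probes in the q= parameter) and renders the offenders as a block list. Assumptions not taken from the page: the Apache/nginx "combined" log format, Magento's default search URL /catalogsearch/result/?q=..., a hypothetical threshold of more than MAX_SEARCHES searches per WINDOW_SECONDS, and the constructed sample log embedded below.

```python
# Added example (not from the original answer): find IPs that hammer the
# Magento search or send SQL-injection probes, using a combined-format access log.
# Assumptions: log format, search URL, threshold and sample lines are all
# hypothetical / constructed for this example.
import re
from collections import defaultdict, deque
from datetime import datetime
from urllib.parse import parse_qs, urlparse

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
SEARCH_PATH = "/catalogsearch/result/"   # Magento 1.x default search controller
MAX_SEARCHES = 5                          # hypothetical threshold
WINDOW_SECONDS = 60
# Substrings that do not occur in a genuine product search but do in blind SQLi probes.
SQLI_MARKERS = ("'", '"', "--", "/*", " union ", "sleep(", "benchmark(")

# Constructed sample log (not real traffic): one shopper, one injection probe,
# one bot hammering the search with domain-name-like strings.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2015:10:00:01 +0000] "GET /catalogsearch/result/?q=red+shoes HTTP/1.1" 200 5123
203.0.113.7 - - [10/Mar/2015:10:00:05 +0000] "GET /index.php/customer/account/ HTTP/1.1" 200 3090
198.51.100.9 - - [10/Mar/2015:10:00:02 +0000] "GET /catalogsearch/result/?q=1%27+OR+1%3D1-- HTTP/1.1" 200 4811
198.51.100.9 - - [10/Mar/2015:10:00:03 +0000] "GET /catalogsearch/result/?q=www.example.com+UNION+SELECT+1 HTTP/1.1" 200 4811
192.0.2.5 - - [10/Mar/2015:10:00:10 +0000] "GET /catalogsearch/result/?q=www.aaaa-shop.tld HTTP/1.1" 200 4811
192.0.2.5 - - [10/Mar/2015:10:00:11 +0000] "GET /catalogsearch/result/?q=www.bbbb-shop.tld HTTP/1.1" 200 4811
192.0.2.5 - - [10/Mar/2015:10:00:12 +0000] "GET /catalogsearch/result/?q=www.cccc-shop.tld HTTP/1.1" 200 4811
192.0.2.5 - - [10/Mar/2015:10:00:13 +0000] "GET /catalogsearch/result/?q=www.dddd-shop.tld HTTP/1.1" 200 4811
192.0.2.5 - - [10/Mar/2015:10:00:14 +0000] "GET /catalogsearch/result/?q=www.eeee-shop.tld HTTP/1.1" 200 4811
192.0.2.5 - - [10/Mar/2015:10:00:15 +0000] "GET /catalogsearch/result/?q=www.ffff-shop.tld HTTP/1.1" 200 4811
192.0.2.5 - - [10/Mar/2015:10:00:16 +0000] "GET /catalogsearch/result/?q=www.gggg-shop.tld HTTP/1.1" 200 4811
203.0.113.7 - - [10/Mar/2015:10:00:30 +0000] "GET /catalogsearch/result/?q=blue+t-shirt HTTP/1.1" 200 5010
"""


def parse_line(line):
    """Parse one combined-format line; return None for lines that don't match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    url = urlparse(m.group("path"))
    q = parse_qs(url.query).get("q", [""])[0]   # URL-decoded search term
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "path": url.path,
        "q": q,
    }


def looks_like_injection(q):
    """Cheap marker check, good enough to triage a log; it is not a WAF."""
    low = q.lower()
    return any(marker in low for marker in SQLI_MARKERS)


def find_abusers(lines, max_searches=MAX_SEARCHES, window=WINDOW_SECONDS):
    """Return {ip: reason} for IPs that burst searches or send injection probes."""
    recent = defaultdict(deque)   # ip -> timestamps of its searches inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(SEARCH_PATH):
            continue
        ip = rec["ip"]
        if looks_like_injection(rec["q"]):
            flagged.setdefault(ip, "SQL injection probe in q=")
        window_q = recent[ip]
        window_q.append(rec["ts"])
        while (window_q[-1] - window_q[0]).total_seconds() > window:
            window_q.popleft()                 # slide the window forward
        if len(window_q) > max_searches:
            flagged.setdefault(ip, f"{len(window_q)} searches within {window}s")
    return flagged


def iptables_rules(flagged):
    """Render the block list as iptables commands, one per offending IP."""
    return [f"iptables -I INPUT -s {ip} -j DROP  # {why}"
            for ip, why in sorted(flagged.items())]


if __name__ == "__main__":
    for rule in iptables_rules(find_abusers(SAMPLE_LOG.splitlines())):
        print(rule)
```

Run it against a real log with `find_abusers(open("access.log"))`; the sliding window keeps memory bounded per IP rather than counting over the whole file, so a shopper who searches twice an hour is never flagged. In production the same threshold belongs at the edge (fail2ban or an nginx `limit_req` zone keyed on the client IP) so the requests never reach PHP at all.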
Check the length of the variable you get via the GET parameter. There's no need to accept a never-ending string.
Validate for a domain name. What kind of format do your expected domain names have? Is it always www.mydomain.tld? Create a regex that checks for a match or (better) use Zend_Validate_Hostname:
// Validate the raw GET parameter as a hostname before it is used anywhere.
$validator = new Zend_Validate_Hostname();
if ($validator->isValid($hostname)) {
    // hostname is valid - continue
}
Whitelisting: Do you know which domain names to expect? You could create a list of allowed domains and check against them. Drop the rest.
Blacklisting domain names and/or characters: If you expect a domain name, there's no need to accept any characters other than a-z, 0-9 and "." (unless you're working with special domain names).
The event observer system of Magento does not have its own mechanism to stop processing whatever happens after the event. So most of the time the only solution is to throw an exception and hope that it will be caught appropriately.
Depending on the code where the event is dispatched, this can yield different outcomes:
the exception gets caught and logged (or silently swallowed) and a generic error message is shown to the user
the exception gets caught and its message is shown to the user
the exception is not caught and the user sees the dreaded "There was an error processing your request" or a plain "Internal Server Error" page.
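The validation chain the answer above lists (length cap, hostname check, whitelist, restricted alphabet), as an added example that is not code from the original answer: it runs the checks in the order that drops junk cheapest-first, on a raw GET parameter, before the value reaches any query. Assumptions not taken from the page: the parameter is called `domain`, the length cap is 253 characters (the DNS limit for a full hostname), the alphabet is a-z, 0-9, "." and "-" (the answer allows only a-z, 0-9 and "."; the hyphen is added here because ordinary hostnames contain it), the hostname check is a plain RFC 1123 label check written here in the spirit of Zend_Validate_Hostname rather than that class itself, and the whitelist is hypothetical.

```python
# Added example (not from the original answer): validate a domain-name GET
# parameter by length, alphabet, hostname structure and whitelist.
# Assumptions: parameter name, length cap, alphabet (hyphen added) and the
# whitelist are hypothetical; the hostname check is a simplified RFC 1123 check.
import re
from urllib.parse import parse_qs

MAX_LEN = 253
# One DNS label (RFC 1123): 1-63 chars of a-z, 0-9, "-", not starting or ending with "-".
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
# Everything outside this alphabet (quotes, spaces, "=", "/", "%", ...) is rejected outright.
ALLOWED_RE = re.compile(r"^[a-z0-9.-]+$")
EXPECTED_DOMAINS = {"www.example.com", "shop.example.com"}   # hypothetical whitelist


def is_valid_hostname(value):
    """Structural hostname check: ASCII only, at least two labels, TLD not numeric."""
    if not value or len(value) > MAX_LEN:
        return False
    labels = value.split(".")
    if len(labels) < 2:                       # reject bare names such as "localhost"
        return False
    if not all(LABEL_RE.match(label) for label in labels):
        return False
    return not labels[-1].isdigit()           # rejects dotted-quad IPs like 192.0.2.1


def check_domain_param(raw, whitelist=EXPECTED_DOMAINS):
    """Validate one parameter value; returns (accepted, reason).

    Order matters: the length check runs first so a huge string never reaches a
    regex, and the alphabet check runs before the structural check so injection
    payloads are dropped before anything tries to interpret them.
    """
    if raw is None:
        return False, "missing"
    if len(raw) > MAX_LEN:
        return False, "too long"
    value = raw.strip().lower()
    if not value:
        return False, "missing"
    if not ALLOWED_RE.match(value):
        return False, "forbidden characters"
    if not is_valid_hostname(value):
        return False, "not a hostname"
    if whitelist is not None and value not in whitelist:
        return False, "not in whitelist"
    return True, "ok"


def check_query_string(query_string, whitelist=EXPECTED_DOMAINS):
    """Extract `domain` from a raw query string (URL-decoding it) and validate it."""
    params = parse_qs(query_string, keep_blank_values=True)
    raw = params.get("domain", [None])[0]
    return check_domain_param(raw, whitelist)


if __name__ == "__main__":
    for qs in ("domain=www.example.com",
               "domain=www.example.com%27+OR+1%3D1--",
               "domain=" + "a" * 300,
               "domain=192.0.2.1",
               "domain=www.evil.example"):
        print(qs[:48], "->", check_query_string(qs))
```

Pass `whitelist=None` when the set of expected domains is open-ended; the alphabet and hostname checks alone already reject every payload built from quotes, spaces, comment markers or encoded control characters, which is what the spam searches on this page consist of.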