Found 'OR 1=1/* sql injection in my newsletter database

Backend · unresolved · 4 answers · 1438 views
北海茫月 2021-02-07 04:02

I found the following in the "e-mail" field of my newsletter subscriber database: ' OR 1=1/*

I know it's a SQL injection, but that's it. I've goog

4 answers
  •  死守一世寂寞
    2021-02-07 04:52

    The specific value in your database isn't what you should be focusing on. This is likely the result of an attacker fuzzing your system to see if it is vulnerable to a set of standard attacks, instead of a targeted attack exploiting a known vulnerability.

    You should instead focus on ensuring that your application is secure against these types of attacks; OWASP is a good resource for this.

    If you're using parameterized queries to access the database, then you're secure against SQL injection, unless you're using dynamic SQL in the backend as well.

    If you're not doing this, you're vulnerable and you should resolve this immediately.

    Also, you should consider performing some sort of validation of e-mail addresses.
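The following is an added example, not code from the question or the answer above, showing the three points the answer makes side by side: a lookup built with string concatenation (dynamic SQL) that the stored value ' OR 1=1/* turns into a "return every row" query, the same lookup as a parameterized query, and a conservative e-mail syntax check run before the value reaches the database. It also includes a small triage helper that lists stored values carrying quote, comment or tautology fragments, which is what you would run to find other probes in the table. The table name `subscribers`, the three sample rows and all function names are assumptions made for the demonstration; the database is an in-memory SQLite instance so it runs offline. Note that the string being stored intact says nothing about other queries over that column (search, unsubscribe, admin listings): any of those built dynamically is the one that would be exploited.

```python
import re
import sqlite3

# Constructed sample data for the demonstration; PAYLOAD is the exact string
# the question reports finding in the "e-mail" column.
PAYLOAD = "' OR 1=1/*"
SAMPLE_SUBSCRIBERS = ["alice@example.org", "bob@example.net", PAYLOAD]

# Conservative syntax check. It rejects some RFC-valid addresses (quoted local
# parts, IP-literal domains) but accepts what a newsletter form will realistically see.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")


def looks_like_email(value: str) -> bool:
    """Input-validation gate to run before a value ever reaches SQL."""
    return len(value) <= 254 and EMAIL_RE.fullmatch(value) is not None


def open_demo_db() -> sqlite3.Connection:
    """In-memory SQLite table (assumed schema) seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subscribers (id INTEGER PRIMARY KEY, email TEXT NOT NULL)")
    conn.executemany("INSERT INTO subscribers (email) VALUES (?)",
                     [(e,) for e in SAMPLE_SUBSCRIBERS])
    conn.commit()
    return conn


def find_subscriber_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Dynamic SQL built by string concatenation: the caller controls the query text."""
    sql = "SELECT id, email FROM subscribers WHERE email = '" + email + "'"
    # For PAYLOAD the statement becomes:
    #   SELECT id, email FROM subscribers WHERE email = '' OR 1=1/*'
    # SQLite treats the unterminated /* as a comment running to the end of the
    # input, so the trailing quote is swallowed, 1=1 is always true, and every
    # subscriber row comes back.
    return conn.execute(sql).fetchall()


def find_subscriber_safe(conn: sqlite3.Connection, email: str) -> list:
    """Parameterized query: the value is bound as data and is never parsed as SQL."""
    return conn.execute(
        "SELECT id, email FROM subscribers WHERE email = ?", (email,)
    ).fetchall()


# Fragments typical of injection probes: quotes, SQL comment openers, and
# "OR <n>=<n>" tautologies. A hit is a triage candidate, not a verdict, since a
# quote is legal in an RFC 5322 local part.
SUSPICIOUS = re.compile(r"""['"]|--|/\*|\bOR\b\s+\d+\s*=\s*\d+""", re.IGNORECASE)


def find_probe_rows(conn: sqlite3.Connection) -> list:
    """List stored e-mail values that carry injection-probe fragments."""
    rows = conn.execute("SELECT id, email FROM subscribers").fetchall()
    return [(row_id, email) for row_id, email in rows if SUSPICIOUS.search(email)]


if __name__ == "__main__":
    db = open_demo_db()
    print("dynamic SQL, payload as input :", find_subscriber_vulnerable(db, PAYLOAD))
    print("parameterized, payload as input:", find_subscriber_safe(db, PAYLOAD))
    print("stored probe candidates        :", find_probe_rows(db))
    print("passes e-mail check?           :", looks_like_email(PAYLOAD),
          looks_like_email("alice@example.org"))
```

Run as a script it prints all three rows for the dynamic query, only the single row whose e-mail literally equals the payload for the parameterized one, the same row from the triage helper, and False/True for the validation check. The validation is a second layer, not a substitute for parameterization: a regex that happens to reject this probe will not reject every string that can break a concatenated query, and the parameterized lookup is what removes the vulnerability.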
