• Resolved Bogdan Gerasymenko

    (@kleindberg)


    Today, someone tried to inject SQL code via a GET request:
    https://mysite.com/?add-to-cart=50181111111111111%27%20UNION%20SELECT%20CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45)...

    My site was shut down due to a DDoS attack. So I decided it would be great if the ?add-to-cart request had some limits. For example, use a regex to filter non-numerical values and set a range from existing IDs (1-999999).

    How can I edit the ?add-to-cart request?

Viewing 3 replies - 1 through 3 (of 3 total)
  • Stef

    (@serafinnyc)

    First, I’d ask who are you hosting with? That plays a huge, huge part in this. Changing the URL or editing it will not impact this as the attackers will only learn the new URL in minutes.

  • madeincosmos

    (@madeincosmos)

    Automattic Happiness Engineer

    Hi @kleindberg,

    Sorry to hear that your site has been attacked. I can only imagine how frustrating it must be!

    When processing GET requests, WooCommerce automatically rejects any add to cart parameter that is not a number. You can find the code behind it in the includes/class-wc-form-handler.php file:

    https://github.com/woocommerce/woocommerce/blob/3.6.4/includes/class-wc-form-handler.php#L727:L729

    This means that the SQL injection code isn’t going to do any harm, as all such requests are going to be rejected. The particular code you’ve included in your message is a vulnerability test used by hacker bots to find out which sites will be a good game for an attack in the future:

    https://stackoverflow.com/questions/17439121/sql-injection-char45-120-49-45-81-45

    If your site has been taken down by a DDoS attack composed of such requests, the main problem is likely the volume rather than the content of any particular one. As @serafinnyc mentioned, the capability to withstand a large volume of requests depends mostly on the hosting. You may also consider setting up a CDN service such as Cloudflare that will serve your website files from multiple servers around the world and as a result decrease the risk that some of them won’t be able to handle the number of requests.

    Cheers!
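
The following is an added example, not code from this thread or from WooCommerce. It models the two points made above: the add-to-cart parameter is only useful to the shop if it is a plain product ID (here checked as digits only, which is stricter than a generic "is a number" test), and a probe like the one quoted in the question is therefore harmless on its own, while what matters for an outage is how many requests each source sends. The function scans constructed web-server access-log lines (sample data, not real traffic), URL-decodes the query string, classifies each add-to-cart value, and counts requests per source address. The 1-999999 range is the one the original poster proposed; the log format and function names are assumptions for this example.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines (Apache combined-style, simplified). The second
# line reuses the prefix of the probe quoted in the question; the others are
# made up to show an in-range ID, a non-numeric value and an unrelated request.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2019:12:00:01 +0000] "GET /?add-to-cart=50181 HTTP/1.1" 200 5120
203.0.113.9 - - [10/Jun/2019:12:00:02 +0000] "GET /?add-to-cart=50181111111111111%27%20UNION%20SELECT%20CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45) HTTP/1.1" 200 5120
203.0.113.9 - - [10/Jun/2019:12:00:02 +0000] "GET /?add-to-cart=1%20OR%201%3D1 HTTP/1.1" 200 5120
203.0.113.9 - - [10/Jun/2019:12:00:03 +0000] "GET /?add-to-cart=abc HTTP/1.1" 200 5120
203.0.113.7 - - [10/Jun/2019:12:00:04 +0000] "GET /?add-to-cart=999999 HTTP/1.1" 200 5120
198.51.100.4 - - [10/Jun/2019:12:00:05 +0000] "GET /product/foo/ HTTP/1.1" 200 5120
"""

# Assumed log layout: client IP, ident, user, [timestamp], "METHOD target PROTO", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+) '
)

# Upper bound of the product-ID range proposed in the question (assumption).
MAX_PRODUCT_ID = 999999


def classify_add_to_cart(raw, max_id=MAX_PRODUCT_ID):
    """Return 'accepted', 'out-of-range' or 'rejected' for one decoded value.

    Only a string of decimal digits can be a product ID, so anything carrying
    quotes, spaces or SQL keywords is rejected before it is interpreted at all.
    """
    if not raw.isdigit():
        return "rejected"
    product_id = int(raw)
    if product_id < 1 or product_id > max_id:
        return "out-of-range"
    return "accepted"


def add_to_cart_values(target):
    """Extract every decoded add-to-cart value from a request target."""
    query = urlsplit(target).query
    return parse_qs(query).get("add-to-cart", [])


def scan_log(text):
    """Classify every add-to-cart request in the log.

    Returns (verdicts, per_ip): a list of (ip, decoded value, verdict) tuples in
    log order, and a Counter of add-to-cart requests per client address.
    """
    per_ip = Counter()
    verdicts = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that do not fit the assumed format
        for raw in add_to_cart_values(match["target"]):
            per_ip[match["ip"]] += 1
            verdicts.append((match["ip"], raw, classify_add_to_cart(raw)))
    return verdicts, per_ip


def probe_sources(verdicts):
    """Addresses that sent at least one non-numeric add-to-cart value."""
    return sorted({ip for ip, _, verdict in verdicts if verdict == "rejected"})


if __name__ == "__main__":
    verdicts, per_ip = scan_log(SAMPLE_LOG)
    for ip, raw, verdict in verdicts:
        print(f"{ip:14} {verdict:13} {raw!r}")
    print("requests per source:", dict(per_ip))
    print("sources sending probes:", probe_sources(verdicts))
```

The per-source counter is the part that speaks to the outage: a single rejected probe costs the shop nothing, but thousands of requests per minute from a few addresses do, whatever their content, which is why the replies point at hosting capacity and a CDN rather than at rewriting the parameter.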

  • Thread Starter Bogdan Gerasymenko

    (@kleindberg)

    Thanks, everyone, for the consultation.

  • The topic ‘Add to cart SQL injection’ is closed to new replies.