A repeat visitor to my site keeps manipulating query strings. For example a valid page address would look like:
myPage.php?subject=3
This visitor has visited several times and keeps entering the following addresses:
myPage.php?subject=3%26%26SlEEp%283%29
myPage.php?subject=3%20AND%201=1
myPage.php?subject=3%20and%201%3E1
myPage.php?subject=3%20and%201%3D1
myPage.php?subject=32121121121212.1
I've tried blocking their IP, but they just return with a different one, although (so far) they've only used French IP addresses. On their latest visit, their HTTP_USER_AGENT was undefined, but in the past it has held these values:
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; elertz 2.4.179[128]; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; dial; E-nrgyPlus; .NET CLR 1.1.4322; InfoPath.1)
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36
Opera/9.27
I'm currently tracking all open sessions on the site. Would it be an effective and reasonable tactic to also track query failures and end any session that exceeds a specified number of failures? If so, what is a reasonable number of failures? Should I also end all sessions with an undefined user agent?
There is a similarly titled question here, "How should I detect and respond to bad actors who perform SQL injections?", but it seems specific to "Microsoft Azure".
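As an added example (not code from the question), here is how the `subject` parameter can be handled so that every address listed above is rejected before it reaches the database, with a prepared statement for the legitimate integer case and a per-session counter of rejected requests. The table name `subjects`, the PDO connection string, and the threshold of 5 rejections are assumptions for illustration.

```php
<?php
// Added example, not the asker's code. Assumed: a `subjects` table with
// `id` and `title` columns, a PDO DSN, and a rejection threshold of 5.

const MAX_REJECTED_PER_SESSION = 5; // assumed, tunable value

// Accept only a positive integer. $_GET is already URL-decoded, so
// "3&&SlEEp(3)", "3 AND 1=1", "3 and 1>1" and "32121121121212.1"
// all fail validation and never reach SQL.
function validateSubject(?string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Count rejected requests in the session; true means the threshold was reached.
function recordRejection(array &$session): bool
{
    $session['rejected'] = ($session['rejected'] ?? 0) + 1;
    return $session['rejected'] >= MAX_REJECTED_PER_SESSION;
}

// The only query path: a prepared statement with a bound integer parameter.
function fetchSubject(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, title FROM subjects WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

session_start();

$id = validateSubject($_GET['subject'] ?? null);
if ($id === null) {
    // Log what was rejected, by whom, and with which user agent (or "undefined").
    error_log(sprintf(
        'rejected subject=%s ip=%s ua=%s',
        $_GET['subject'] ?? '',
        $_SERVER['REMOTE_ADDR'] ?? '',
        $_SERVER['HTTP_USER_AGENT'] ?? 'undefined'
    ));
    if (recordRejection($_SESSION)) {
        session_destroy();
        http_response_code(403);
        exit;
    }
    http_response_code(400);
    exit('Invalid subject');
}

$db = new PDO('mysql:host=localhost;dbname=app', 'user', 'pass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$row = fetchSubject($db, $id);
```

Two points worth noting about the session counter. First, the validation and prepared statement are what actually close the hole; the counter only reduces noise. Second, a client that drops its cookie, as a visitor with an undefined user agent often does, gets a fresh session on every request, so a per-session threshold alone will rarely fire against such a visitor; the logged rejections are more useful when fed to IP- or network-based rate limiting (for example a WAF or fail2ban-style rule) than when acted on per session.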