On 21/06/15 20:14, Mark Murphy wrote:
> But what does your application do when it gets an invalid SQL statement?
> Maybe it is telling the attacker something important about your database so
> that they can compromise it with the appropriate injection.

It just defaults to the first news article in this case ... and counts it as another hit on that article. We have never allowed free text SQL to be included in any query, and any variable passed via the URL to provide navigation is only ever passed as a parameter, so even if there was no filtering of the parameter it would just fail. I'd only expect a continued 'attack' if the URL was returning something useful so to carry on just did not make sense ...

--
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk
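
The pattern discussed in this message, as an added example that is not code from the post or from the site it describes: a navigation value from the URL is only ever bound as a parameter, and an invalid or unknown value falls back to the first article without returning any database error to the client. The `news` table, its columns, the `fetchArticle` helper and the sample inputs are assumptions; unlike the behaviour described above, this sketch writes the rejected value to the server log instead of counting the fallback as a hit.

```php
<?php
// Constructed schema and rows; table and column names are assumptions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, hits INTEGER DEFAULT 0)');
$db->exec("INSERT INTO news (id, title) VALUES (1, 'First article'), (2, 'Second article')");

// Hypothetical helper: fetch the article named by a URL parameter.
function fetchArticle(PDO $db, $rawId): array
{
    // Accept only a positive integer; anything else is treated as invalid.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    $row = false;
    if ($id !== false) {
        // The value is bound, never concatenated into the SQL text.
        $stmt = $db->prepare('SELECT id, title FROM news WHERE id = :id');
        $stmt->bindValue(':id', $id, PDO::PARAM_INT);
        $stmt->execute();
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
    }
    if ($row === false) {
        // Fallback to the first article; the detail goes to the server log,
        // not into the response, so the client learns nothing about the database.
        error_log('news: rejected id parameter ' . json_encode($rawId));
        $row = $db->query('SELECT id, title FROM news ORDER BY id LIMIT 1')
                  ->fetch(PDO::FETCH_ASSOC);
        $row['fallback'] = true;
        return $row;
    }
    // Only a genuine lookup counts as a hit.
    $hit = $db->prepare('UPDATE news SET hits = hits + 1 WHERE id = :id');
    $hit->execute([':id' => $row['id']]);
    $row['fallback'] = false;
    return $row;
}

// Constructed inputs: a valid id, a non-integer string, an unknown id, a missing value.
foreach (['2', '2 OR 1=1', '999', null] as $param) {
    $a = fetchArticle($db, $param);
    printf("%-12s -> article %d%s\n", json_encode($param), $a['id'],
        $a['fallback'] ? ' (fallback, logged)' : '');
}
```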