Title: SQL Injection Attempt and Security
Last modified: April 6, 2023

---

# SQL Injection Attempt and Security

 *  Resolved [openedge1](https://wordpress.org/support/users/openedge1/)
 * (@openedge1)
 * [3 years, 2 months ago](https://wordpress.org/support/topic/sql-injection-attempt-and-security/)
 * So, yesterday, we had a site that uses your GetPaid addon, and we had a drive
   by SQL injection attempt. From what we can see, the addon creates invoices whether
   the attempt to pay is successful or not. With no captcha on your plugin, what
   other options are open to us to secure these forms better.
 * Right now, the plugin feels unusable if drive by attacks can destroy our mail
   rep (due to a multitude of emails about new invoices after the attack), and mass
   fill invoices creating an insecure environment of junk code.
 * Thoughts?

Viewing 6 replies - 1 through 6 (of 6 total)

 *  Plugin Author [Stiofan](https://wordpress.org/support/users/stiofansisland/)
 * (@stiofansisland)
 * [3 years, 2 months ago](https://wordpress.org/support/topic/sql-injection-attempt-and-security/#post-16632988)
 * Hi [@openedge1](https://wordpress.org/support/users/openedge1/),
 * That is not what SQL injection is 🙂
 * Yes, our system will create invoices even if the payment is not complete; this
   can also give the user the opportunity to complete it later via the email they
   receive.
 * You can turn off the new user email and you can also set checkout to require 
   login in Settings > Misc > **Checkout Settings**.
 * We have never really had any report of checkout spamming like you mention, if
   you can give more details, such as: was it multiple email addresses or the same
   email, how many were created, how fast were they created? If we need to add a
   captcha we will but it has not been an issue to this point.
 * If I can help further please let me know.
 * Thanks,
 * Stiofan
 *  Thread Starter [openedge1](https://wordpress.org/support/users/openedge1/)
 * (@openedge1)
 * [3 years, 2 months ago](https://wordpress.org/support/topic/sql-injection-attempt-and-security/#post-16633047)
 * Hello,
 * It was an SQL Injection attempt. We have the invoices showing the code for the
   inject…so, yes, it was an SQL injection attempt. They slammed the payment page
   over and over with code to attempt to break the site, DDoS style. This of course
   generated emails for each attempt.
 * The attempt was done in the wee hours of the morning for us. We were notified
   of the issue via a mass mailing alert. The website was sending tons of emails
   due to the attempt. All invoices show SQL code in the payment amount field.
 * We debated about the “sign up to checkout”, but with the type of websites, this
   is not feasible. The website owner needs to allow their customers to make quick
   payments.
 * Thus, yes, a Captcha, which GiveWP has, would be very helpful in this respect.
 * I can open a support ticket on your site if you need more info.
 *  Plugin Author [Stiofan](https://wordpress.org/support/users/stiofansisland/)
 * (@stiofansisland)
 * [3 years, 2 months ago](https://wordpress.org/support/topic/sql-injection-attempt-and-security/#post-16633187)
 * Ah ok, I understand now. This sounds like a bot of some sort. We have internally
   tested all our checkout fields for SQL injection and also had a 3rd party audit
   done, so there should not be an issue there. It just looks like a bot was trying
   its luck with any input fields. Once they realise nothing works they will probably
   move on.
 * I have set a task for adding a reCAPTCHA. If you want to open a ticket please
   title it “FAO Stiofan” and someone will assign it to me; I can then add any further
   details to the task.
 * Thanks,
 * Stiofan
 *  Thread Starter [openedge1](https://wordpress.org/support/users/openedge1/)
 * (@openedge1)
 * [3 years, 2 months ago](https://wordpress.org/support/topic/sql-injection-attempt-and-security/#post-16633304)
 * OK. And yes, this is exactly what happened. The “bot” was able to continually
   slam the site's payment form to attempt to inject code. It basically creates a
   mess, with tons of empty invoices and junk code (for example: why does the form
   allow code as the payment amount without any system checks to verify the price
   is a real number?), mass emails and a ton of junk in the database.
 * Some method to check for a human is really needed.
 * As long as you are working on some form of captcha, I do not need to open a ticket…
   but, a captcha is really needed from what I can see.
 *  Plugin Author [Stiofan](https://wordpress.org/support/users/stiofansisland/)
 * (@stiofansisland)
 * [3 years, 2 months ago](https://wordpress.org/support/topic/sql-injection-attempt-and-security/#post-16633344)
 * No problem, I have added the task; it will probably be worked on early next week.
   In regards to the price, we escape it in other ways but not as a number because
   some currencies have decimals and commas in weird places that do not fit into
   the standard numerical escape functions.
 * As I mentioned, it's the first report of this type of thing; I will try and report
   back here once released.
 * Thanks,
 * Stiofan
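The exchange above turns on one concrete point: an amount field that is escaped for storage but never validated as a number will happily store whatever a bot pastes into it, which is what filled the invoices and the mailbox here. The following is an added example (not GetPaid's code, and not the plugin author's approach) showing that locale-formatted prices such as `1.234,56` or `1 234,56` can still be validated strictly: the field is reduced to a positive `Decimal` or rejected outright, so anything that is not a price never reaches the database or the invoice e-mail. The sample submissions and the separator heuristic are constructed for illustration; when the store's currency settings are known, pass `decimal_sep` explicitly instead of relying on the guess.

```python
import re
from decimal import Decimal
from typing import Optional

# Only digits, spaces and the two separator characters may appear at all.
# Everything else (letters, quotes, semicolons, markup) is rejected up front.
_ALLOWED = re.compile(r"[0-9][0-9 .,]*")


def _guess_decimal_sep(s: str) -> Optional[str]:
    """Guess which of '.' or ',' is the decimal separator in a space-free string.

    Heuristic (an assumption of this example, not a standard):
      - both present: the one that occurs last is the decimal separator;
      - exactly one occurrence of one kind: decimal unless exactly three
        digits follow it, in which case it is read as thousands grouping;
      - otherwise there is no decimal part.
    """
    dots, commas = s.count("."), s.count(",")
    if dots and commas:
        return "." if s.rfind(".") > s.rfind(",") else ","
    if dots + commas == 1:
        sep = "." if dots else ","
        trailing = len(s) - s.rfind(sep) - 1
        return sep if trailing != 3 else None
    return None


def _grouping_ok(int_part: str, thousands: Optional[str]) -> bool:
    """Integer part must be digits, with thousands groups of exactly three."""
    groups = int_part.split(thousands) if thousands else [int_part]
    if not all(g.isdigit() for g in groups):
        return False
    if len(groups) == 1:
        return True
    return 1 <= len(groups[0]) <= 3 and all(len(g) == 3 for g in groups[1:])


def parse_amount(raw: str, decimal_sep: Optional[str] = None) -> Optional[Decimal]:
    """Return the submitted price as a positive Decimal, or None if it is not a price."""
    s = raw.strip().replace("\u00a0", " ")
    if not _ALLOWED.fullmatch(s):
        return None
    s = s.replace(" ", "")  # spaces are only ever thousands grouping
    if decimal_sep is None:
        decimal_sep = _guess_decimal_sep(s)
    elif decimal_sep not in (".", ","):
        raise ValueError("decimal_sep must be '.' or ','")

    if decimal_sep is None:
        present = {c for c in s if c in ".,"}
        if len(present) > 1:          # mixed separators but no decimal part
            return None
        thousands = present.pop() if present else None
        int_part, frac = s, ""
    else:
        thousands = "," if decimal_sep == "." else "."
        if s.count(decimal_sep) != 1:
            return None
        int_part, frac = s.split(decimal_sep)
        if not frac.isdigit() or len(frac) > 3:
            return None

    if not _grouping_ok(int_part, thousands):
        return None
    digits = int_part.replace(thousands, "") if thousands else int_part
    value = Decimal(digits + ("." + frac if frac else ""))
    return value if value > 0 else None


# Constructed sample submissions; the fifth imitates the kind of junk the
# thread describes landing in the amount field. None of these are real data.
SAMPLE_AMOUNTS = ["1,234.56", "1.234,56", "1 234,56", "99", "12' OR '1'='1",
                  "", "1,2,3", "0", "1.000"]


def classify_samples() -> dict:
    """Map each sample to its parsed Decimal, or None when it would be rejected."""
    return {s: parse_amount(s) for s in SAMPLE_AMOUNTS}


if __name__ == "__main__":
    for raw, value in classify_samples().items():
        print(f"{raw!r:20} -> {'REJECT' if value is None else value}")
```

Rejecting early (before storage, invoice creation or any e-mail is sent) is the property that matters: it is independent of escaping, which only protects the query, and it removes the junk-invoice and mail-flood side effects that the thread is about. The one genuinely ambiguous input, a single separator followed by three digits (`1.000`), is read as grouping; a store that knows its currency's decimal separator should pass it in rather than accept the guess.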
 *  Plugin Author [Stiofan](https://wordpress.org/support/users/stiofansisland/)
 * (@stiofansisland)
 * [3 years, 1 month ago](https://wordpress.org/support/topic/sql-injection-attempt-and-security/#post-16661576)
 * This has been added and will be released at some point this week.
 * Thanks,
 * Stiofan


The topic ‘SQL Injection Attempt and Security’ is closed to new replies.


 * 6 replies
 * 2 participants
 * Last reply from: [Stiofan](https://wordpress.org/support/users/stiofansisland/)
 * Last activity: [3 years, 1 month ago](https://wordpress.org/support/topic/sql-injection-attempt-and-security/#post-16661576)
 * Status: resolved