I'm working with a site that I did not create. It appears I'm dealing with a DDoS and/or SQL injection attack that involves querying the database through a URL string. I'm currently looking into the method of "adding slashes" to the query which I'm told would help is the attack if form-based:
http://php.net/manual/en/function.addslashes.php
If that doesn't work, I was curious if there was a way to simply limit how often queries can be performed per session, per IP or any other variable that might at least slow the attack. Thank you in advance.
Yes, you can limit the usage per user per hour in MySQL:
http://dev.mysql.com/doc/refman/5.6/en/user-resources.html
However, most web apps use a single MySQL username for all application users. So this might just serve to throttle your whole website.
The addslashes function is not the right solution for preventing SQL injection. Every MySQL API includes a more appropriate escaping function, for example mysqli_real_escape_string() or PDO::quote().
But even better is to use prepared statements with query parameters instead of escaping and concatenating variables into SQL query strings.
Examples are easy to find if you examine other questions with the sql-injection tag. One of the best answers is in How can I prevent SQL injection in PHP?
I wrote a popular presentation about this: SQL Injection Myths and Fallacies.