I noticed today that a specific user decided to create an account and spam the search on one of our websites. Alongside this, we've also witnessed a performance hit today, but I don't know if it is related. Is there a recommended way that I can prevent this from happening? The spam attack in question is below. Thank you!
Everything between a [ and ] is just a variable that I entered.
https://www.[my domain].com/search?q=-1%27or%2f**%2f1%3d1%2f**%2fand%2f**%2fisnull(ascii(substring(cast((select%20%20table_name%20from%20information_schema.tables%20where%20table_catalog%3d%27[database name]%27%20order%20by%20table_name%20offset%2038%20rows%20fetch%20next%201%20row%20only)as%2f**%2fvarchar(8000))%2c29%2c1))%2c0)%3e78--