J-BusinessDirectory - SQL Injection attack

Support Forum


Hi,

Today we have had an SQL Injection attempt on my site via the J-Business Directory. 

I was getting thousands of emails for "You have received a response for the review posted for the company".

I had to disable emails in Joomla to try and stop the emails from sending.

When I had a look in my Nginx access.log files I saw the following:

193.57.40.55 - - [11/Feb/2022:13:40:19 +0000] "GET /things-to-do/places-to-go/days-out-1/national-trust-3?firstName=%28SELECT%20CONCAT%280x71706b6b71%2C%28SELECT%20%28ELT%289033%3D9033%2C1%29%29%29%2C0x717a787071%29%29&lastName=1&email=1&review-response-terms-conditions=1&option=com_jbusinessdirectory&task=companies.saveReview Response&view=companies&reviewId=1&companyId=4746 HTTP/1.1" 303 5 "-" "Opera/9.00 (Windows NT 6.0; U; en)"

Can you please confirm if the J-Business directory code stops an SQL Injection?

Thanks
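To triage a burst like the one logged above, it helps to pull the suspicious parameters out of the access log rather than eyeballing URL-encoded lines. The script below is an added example, not code from the J-BusinessDirectory project or from anyone in this thread. It assumes the nginx `combined` log format, uses a small set of assumed detection rules, and runs over constructed sample lines that are only modelled on the request quoted in the post (the IPs are documentation addresses, not the one in the log). It also decodes MySQL-style `0x..` literals, which automated scanners commonly use as delimiters around injected output, so an analyst can read them.

```python
"""Scan nginx access-log lines for SQL-injection-looking query parameters.

Added example; not code from the J-BusinessDirectory project or the forum.
Assumes the nginx 'combined' log format. The sample lines are constructed.
"""
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample: line 1 mirrors the shape of the request in the post, line 2 is benign.
SAMPLE_LOG = (
    '203.0.113.5 - - [11/Feb/2022:13:40:19 +0000] "GET /things-to-do/days-out?'
    'firstName=%28SELECT%20CONCAT%280x71706b6b71%2C%28SELECT%20%28ELT%289033%3D9033%2C1%29%29%29'
    '%2C0x717a787071%29%29&lastName=1&email=1&option=com_jbusinessdirectory'
    '&task=companies.saveReviewResponse&view=companies&reviewId=1&companyId=4746 HTTP/1.1" '
    '303 5 "-" "Opera/9.00 (Windows NT 6.0; U; en)"\n'
    '198.51.100.7 - - [11/Feb/2022:13:41:02 +0000] "GET /things-to-do/days-out?'
    'option=com_jbusinessdirectory&view=companies&companyId=4746 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"\n'
)

# nginx "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Assumed rules, applied to each URL-decoded parameter value. Tune for your site;
# "comment-tail" in particular may fire on ordinary free-text fields.
SQLI_RULES = {
    "select-subquery": re.compile(r"\bselect\b[^;]*\b(concat|elt|from)\b", re.I),
    "union-select": re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),
    "time-based": re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I),
    "hex-literal": re.compile(r"\b0x[0-9a-f]{6,}\b", re.I),
    "tautology": re.compile(r"['\"]\s*(or|and)\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I),
    "comment-tail": re.compile(r"(--\s|/\*)"),
}


def decode_hex_literals(value: str) -> str:
    """Annotate MySQL-style 0x.. literals with their ASCII text so they are readable
    in a report; literals that are not printable ASCII are left untouched."""
    def repl(m):
        try:
            text = bytes.fromhex(m.group(1)).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            return m.group(0)
        return m.group(0) if not text.isprintable() else f"{m.group(0)}('{text}')"
    return re.sub(r"0x([0-9a-fA-F]{2,})", repl, value)


def classify_params(target: str):
    """Yield (name, decoded_value, [rule names]) for each query parameter that trips a rule."""
    query = urlsplit(target).query
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            hits = [rule for rule, rx in SQLI_RULES.items() if rx.search(value)]
            if hits:
                yield name, value, hits


def scan_log(text: str):
    """Return one finding per suspicious parameter: ip, time, status, param, value, rules."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        for name, value, hits in classify_params(m["target"]):
            findings.append({
                "ip": m["ip"], "time": m["time"], "status": m["status"],
                "param": name, "value": decode_hex_literals(value), "rules": hits,
            })
    return findings


def hits_per_ip(findings) -> Counter:
    """Count findings per source IP, the figure a rate-limit or WAF block rule keys on."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f"{f['ip']} {f['time']} {f['status']} {f['param']}={f['value']} rules={f['rules']}")
    print("per-IP:", dict(hits_per_ip(results)))
```

Run it against a real log with `scan_log(open("/var/log/nginx/access.log").read())`; the `hits_per_ip` counts are what you would feed into a fail2ban jail or an nginx `deny` list, while the annotated values (here the markers decode to `qpkkq` and `qzxpq`) tell you at a glance whether the probes are automated.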

4 replies

There is a security filter in place that escapes all parameters that are being accepted.
This is more like a spam attack. You can activate captcha in JBD to avoid this.

Also,

Akeeba Site Tools and your hosting provider have settings for spam attacks, SQLiShield protection, and more.

- See here: Admin Tools for Joomla! - Akeeba Ltd

Thanks for your help on this. 

Instead of installing Akeeba Site Tools, I have installed the Web Application Firewall, NAXSI as a Nginx Module. Hopefully this will block this type of spam attack!

You can have both.. laughing
