SQL Injection Probe by User Agent

The following user-agent should be blacklisted due to SQL injection probing and occasional injection attempts:

Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+pt-PT;+rv:1.9.1.2)+Gecko/20090729+Firefox/3.5.2+(.NET+CLR+3.5.30729)


A common signature is URI query strings containing A=0 or 0=A.

It has been tracked from 448 unique IP addresses over the last 7 days for a total of 5384 requests.

Given that this user-agent string is significantly outdated, there should be little concern about dropping legitimate traffic.

Some example injection strings:

0'(%2f**%2fsElEcT+1+%2f**%2ffRoM(%2f**%2fsElEcT+count(*),%2f**%2fcOnCaT((%2f**%2fsElEcT(%2f**%2fsElEcT+%2f**%2fuNhEx(%2f**%2fhEx(%2f**%2fcOnCaT(char(33,126,33),0x4142433134355a5136324457514146504f4959434644,char(33,126,33)))))+%2f**%2ffRoM+information_schema.%2f**%2ftAbLeS+%2f**%2flImIt+0,1),floor(rand(0)*2))x+%2f**%2ffRoM+information_schema.%2f**%2ftAbLeS+%2f**%2fgRoUp%2f**%2fbY+x)a)+


(SeLeCt+1+FrOm(SeLeCt+count(*),CoNcAt((SeLeCt(SeLeCt+UnHeX(HeX(CoNcAt(char(33,126,33),0x4142433134355a5136324457514146504f4959434644,char(33,126,33)))))+FrOm+information_schema.TaBlEs+LiMiT+0,1),floor(rand(0)*2))x+FrOm+information_schema.TaBlEs+GrOuP+By+x)a)+and+1=1
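The detection the post describes, as an added Python example that is not the post's own code: it undoes the encoding, inline-comment and mixed-case tricks seen in the samples above, then flags the listed user-agent together with the A=0 / 0=A and information_schema markers. The log lines, IP addresses and column layout are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# User-agent called out in the post, as IIS-style logs record it ('+' for spaces).
FLAGGED_UA = ("Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+pt-PT;+rv:1.9.1.2)"
              "+Gecko/20090729+Firefox/3.5.2+(.NET+CLR+3.5.30729)")

# Query-side markers taken from the post's samples, applied after normalisation.
PROBE_MARKERS = [
    ("A=0 / 0=A probe", re.compile(r"\b(a=0|0=a)\b")),
    ("information_schema enumeration",
     re.compile(r"\bselect\b.*\bfrom\b.*information_schema")),
    ("rand()/group-by error-based probe",
     re.compile(r"count\(\*\).*floor\(rand\(0\)\*2\)")),
]

# Constructed sample lines (not from the post) in a reduced W3C layout:
# c-ip cs-uri-stem cs-uri-query cs(User-Agent)
SAMPLE_LOG = """\
203.0.113.7 /index.php id=1+and+A=0 {ua}
203.0.113.7 /index.php id=0'(%2f**%2fsElEcT+1+%2f**%2ffRoM+information_schema.%2f**%2ftAbLeS)+ {ua}
198.51.100.4 /index.php id=1 Mozilla/5.0+(Windows+NT+10.0)+Firefox/120.0
198.51.100.9 /index.php id=(SeLeCt+1+FrOm(SeLeCt+count(*),floor(rand(0)*2))x+FrOm+information_schema.TaBlEs+GrOuP+By+x)a)+and+1=1 Mozilla/5.0+(X11)
""".format(ua=FLAGGED_UA)

def normalize_query(raw: str) -> str:
    """Undo the evasions the samples use: %xx and '+' encoding, MySQL
    inline comments (/**/) between keywords, and mixed case."""
    decoded = unquote_plus(raw)
    decoded = re.sub(r"/\*.*?\*/", " ", decoded)
    return re.sub(r"\s+", " ", decoded).strip().lower()

def classify(line: str) -> dict:
    """Return the client IP and the list of reasons a request is suspect."""
    ip, _stem, query, ua = line.split(" ", 3)
    reasons = []
    if ua == FLAGGED_UA:
        reasons.append("blacklisted user-agent")
    norm = normalize_query(query)
    reasons += [label for label, pat in PROBE_MARKERS if pat.search(norm)]
    return {"ip": ip, "reasons": reasons}

def scan(log: str) -> list:
    """Suspect requests only, in log order."""
    return [r for r in map(classify, log.splitlines()) if r["reasons"]]

def offending_ips(log: str) -> list:
    """Distinct source IPs to feed a block list, as the post tallies them."""
    return sorted({r["ip"] for r in scan(log)})
```

Matching on the normalised query, not just the user-agent, catches the same probes when they arrive under a different browser string, as the last sample line shows.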

