Score:0

SQL injection POST attacks


Just found hundreds of POST requests to user registration pages on a Drupal site. No users are being registered but these requests are still getting 200 status from Drupal.

Are these requests doing any damage? Any preventive measures I can undertake other than blocking them through the firewall?

Post Data/Request Body:

"{\x22name\x22: \x22oXfxOznTkE\x22, \x22mail\x22: \[email protected]\x22, \x22form_build_id\x22: \x22form-FiEoO2JUzWA2PQIq0ryxRHqddnXXtEn0xoV6k4xvhrk\x22, \x22form_id\x22: \x22user_register_form\x22, \x22email\x22: \[email protected]\x22}"

Complete Request:

    213.155.160.239 - - [14/Apr/2023:03:27:02 +0000] "POST /user/register HTTP/1.1" 200 7167 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36" "-" "{\x22name\x22: \x22oXfxOznTkE\x22, \x22mail\x22: \[email protected]\x22, \x22form_build_id\x22: \x22form-FiEoO2JUzWA2PQIq0ryxRHqddnXXtEn0xoV6k4xvhrk\x22, \x22form_id\x22: \x22user_register_form\x22, \x22email\x22: \[email protected]\x22}"

Score:0

They do not do any damage because Drupal core sanitizes user input when querying the database.

How that is done from a programmer's perspective is explained in Writing secure code for Drupal / Use the database abstraction layer to avoid SQL injection attacks, where it is explained to never concatenate data directly into SQL queries, but use placeholders, as in the example code shown in that page.

    \Database::getConnection()->query('SELECT foo FROM {table} t WHERE t.name = :name', [':name' => $_GET['user']]);

Using code similar to the following, the site could be subject to SQL injection.

    \Database::getConnection()->query('SELECT foo FROM {table} t WHERE t.name = '. $_GET['user']);

If $_GET['user'] contains "" or "1" = "1", the resulting query would return any row in that table; if the data were then shown on a page, the user would see all the table content.
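
The difference between the two calls above, as an added example that is not part of the original answer or of Drupal's own code: plain PDO with an in-memory SQLite database stands in for Drupal's database layer, and the `accounts` table, its rows and the two function names are hypothetical. The payload is the answer's tautology, written with single quotes for SQLite.

```php
<?php
// Added example: PDO + in-memory SQLite as a stand-in for Drupal's database
// layer. Table, rows and function names are hypothetical (constructed data).

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE accounts (name TEXT, foo TEXT)');
$pdo->exec("INSERT INTO accounts VALUES ('alice', 'a-secret'), ('bob', 'b-secret')");

// Vulnerable pattern from the answer: the input is concatenated into the
// statement, so the database parses it as SQL rather than as a value.
function lookup_concatenated(PDO $pdo, string $user): array {
  $sql = 'SELECT foo FROM accounts t WHERE t.name = ' . $user;
  return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Placeholder pattern from the answer: the statement text is fixed and the
// input is bound to :name, so it is only ever compared as a string.
function lookup_placeholder(PDO $pdo, string $user): array {
  $stmt = $pdo->prepare('SELECT foo FROM accounts t WHERE t.name = :name');
  $stmt->execute([':name' => $user]);
  return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// The answer's tautology, with single quotes so SQLite reads string literals.
$payload = "'' OR '1' = '1'";

// Concatenated: the WHERE clause becomes a tautology and matches all rows.
echo "concatenated: ", json_encode(lookup_concatenated($pdo, $payload)), "\n";

// Placeholder: no account is literally named like the payload, so no match.
echo "placeholder:  ", json_encode(lookup_placeholder($pdo, $payload)), "\n";

// Placeholder with an ordinary value still works as a normal lookup.
echo "placeholder:  ", json_encode(lookup_placeholder($pdo, 'alice')), "\n";
```

Run it with the PHP CLI and the `pdo_sqlite` extension enabled; no Drupal installation is needed.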

JM John: Thanks - Really appreciate the detailed answer. Would these POST requests cause the Drupal cache to flush, as I believe the cache is flushed when a new user is added to the site?

apaderno: From what I can see, the cache is not cleared when a new account is created.

JM John: Thanks mate - much appreciated.