[wp-hackers] E-mail address and SQL injection
Bob
wp-hackers at nj-arp.org
Sat Oct 20 13:29:26 GMT 2007
WordPress is overly-restrictive on the e-mail addresses that it will accept.
Ticket #4616 proposes that all valid e-mail addresses should be accepted.
I'm concerned that one form of e-mail address may be a security problem.
Specifically, the following is a valid e-mail address:
"Put anything you want here"@example.com
The quoted string before the @ can contain any characters, including spaces
and other characters not otherwise accepted in an e-mail address. My
concern is that SQL commands could be placed in the string to perform an SQL
injection attack.
Does anyone know if this is a possibility? As part of #4616, I'm tempted to
prohibit the above form of e-mail addresses unless someone knows for certain
that it's safe. (Note that those addresses are currently rejected.)
Bob
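The concern above can be checked concretely. The following is an added example, not code from the thread or from WordPress: a constructed address with a quoted-string local part that carries an SQL fragment, a simplified RFC 5322 address check that (correctly) accepts it, and two lookups against an in-memory SQLite table. The address passes validation either way; whether it becomes an injection depends only on whether the query splices it into the SQL text or binds it as a parameter. The table, the sample users and the hostile address are all constructed for this example.

```python
import re
import sqlite3

# Constructed sample (not from the thread): a syntactically valid address whose
# quoted local part is  ' OR 1=1 OR '  -- legal qtext, hostile as SQL.
HOSTILE_EMAIL = "\"' OR 1=1 OR '\"@example.com"

# Simplified RFC 5322 addr-spec: dot-atom or quoted-string local part, then a
# dotted domain. Comments and folding whitespace are deliberately left out.
_DOT_ATOM = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+)*"
_QUOTED = r'"(?:[^"\\\r\n]|\\[\x20-\x7e])*"'
_DOMAIN = (
    r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)+"
)
ADDR_RE = re.compile(rf"^(?:{_DOT_ATOM}|{_QUOTED})@{_DOMAIN}$")


def is_valid_email(addr: str) -> bool:
    """Accept both local-part forms, including the quoted-string one."""
    return ADDR_RE.match(addr) is not None


def setup_db() -> sqlite3.Connection:
    """In-memory users table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, email TEXT UNIQUE)"
    )
    conn.executemany(
        "INSERT INTO users (login, email) VALUES (?, ?)",
        [("admin", "admin@example.com"), ("alice", "alice@example.com")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, email: str) -> list:
    """The pattern the post worries about: the address is spliced into SQL text.

    With HOSTILE_EMAIL the statement becomes
      ... WHERE email = '"' OR 1=1 OR '"@example.com' ORDER BY login
    so the quoted local part closes the literal and the OR 1=1 matches every row.
    """
    sql = "SELECT login FROM users WHERE email = '" + email + "' ORDER BY login"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    """Same query with a bound parameter: the address is data, never SQL."""
    sql = "SELECT login FROM users WHERE email = ? ORDER BY login"
    return [row[0] for row in conn.execute(sql, (email,))]


def register_and_fetch(conn: sqlite3.Connection, login: str, email: str) -> str:
    """Store a quoted-string address via a bound parameter and read it back verbatim."""
    conn.execute("INSERT INTO users (login, email) VALUES (?, ?)", (login, email))
    conn.commit()
    row = conn.execute("SELECT email FROM users WHERE login = ?", (login,)).fetchone()
    return row[0]


if __name__ == "__main__":
    db = setup_db()
    print("passes address check:", is_valid_email(HOSTILE_EMAIL))
    print("concatenated query returns:", lookup_unsafe(db, HOSTILE_EMAIL))
    print("parameterized query returns:", lookup_safe(db, HOSTILE_EMAIL))
    print("stored and read back:", register_and_fetch(db, "bob", HOSTILE_EMAIL))
    print("parameterized lookup after insert:", lookup_safe(db, HOSTILE_EMAIL))
```

Run as a script, the concatenated lookup returns both existing logins for an address that belongs to neither, while the parameterized lookup returns nothing until the address is actually stored, and then returns exactly the one matching row. The quoted-string form round-trips unchanged through the bound parameter, so rejecting it at validation time changes nothing about the query's safety; only the concatenation does.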