[wp-hackers] E-mail address and SQL injection

Bob wp-hackers at nj-arp.org
Sat Oct 20 15:20:17 GMT 2007


No, I think you misunderstood my post.  The following IS a VALID e-mail 
address and will be accepted by the referenced e-mail validation:

  "Some bad SQL code here"@example.com

If we allow the above VALID e-mail address, is it possible to include 
malicious SQL code?  I don't know enough about SQL to know if escaping all 
content before accessing the DB will work in this case.

Bob
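
An added example, not code from this thread or from WordPress, that answers the question above: when the address is passed to the database as a bound parameter rather than spliced into the SQL text, the quoted local part (single quotes, semicolons and spaces included) is stored verbatim and cannot alter the statement. The validator regex below is a simplified assumption that accepts both the usual dot-atom form and the RFC 2822 quoted-string form; it is not the regex from ticket #4616.

```python
import re
import sqlite3

# Simplified validator (assumed, not WordPress's): dot-atom local part or a
# double-quoted local part that may contain spaces and punctuation.
QUOTED_LOCAL = r'"(?:[^"\\\r\n]|\\.)*"'
DOT_ATOM = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+)*"
DOMAIN = r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}"
EMAIL_RE = re.compile(rf"^(?:{QUOTED_LOCAL}|{DOT_ATOM})@{DOMAIN}$")


def is_valid_email(addr: str) -> bool:
    """True for both plain and quoted-local-part addresses."""
    return EMAIL_RE.fullmatch(addr) is not None


def store_email(conn: sqlite3.Connection, addr: str) -> None:
    # Parameterised query: the address reaches the engine as a bound value,
    # never as part of the SQL text, so its contents cannot change the query.
    conn.execute("INSERT INTO users (email) VALUES (?)", (addr,))


def round_trip(addr: str):
    """Validate, store and read back one address in a throwaway database.

    Returns (accepted, stored_value, users_table_still_exists).
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL)")
    accepted = is_valid_email(addr)
    if accepted:
        store_email(conn, addr)
    rows = conn.execute("SELECT email FROM users").fetchall()
    table_alive = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='users'"
    ).fetchone()[0] == 1
    conn.close()
    return accepted, (rows[0][0] if rows else ""), table_alive


if __name__ == "__main__":
    # Constructed samples: the thread's own address plus one with a quote and
    # a semicolon inside the quoted local part, and one malformed address.
    for sample in ('"Some bad SQL code here"@example.com',
                   '"it\'s; not SQL"@example.com',
                   "Some bad@example.com"):
        print(sample, "->", round_trip(sample))
```

The stored value comes back character-for-character equal to the input, so the quoted form is a validation question, not an injection risk, as long as every query binds the address this way.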


----- Original Message ----- 
From: "Computer Guru" <computerguru at neosmart.net>
To: <wp-hackers at lists.automattic.com>
Sent: Saturday, October 20, 2007 11:13 AM
Subject: RE: [wp-hackers] E-mail address and SQL injection


It shouldn't be a problem in the current code which escapes all content 
before accessing the DB.

However, the whole point of that field is for a valid email address - so 
regardless of security implications or not, something that can't possibly be 
an email address shouldn't be accepted in the first place, IMHO....

That's what the regex proposed in that ticket 
<http://iamcal.com/publish/articles/php/parsing_email/> is for.

Computer Guru
NeoSmart Technologies
http://neosmart.net/

> -----Original Message-----
> From: wp-hackers-bounces at lists.automattic.com [mailto:wp-hackers-
> bounces at lists.automattic.com] On Behalf Of Bob
> Sent: Saturday, October 20, 2007 4:29 PM
> To: wp-hackers
> Subject: [wp-hackers] E-mail address and SQL injection
>
> WordPress is overly-restrictive on the e-mail addresses that it will
> accept.
> Ticket #4616 proposes that all valid e-mail addresses should be
> accepted.
> I'm concerned that one form of e-mail addresses may be a security
> problem.
>
> Specifically, the following is a valid e-mail address:
>
>   "Put anything you want here"@example.com
>
> The quoted string before the @ can contain any characters, including
> spaces
> and other characters not otherwise accepted in an e-mail address.  My
> concern is that SQL commands could be placed in the string to perform
> an SQL
> injection attack.
>
> Does anyone know if this is a possibility?  As part of #4616, I'm
> tempted to
> prohibit the above form of e-mail addresses unless someone knows for
> certain
> that it's safe.  (Note that those addresses are currently rejected.)
>
> Bob
>
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
