[wp-hackers] E-mail address and SQL injection
Rob Miller
r at robm.me.uk
Sun Oct 21 06:37:51 GMT 2007
Bob wrote:
> No, I think you misunderstood my post. The following IS a VALID
> e-mail address and will be accepted by the referenced e-mail validation:
>
> "Some bad SQL code here"@example.com
>
> If we allow the above VALID e-mail address, is it possible to include
> malicious SQL code? I don't know enough about SQL to know if escaping
> all content before accessing the DB will work in this case.
>
> Bob
>
Nope, it's fine. It's the same as posts; you can use all manner of
special characters and SQL statements in a post, but because the content
is escaped before being used in a DB query there's no way they'll affect
anything.
--
Rob Miller
http://robm.me.uk/
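The case Bob raises, worked through as an added example (this is not code from the thread or from WordPress itself): a syntactically valid address whose quoted local part carries SQL, looked up three ways in an in-memory SQLite table. The address, the users table and the simplified quoted-local-part validator are all constructed for this example, and the validator is an assumption standing in for whatever check the thread refers to.

```python
import re
import sqlite3

# Constructed for this example: an address whose quoted local part carries SQL.
# It is syntactically valid under RFC 5322, because a quoted-string local part
# may contain spaces, single quotes, '=' and '-'.
HOSTILE_EMAIL = "\"' OR 1=1 --\"@example.com"

# Constructed sample users table; "mallory" registered with the hostile address.
USERS = [
    ("alice@example.com", "alice"),
    ("bob@example.com", "bob"),
    (HOSTILE_EMAIL, "mallory"),
]

# Simplified RFC 5322 check for the quoted-local-part form only:
#   "qtext | quoted-pair | whitespace"@dot-atom-domain
# This is an assumption of the example, not the validator the thread mentions.
_QUOTED_LOCAL = re.compile(
    r'"(?:[\x21\x23-\x5b\x5d-\x7e]|\\[\x20-\x7e]|[ \t])*"'
    r'@[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?'
    r'(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)+'
)


def is_quoted_local_address(addr):
    """True when addr has the form "...quoted local part..."@domain."""
    return _QUOTED_LOCAL.fullmatch(addr) is not None


def make_db():
    """Build the sample table; the INSERT uses bound parameters, so the
    hostile address is stored verbatim as data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, login TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_unescaped(conn, email):
    """Vulnerable: the address is spliced into the SQL text. The single quote
    inside the quoted local part closes the literal, 'OR 1=1' widens the WHERE
    clause and '--' comments out the trailing quote."""
    sql = "SELECT login FROM users WHERE email = '" + email + "'"
    return sorted(row[0] for row in conn.execute(sql))


def sql_quote(value):
    """Standard SQL string-literal escaping: double every single quote and
    wrap in single quotes. This is the 'escape before use' the reply describes."""
    return "'" + value.replace("'", "''") + "'"


def lookup_escaped(conn, email):
    """Escaped: the quote can no longer end the literal, so the whole address
    is compared as one string."""
    sql = "SELECT login FROM users WHERE email = " + sql_quote(email)
    return sorted(row[0] for row in conn.execute(sql))


def lookup_bound(conn, email):
    """Preferred: a bound parameter never enters the SQL text at all."""
    rows = conn.execute("SELECT login FROM users WHERE email = ?", (email,))
    return sorted(row[0] for row in rows)


if __name__ == "__main__":
    db = make_db()
    print(is_quoted_local_address(HOSTILE_EMAIL))   # True: the address is valid
    print(lookup_unescaped(db, HOSTILE_EMAIL))      # ['alice', 'bob', 'mallory']: injected
    print(lookup_escaped(db, HOSTILE_EMAIL))        # ['mallory']: treated as data
    print(lookup_bound(db, HOSTILE_EMAIL))          # ['mallory']
```

The validity of the address and the safety of the query are independent questions: the unescaped lookup returns every user, while both the escaped and the bound lookup match only the account that actually registered with that address. Escaping works when it is applied on every path to the database; bound parameters remove the question entirely.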