[wp-hackers] E-mail address and SQL injection

Abel Cheung abelcheung at gmail.com
Wed Oct 24 20:08:07 GMT 2007


On 10/21/07, Rindisbacher Flurin <flurischt at gmail.com> wrote:
> > $wpdb->get_row("SELECT ID FROM $wpdb->users WHERE user_email='$author'
> > LIMIT 1");
> >
> > So this will be safe no matter what $author contains?
>
> This will be safe because in the line above $author is escaped.
> ($wpdb->escape())

Yes, safe if charset is iso-8859-1, ascii, utf-8 or other non-multibyte charset.
For multibyte charsets accepting backslash and single quote as the second
byte, it is quite possible to perform SQL injection as escape() solely relies
on addslashes() but not mysql_real_escape_string(), so inserting a character
where second byte is single quote may do it.

But I haven't done any real testing yet. Bob, you can try.

Abel


>
> Example:
>
> $author = " '; BAD SQL CODE; --";
> after escape() the ' will be \' and so on.
>
> Flurin
>
> Sorry if the answer should be obvious, as I said, I'm not an SQL weenie.
> >
> > Bob
> >
> >
> > ----- Original Message -----
> > From: "Computer Guru" <computerguru at neosmart.net>
> > To: <wp-hackers at lists.automattic.com>
> > Sent: Saturday, October 20, 2007 11:30 AM
> > Subject: RE: [wp-hackers] E-mail address and SQL injection
> >
> >
> > It should still work :)
> > It'll be just another nasty being POST'd to some location and prep'd for
> > db
> > storage.
> >
> > Computer Guru
> > NeoSmart Technologies
> > http://neosmart.net/
> >
> >
> > > -----Original Message-----
> > > From: wp-hackers-bounces at lists.automattic.com [mailto:wp-hackers-
> > > bounces at lists.automattic.com] On Behalf Of Bob
> > > Sent: Saturday, October 20, 2007 6:20 PM
> > > To: wp-hackers at lists.automattic.com
> > > Subject: Re: [wp-hackers] E-mail address and SQL injection
> > >
> > > No, I think you misunderstood my post.  The following IS a VALID e-mail
> > > address and will be accepted by the referenced e-mail validation:
> > >
> > >   "Some bad SQL code here"@example.com
> > >
> > > If we allow the above VALID e-mail address, is it possible to include
> > > malicious SQL code?  I don't know enough about SQL to know if escaping
> > > all
> > > content before accessing the DB will work in this case.
> > >
> > > Bob
> > >
> > >
> > > ----- Original Message -----
> > > From: "Computer Guru" <computerguru at neosmart.net>
> > > To: <wp-hackers at lists.automattic.com>
> > > Sent: Saturday, October 20, 2007 11:13 AM
> > > Subject: RE: [wp-hackers] E-mail address and SQL injection
> > >
> > >
> > > It shouldn't be a problem in the current code which escapes all content
> > > before accessing the DB.
> > >
> > > However, the whole point of that field is for a valid email address -
> > > so
> > > regardless of security implications or not, something that can't
> > > possibly be
> > > an email address shouldn't be accepted in the first place, IMHO....
> > >
> > > That's what the regex proposed in that ticket
> > > <http://iamcal.com/publish/articles/php/parsing_email/> is for.
> > >
> > > Computer Guru
> > > NeoSmart Technologies
> > > http://neosmart.net/
> > >
> > > > -----Original Message-----
> > > > From: wp-hackers-bounces at lists.automattic.com [mailto:wp-hackers-
> > > > bounces at lists.automattic.com] On Behalf Of Bob
> > > > Sent: Saturday, October 20, 2007 4:29 PM
> > > > To: wp-hackers
> > > > Subject: [wp-hackers] E-mail address and SQL injection
> > > >
> > > > WordPress is overly-restrictive on the e-mail addresses that it will
> > > > accept.
> > > > Ticket #4616 proposes that all valid e-mail addresses should be
> > > > accepted.
> > > > I'm concerned that one form of e-mail addresses may be a security
> > > > problem.
> > > >
> > > > Specifically, the following is a valid e-mail address:
> > > >
> > > >   "Put anything you want here"@example.com
> > > >
> > > > The quoted string before the @ can contain any characters, including
> > > > spaces
> > > > and other characters not otherwise accepted in an e-mail address.  My
> > > > concern is that SQL commands could be placed in the string to perform
> > > > an SQL
> > > > injection attack.
> > > >
> > > > Does anyone know if this is a possibility?  As part of #4616, I'm
> > > > tempted to
> > > > prohibit the above form of e-mail addresses unless someone knows for
> > > > certain
> > > > that it's safe.  (Note that those addresses are currently rejected.)
> > > >
> > > > Bob
> > > >
> > > > _______________________________________________
> > > > wp-hackers mailing list
> > > > wp-hackers at lists.automattic.com
> > > > http://lists.automattic.com/mailman/listinfo/wp-hackers
> > >
>


-- 
Abel Cheung   (GPG Key: 0xC67186FF)
Key fingerprint: 671C C7AE EFB5 110C D6D1  41EE 4152 E1F1 C671 86FF
--------------------------------------------------------------------
* My own cave: http://me.abelcheung.org/
* Opensource Application Knowledge Assoc. - http://oaka.org/
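The charset issue Abel raises above, as an added illustration that is not part of the thread: a byte-oriented addslashes()-style escape is simulated in Python, and the escaped bytes are then decoded in a few connection charsets to count how many quote characters the SQL parser would still see. The sample input (a GBK lead byte followed by a quote byte) and the helper names are constructed for this example; the charset-aware variant shows the property that mysql_real_escape_string() provides, and prepared statements remain the stronger fix.

```python
# Added example (not from the thread). Compares byte-wise escaping with
# charset-aware escaping for a constructed two-byte input.

def addslashes(data: bytes) -> bytes:
    """Byte-oriented escaping like PHP addslashes(): it knows no charset."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C, 0x00):   # ' " \ NUL
            out.append(0x5C)
        out.append(b)
    return bytes(out)

def unescaped_quotes(sql_bytes: bytes, charset: str) -> int:
    """Count single quotes a parser would still see after decoding the escaped
    bytes in the connection charset. A backslash that decodes as its own
    character protects exactly the next character."""
    text = sql_bytes.decode(charset, errors="replace")
    count, i = 0, 0
    while i < len(text):
        if text[i] == "\\":
            i += 2          # backslash consumes the following character
            continue
        if text[i] == "'":
            count += 1
        i += 1
    return count

def charset_aware_escape(data: bytes, charset: str) -> bytes:
    """Decode strictly in the connection charset before escaping, so a quote
    byte that cannot be a trail byte is rejected instead of surviving."""
    text = data.decode(charset)  # raises UnicodeDecodeError on a bad sequence
    escaped = (text.replace("\\", "\\\\")
                   .replace("'", "\\'")
                   .replace('"', '\\"'))
    return escaped.encode(charset)

# Constructed sample: 0xBF (a GBK lead byte) followed by 0x27 (single quote).
SAMPLE = b"\xbf'"

if __name__ == "__main__":
    naive = addslashes(SAMPLE)
    for cs in ("iso-8859-1", "utf-8", "gbk"):
        # single-byte and UTF-8 charsets: 0; GBK: the quote survives
        print(cs, unescaped_quotes(naive, cs))
```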

