views:

96

answers:

2

Since there are so many valid characters for email addresses, are there any valid email addresses that can in themselves be XSS attacks or SQL injections? I couldn't find any information on this on the web.

The local-part of the e-mail address may use any of these ASCII characters:

  • Uppercase and lowercase English letters (a–z, A–Z)
  • Digits 0 to 9
  • Characters ! # $ % & ' * + - / = ? ^ _ ` { | } ~
  • Character . (dot, period, full stop) provided that it is not the last character, and provided also that it does not appear two or more times consecutively (e.g. [email protected]).

http://en.wikipedia.org/wiki/E-mail_address#RFC_specification

I'm not asking how to prevent these attacks (I'm already using parametrized queries and escaping/HTML purifier), this is more a proof-of-concept.

The first thing that came to mind was 'OR [email protected], except that spaces are not allowed. Do all SQL injections require spaces?

A: 
/^[a-z0-9.-_+]@[a-z0-9.-]$/i

i think that matches like 99.9999% of all emails addresses ;)

Tobias
btw. thats only to verify if the text is not packed with xss/sql injections etc. - its not a way to validate an email address.
Tobias
+4  A: 

Spaces are allowed if they are enclosed in quotes, however, so "'OR 1=1--"@gmail.com is a valid e-mail address. Also, it's probably less of a concern, but technically speaking, these are both valid e-mail addresses:

' BAD SQL STUFF -- <[email protected]>
[email protected] (' BAD SQL STUFF --)

Even if this wasn't possible, there's still no reason that you shouldn't be using paramaterized queries and encoding all user-inputted data displayed to users.

Ryan Brunner