tags:

views:

96

answers:

2
+3  Q: 

Valid Email Addresses - XSS and SQL Injection

Since there are so many valid characters for email addresses, are there any valid email addresses that can in themselves be XSS attacks or SQL injections? I couldn't find any information on this on the web.

The local-part of the e-mail address may use any of these ASCII characters:

  • Uppercase and lowercase English letters (a–z, A–Z)
  • Digits 0 to 9
  • Characters ! # $ % & ' * + - / = ? ^ _ ` { | } ~
  • Character . (dot, period, full stop) provided that it is not the last character, and provided also that it does not appear two or more times consecutively (e.g. [email protected]).

http://en.wikipedia.org/wiki/E-mail_address#RFC_specification

I'm not asking how to prevent these attacks (I'm already using parametrized queries and escaping/HTML purifier), this is more a proof-of-concept.

The first thing that came to mind was 'OR [email protected], except that spaces are not allowed. Do all SQL injections require spaces?

A:  
/^[a-z0-9.-_+]@[a-z0-9.-]$/i

i think that matches like 99.9999% of all emails addresses ;)

Tobias  2010-05-27 18:28:26
btw. thats only to verify if the text is not packed with xss/sql injections etc. - its not a way to validate an email address.
Tobias  2010-05-27 18:29:18
+4  A: 

Spaces are allowed if they are enclosed in quotes, however, so "'OR 1=1--"@gmail.com is a valid e-mail address. Also, it's probably less of a concern, but technically speaking, these are both valid e-mail addresses:

' BAD SQL STUFF -- <[email protected]>
[email protected] (' BAD SQL STUFF --)

Even if this wasn't possible, there's still no reason that you shouldn't be using paramaterized queries and encoding all user-inputted data displayed to users.

Ryan Brunner  2010-05-27 18:32:53

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases