[wp-hackers] E-mail address and SQL injection

Computer Guru computerguru at neosmart.net
Sat Oct 20 15:13:53 GMT 2007


It shouldn't be a problem in the current code which escapes all content before accessing the DB.

However, the whole point of that field is for a valid email address - so regardless of security implications or not, something that can't possibly be an email address shouldn't be accepted in the first place, IMHO.... 

That's what the regex proposed in that ticket <http://iamcal.com/publish/articles/php/parsing_email/> is for.

Computer Guru
NeoSmart Technologies
http://neosmart.net/

> -----Original Message-----
> From: wp-hackers-bounces at lists.automattic.com [mailto:wp-hackers-bounces at lists.automattic.com] On Behalf Of Bob
> Sent: Saturday, October 20, 2007 4:29 PM
> To: wp-hackers
> Subject: [wp-hackers] E-mail address and SQL injection
> 
> WordPress is overly-restrictive on the e-mail addresses that it will accept.
> Ticket #4616 proposes that all valid e-mail addresses should be accepted.
> I'm concerned that one form of e-mail addresses may be a security problem.
> 
> Specifically, the following is a valid e-mail address:
> 
>   "Put anything you want here"@example.com
> 
> The quoted string before the @ can contain any characters, including spaces and other characters not otherwise accepted in an e-mail address. My concern is that SQL commands could be placed in the string to perform an SQL injection attack.
> 
> Does anyone know if this is a possibility? As part of #4616, I'm tempted to prohibit the above form of e-mail addresses unless someone knows for certain that it's safe. (Note that those addresses are currently rejected.)
> 
> Bob
> 
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
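The two points made in this thread, as an added Python example that is not part of the list post and not WordPress's own code: a syntactic e-mail check that accepts a quoted local part (so validation alone does not decide the SQL question), a lookup that splices the address into the SQL text, the same lookup with the string literal escaped first (the reply's "escapes all content before accessing the DB"), and a parameterized lookup. The regex, the escape helper, the sqlite table and the sample addresses are constructed assumptions, not the regex from the ticket.

```python
import re
import sqlite3

# Constructed sample addresses (not taken from the thread). HOSTILE has a quoted
# local part, which RFC 5322 permits, containing SQL metacharacters.
PLAIN = "bob@example.com"
QUOTED = '"Put anything you want here"@example.com'
HOSTILE = '"\' OR 1=1 --"@example.com'

# Illustrative validator (an assumption, not the ticket's regex): the local part
# is a dot-atom or a quoted string, the domain is a sequence of dotted labels.
_ATOM = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
_LOCAL_DOT_ATOM = rf"{_ATOM}(?:\.{_ATOM})*"
_LOCAL_QUOTED = r'"(?:[^"\\\r\n]|\\.)*"'
_DOMAIN = r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}"
EMAIL_RE = re.compile(rf"^(?:{_LOCAL_DOT_ATOM}|{_LOCAL_QUOTED})@{_DOMAIN}$")


def is_valid_email(addr: str) -> bool:
    """Syntactic check only; it says nothing about whether addr is safe in SQL."""
    return EMAIL_RE.fullmatch(addr) is not None


def _demo_db() -> sqlite3.Connection:
    """Fresh in-memory table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (email) VALUES (?)",
                     [("admin@example.com",), ("editor@example.com",)])
    conn.commit()
    return conn


def count_concatenated(addr: str) -> int:
    """Vulnerable lookup: the address is spliced verbatim into the SQL text, so a
    quote inside the quoted local part terminates the literal early."""
    conn = _demo_db()
    sql = "SELECT COUNT(*) FROM users WHERE email = '" + addr + "'"
    return conn.execute(sql).fetchone()[0]


def _escape_literal(value: str) -> str:
    """Double single quotes, the SQL-standard escape for a string literal.
    Assumption: a stand-in for 'escape before the DB', not WordPress's code."""
    return value.replace("'", "''")


def count_escaped(addr: str) -> int:
    """Same concatenation, but the value is escaped first, so the quote in the
    local part stays inside the literal."""
    conn = _demo_db()
    sql = "SELECT COUNT(*) FROM users WHERE email = '" + _escape_literal(addr) + "'"
    return conn.execute(sql).fetchone()[0]


def count_parameterized(addr: str) -> int:
    """Preferred form: the driver sends the value separately from the SQL text."""
    conn = _demo_db()
    return conn.execute("SELECT COUNT(*) FROM users WHERE email = ?",
                        (addr,)).fetchone()[0]


def store_and_fetch(addr: str) -> str:
    """Round-trip a quoted-local-part address through parameterized statements;
    the stored value is byte-for-byte the input."""
    conn = _demo_db()
    conn.execute("INSERT INTO users (email) VALUES (?)", (addr,))
    return conn.execute("SELECT email FROM users WHERE email = ?",
                        (addr,)).fetchone()[0]


if __name__ == "__main__":
    for addr in (PLAIN, QUOTED, HOSTILE):
        print(f"{addr!r}: valid={is_valid_email(addr)} "
              f"concat={count_concatenated(addr)} escaped={count_escaped(addr)} "
              f"param={count_parameterized(addr)}")
```

The table has two rows and none of the sample addresses is in it, so every lookup should report 0 matches. Only the concatenated form reports 2 for HOSTILE, because its local part closes the literal and appends `OR 1=1`; escaping or parameterizing keeps the count at 0 while still accepting the address, which is the separation the reply draws between the validation question and the SQL question.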


