[wp-hackers] E-mail address and SQL injection

Bob wp-hackers at nj-arp.org
Sat Oct 20 15:42:01 GMT 2007


wp-mail.php takes the From address in the e-mail headers and does the 
following:

$wpdb->get_row("SELECT ID FROM $wpdb->users WHERE user_email='$author' LIMIT 1");

So this will be safe no matter what $author contains?

Sorry if the answer should be obvious, as I said, I'm not an SQL weenie.

Bob


----- Original Message ----- 
From: "Computer Guru" <computerguru at neosmart.net>
To: <wp-hackers at lists.automattic.com>
Sent: Saturday, October 20, 2007 11:30 AM
Subject: RE: [wp-hackers] E-mail address and SQL injection


It should still work :)
It'll be just another nasty being POST'd to some location and prep'd for db 
storage.

Computer Guru
NeoSmart Technologies
http://neosmart.net/


> -----Original Message-----
> From: wp-hackers-bounces at lists.automattic.com [mailto:wp-hackers-
> bounces at lists.automattic.com] On Behalf Of Bob
> Sent: Saturday, October 20, 2007 6:20 PM
> To: wp-hackers at lists.automattic.com
> Subject: Re: [wp-hackers] E-mail address and SQL injection
>
> No, I think you misunderstood my post.  The following IS a VALID e-mail
> address and will be accepted by the referenced e-mail validation:
>
>   "Some bad SQL code here"@example.com
>
> If we allow the above VALID e-mail address, is it possible to include
> malicious SQL code?  I don't know enough about SQL to know if escaping
> all
> content before accessing the DB will work in this case.
>
> Bob
>
>
> ----- Original Message -----
> From: "Computer Guru" <computerguru at neosmart.net>
> To: <wp-hackers at lists.automattic.com>
> Sent: Saturday, October 20, 2007 11:13 AM
> Subject: RE: [wp-hackers] E-mail address and SQL injection
>
>
> It shouldn't be a problem in the current code which escapes all content
> before accessing the DB.
>
> However, the whole point of that field is for a valid email address -
> so
> regardless of security implications or not, something that can't
> possibly be
> an email address shouldn't be accepted in the first place, IMHO....
>
> That's what the regex proposed in that ticket
> <http://iamcal.com/publish/articles/php/parsing_email/> is for.
>
> Computer Guru
> NeoSmart Technologies
> http://neosmart.net/
>
> > -----Original Message-----
> > From: wp-hackers-bounces at lists.automattic.com [mailto:wp-hackers-
> > bounces at lists.automattic.com] On Behalf Of Bob
> > Sent: Saturday, October 20, 2007 4:29 PM
> > To: wp-hackers
> > Subject: [wp-hackers] E-mail address and SQL injection
> >
> > WordPress is overly-restrictive on the e-mail addresses that it will
> > accept.
> > Ticket #4616 proposes that all valid e-mail addresses should be
> > accepted.
> > I'm concerned that one form of e-mail addresses may be a security
> > problem.
> >
> > Specifically, the following is a valid e-mail address:
> >
> >   "Put anything you want here"@example.com
> >
> > The quoted string before the @ can contain any characters, including
> > spaces
> > and other characters not otherwise accepted in an e-mail address.  My
> > concern is that SQL commands could be placed in the string to perform
> > an SQL
> > injection attack.
> >
> > Does anyone know if this is a possibility?  As part of #4616, I'm
> > tempted to
> > prohibit the above form of e-mail addresses unless someone knows for
> > certain
> > that it's safe.  (Note that those addresses are currently rejected.)
> >
> > Bob
> >
> > _______________________________________________
> > wp-hackers mailing list
> > wp-hackers at lists.automattic.com
> > http://lists.automattic.com/mailman/listinfo/wp-hackers
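An added example, not code from the thread or from WordPress, that runs the wp-mail.php lookup above against an in-memory SQLite table three ways: with the From address pasted straight into the SQL text, with the single quote escaped by doubling it (the standard SQL escape; MySQL also accepts the backslash escaping that addslashes-style code produces, which SQLite does not, so quote-doubling stands in for it here), and with a bound parameter. The table contents, the quoted-local-part addresses and the function names are constructed for this example.

```python
import sqlite3

# Constructed sample users (not from the thread). The third one has an
# RFC-style quoted local part, the address form the thread is debating.
QUOTED_LOCAL_PART = '"Some bad SQL code here"@example.com'
USERS = [
    (1, "alice@example.com"),
    (2, "bob@example.com"),
    (3, QUOTED_LOCAL_PART),
]

# A syntactically valid address whose quoted local part carries an SQL
# payload: the quote closes the string literal, OR 1=1 matches every row,
# and "--" comments out the rest of the statement.
MALICIOUS_FROM = '"\' OR 1=1 -- "@example.com'


def make_db():
    """Fresh in-memory table mirroring the columns the query touches."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (ID INTEGER PRIMARY KEY, user_email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_unescaped(conn, author):
    """The dangerous form: the From address is interpolated into the SQL text
    with no escaping at all, so the payload becomes part of the statement."""
    sql = f"SELECT ID FROM users WHERE user_email='{author}' LIMIT 1"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def escape_quote(value):
    """Hypothetical stand-in for the database layer's escaping: double every
    single quote so it can no longer terminate the string literal."""
    return value.replace("'", "''")


def lookup_escaped(conn, author):
    """Same interpolated query, but the address is escaped first, so the
    quotes inside the local part stay inside the string literal."""
    sql = f"SELECT ID FROM users WHERE user_email='{escape_quote(author)}' LIMIT 1"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_parameterized(conn, author):
    """Preferred form: the address never touches the SQL text; the driver
    passes it to the engine as data, whatever characters it contains."""
    row = conn.execute(
        "SELECT ID FROM users WHERE user_email=? LIMIT 1", (author,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("unescaped, malicious :", lookup_unescaped(db, MALICIOUS_FROM))
    print("escaped, malicious   :", lookup_escaped(db, MALICIOUS_FROM))
    print("bound, malicious     :", lookup_parameterized(db, MALICIOUS_FROM))
    print("bound, quoted local  :", lookup_parameterized(db, QUOTED_LOCAL_PART))
```

Run stand-alone, the unescaped lookup returns user 1 for an address that belongs to nobody, while the escaped and parameterized lookups return nothing for it and still find user 3 by its quoted-local-part address: the quotes and spaces a valid address may contain are harmless as long as they are escaped or bound, and dangerous only when pasted into the query text raw.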