[wp-hackers] E-mail address and SQL injection

Bob wp-hackers at nj-arp.org
Sat Oct 20 13:29:26 GMT 2007

WordPress is overly-restrictive on the e-mail addresses that it will accept.
Ticket #4616 proposes that all valid e-mail addresses should be accepted.
I'm concerned that one form of e-mail addresses may be a security problem.

Specifically, the following is a valid e-mail address:

  "Put anything you want here"@example.com

The quoted string before the @ can contain any characters, including spaces
and other characters not otherwise accepted in an e-mail address.  My
concern is that SQL commands could be placed in the string to perform an SQL
injection attack.

Does anyone know if this is a possibility?  As part of #4616, I'm tempted to
prohibit the above form of e-mail addresses unless someone knows for certain
that it's safe.  (Note that those addresses are currently rejected.)


More information about the wp-hackers mailing list