[wp-hackers] E-mail address and SQL injection
computerguru at neosmart.net
Sat Oct 20 15:13:53 GMT 2007
It shouldn't be a problem in the current code which escapes all content before accessing the DB.
However, the whole point of that field is for a valid email address - so regardless of security implications or not, something that can't possibly be an email address shouldn't be accepted in the first place, IMHO....
That's what the regex proposed in that ticket <http://iamcal.com/publish/articles/php/parsing_email/> is for.
> -----Original Message-----
> From: wp-hackers-bounces at lists.automattic.com [mailto:wp-hackers-
> bounces at lists.automattic.com] On Behalf Of Bob
> Sent: Saturday, October 20, 2007 4:29 PM
> To: wp-hackers
> Subject: [wp-hackers] E-mail address and SQL injection
> WordPress is overly-restrictive on the e-mail addresses that it will
> Ticket #4616 proposes that all valid e-mail addresses should be
> I'm concerned that one form of e-mail addresses may be a security
> Specifically, the following is a valid e-mail address:
> "Put anything you want here"@example.com
> The quoted string before the @ can contain any characters, including
> and other characters not otherwise accepted in an e-mail address. My
> concern is that SQL commands could be placed in the string to perform
> an SQL
> injection attack.
> Does anyone know if this is a possibility? As part of #4616, I'm
> tempted to
> prohibit the above form of e-mail addresses unless someone knows for
> that it's safe. (Note that those addresses are currently rejected.)
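To make the reply's point concrete, here is an added example (not code from this thread or from WordPress): a small validator that accepts the quoted-string local-part form from the original post, and a parameterized insert showing that such an address reaches the database as a bound value, not as SQL text. The local-part and domain grammar is a simplified RFC 5321 subset assumed here, and the sample addresses are constructed.

```python
import re
import sqlite3

# Constructed samples: the quoted form from the thread, one whose quoted
# string holds a single quote and a semicolon, a plain address, and junk.
SAMPLES = [
    '"Put anything you want here"@example.com',
    '"o\'reilly; -- comment"@example.com',
    'plain.user@example.com',
    'not an address',
]

# Assumed simplified grammar: local part is a dot-atom or a quoted string
# (qtext or backslash-escaped pair, no comments or folding whitespace);
# domain is a dotted sequence of labels with an alphabetic top level.
DOT_ATOM = (r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
            r"(?:\.[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+)*")
QUOTED = r'"(?:[^"\\\r\n]|\\.)*"'
DOMAIN = r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}"
ADDRESS_RE = re.compile(rf"(?:{DOT_ATOM}|{QUOTED})@{DOMAIN}")


def is_valid_address(addr: str) -> bool:
    """Accept dot-atom and quoted-string local parts, reject everything else."""
    return ADDRESS_RE.fullmatch(addr) is not None


def store_and_read_back(addr: str) -> str:
    """Insert the address with a bound parameter and return the stored value.

    The address travels as a value, never as part of the statement text,
    so quotes or semicolons inside the quoted local part cannot alter the
    query; the row holds exactly the string that was submitted.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)")
    conn.execute("INSERT INTO users (email) VALUES (?)", (addr,))
    stored = conn.execute("SELECT email FROM users").fetchone()[0]
    conn.close()
    return stored


def check_samples() -> dict:
    """Validation verdict per sample, plus the stored value for valid ones."""
    results = {}
    for addr in SAMPLES:
        valid = is_valid_address(addr)
        results[addr] = (valid, store_and_read_back(addr) if valid else None)
    return results
```

Validation and escaping remain separate concerns here: the validator decides what the field may contain, and parameter binding keeps whatever is accepted from being interpreted as SQL.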