[wp-hackers] E-mail address and SQL injection

Rindisbacher Flurin flurischt at gmail.com
Sat Oct 20 16:31:32 GMT 2007


On 10/20/07, Bob <wp-hackers at nj-arp.org> wrote:
>
> wp-mail.php takes the From address in the e-mail headers and does the
> following:
>
> $wpdb->get_row("SELECT ID FROM $wpdb->users WHERE user_email='$author' LIMIT 1");
>
> So this will be safe no matter what $author contains?


This will be safe because in the line above $author is escaped.
($wpdb->escape())

Example:

$author = " '; BAD SQL CODE; --";
after escape() the ' will be \' and so on.

Flurin

> Sorry if the answer should be obvious, as I said, I'm not an SQL weenie.
>
> Bob
>
>
> ----- Original Message -----
> From: "Computer Guru" <computerguru at neosmart.net>
> To: <wp-hackers at lists.automattic.com>
> Sent: Saturday, October 20, 2007 11:30 AM
> Subject: RE: [wp-hackers] E-mail address and SQL injection
>
>
> It should still work :)
> It'll be just another nasty being POST'd to some location and prep'd for db
> storage.
>
> Computer Guru
> NeoSmart Technologies
> http://neosmart.net/
>
>
> > -----Original Message-----
> > From: wp-hackers-bounces at lists.automattic.com [mailto:wp-hackers-
> > bounces at lists.automattic.com] On Behalf Of Bob
> > Sent: Saturday, October 20, 2007 6:20 PM
> > To: wp-hackers at lists.automattic.com
> > Subject: Re: [wp-hackers] E-mail address and SQL injection
> >
> > No, I think you misunderstood my post.  The following IS a VALID e-mail
> > address and will be accepted by the referenced e-mail validation:
> >
> >   "Some bad SQL code here"@example.com
> >
> > If we allow the above VALID e-mail address, is it possible to include
> > malicious SQL code?  I don't know enough about SQL to know if escaping all
> > content before accessing the DB will work in this case.
> >
> > Bob
> >
> >
> > ----- Original Message -----
> > From: "Computer Guru" <computerguru at neosmart.net>
> > To: <wp-hackers at lists.automattic.com>
> > Sent: Saturday, October 20, 2007 11:13 AM
> > Subject: RE: [wp-hackers] E-mail address and SQL injection
> >
> >
> > It shouldn't be a problem in the current code which escapes all content
> > before accessing the DB.
> >
> > However, the whole point of that field is for a valid email address - so
> > regardless of security implications or not, something that can't possibly be
> > an email address shouldn't be accepted in the first place, IMHO....
> >
> > That's what the regex proposed in that ticket
> > <http://iamcal.com/publish/articles/php/parsing_email/> is for.
> >
> > Computer Guru
> > NeoSmart Technologies
> > http://neosmart.net/
> >
> > > -----Original Message-----
> > > From: wp-hackers-bounces at lists.automattic.com [mailto:wp-hackers-
> > > bounces at lists.automattic.com] On Behalf Of Bob
> > > Sent: Saturday, October 20, 2007 4:29 PM
> > > To: wp-hackers
> > > Subject: [wp-hackers] E-mail address and SQL injection
> > >
> > > WordPress is overly-restrictive on the e-mail addresses that it will accept.
> > > Ticket #4616 proposes that all valid e-mail addresses should be accepted.
> > > I'm concerned that one form of e-mail addresses may be a security problem.
> > >
> > > Specifically, the following is a valid e-mail address:
> > >
> > >   "Put anything you want here"@example.com
> > >
> > > The quoted string before the @ can contain any characters, including spaces
> > > and other characters not otherwise accepted in an e-mail address.  My
> > > concern is that SQL commands could be placed in the string to perform an SQL
> > > injection attack.
> > >
> > > Does anyone know if this is a possibility?  As part of #4616, I'm tempted to
> > > prohibit the above form of e-mail addresses unless someone knows for certain
> > > that it's safe.  (Note that those addresses are currently rejected.)
> > >
> > > Bob
> > >
> > > _______________________________________________
> > > wp-hackers mailing list
> > > wp-hackers at lists.automattic.com
> > > http://lists.automattic.com/mailman/listinfo/wp-hackers
> >

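A Python/sqlite3 analogue of the lookup discussed in this thread, added here as an example (it is not WordPress code): it accepts the quoted-local-part address form Bob asks about, shows the query shape with and without escaping, and performs the lookup with a bound parameter, the sqlite3 counterpart of $wpdb->prepare(). The validator regexes and escape_like_wpdb() are simplified stand-ins constructed for this example, not the ticket's regex or the real $wpdb->escape() source.

```python
import re
import sqlite3

# Loose validator constructed for this example (not the regex from the ticket).
# It accepts a dotted local part or an RFC-style quoted local part, which may
# hold spaces, quotes and semicolons, i.e. text that looks like SQL.
DOTTED = re.compile(r'^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$')
QUOTED = re.compile(r'^"(?:[^"\\]|\\.)*"@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$')

def is_valid_email(addr):
    return bool(DOTTED.match(addr) or QUOTED.match(addr))

def escape_like_wpdb(value):
    # Simplified emulation of MySQL-style escaping (not the real $wpdb->escape()
    # source): backslash and single quote get a backslash prefix, so the value
    # can no longer close the '...' literal it is spliced into.
    return value.replace("\\", "\\\\").replace("'", "\\'")

def naive_sql(author):
    # The query shape from the thread with NO escaping: a quote inside the
    # address ends the string literal early and the rest is parsed as SQL.
    return f"SELECT ID FROM users WHERE user_email='{author}' LIMIT 1"

def escaped_sql(author):
    # Same query after escape(): the whole address stays inside the literal.
    return f"SELECT ID FROM users WHERE user_email='{escape_like_wpdb(author)}' LIMIT 1"

def make_db():
    # Constructed in-memory stand-in for wp_users with one quoted-local-part user.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (ID INTEGER PRIMARY KEY, user_email TEXT)")
    db.executemany("INSERT INTO users (user_email) VALUES (?)",
                   [("bob@example.com",), ('"Some bad SQL code here"@example.com',)])
    return db

def lookup_user_id(db, author):
    # Hardened lookup: validate first, then bind the address as a parameter so
    # the driver sends it as data; sqlite3 uses '?' where $wpdb->prepare uses %s.
    if not is_valid_email(author):
        return None
    row = db.execute("SELECT ID FROM users WHERE user_email=? LIMIT 1",
                     (author,)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    for addr in ('"Some bad SQL code here"@example.com', "\"'; BAD SQL CODE; --\"@example.com"):
        print(is_valid_email(addr), lookup_user_id(db, addr))
        print(naive_sql(addr), "\n", escaped_sql(addr))
```

The quoted-local-part address with a single quote in it is a valid address, yet with binding (or correct escaping) it is only ever compared as a literal string and matches no row.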
