[wp-hackers] E-mail address and SQL injection

Rob Miller r at robm.me.uk
Sun Oct 21 06:37:51 GMT 2007


Bob wrote:
> No, I think you misunderstood my post.  The following IS a VALID 
> e-mail address and will be accepted by the referenced e-mail validation:
>
>  "Some bad SQL code here"@example.com
>
> If we allow the above VALID e-mail address, is it possible to include 
> malicious SQL code?  I don't know enough about SQL to know if escaping 
> all content before accessing the DB will work in this case.
>
> Bob
>

Nope, it's fine. It's the same as posts; you can use all manner of 
special characters and SQL statements in a post, but because the content 
is escaped before being used in a DB query there's no way they'll affect 
anything.

-- 
Rob Miller
http://robm.me.uk/
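The round-trip Rob describes, as an added example that is not part of the original thread: a parameterized insert (here Python's sqlite3 standing in for WordPress's PHP/MySQL, an assumption) stores the quoted-local-part address unchanged, while the string-built query it replaces breaks on an equally valid address that merely contains an apostrophe.

```python
import sqlite3

# Constructed sample addresses (assumptions, not from the thread): the
# quoted-local-part form Bob asked about, and a plain address containing an
# apostrophe, which is also valid and is the classic case that breaks
# naive string-built SQL.
SAMPLE_ADDRESSES = [
    '"Some bad SQL code here"@example.com',
    "o'brien@example.com",
]


def open_db():
    """In-memory SQLite stand-in for a users table (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL)")
    return conn


def store_email_unsafe(conn, email):
    """The 'before': the address is spliced into the query text, so quote
    characters inside it become part of the SQL syntax and a valid address
    with an apostrophe is enough to break the statement."""
    conn.execute("INSERT INTO users (email) VALUES ('" + email + "')")


def store_email(conn, email):
    """Parameterized insert: the address travels as a bound value, never as
    SQL text, so no character in it can change the statement's meaning."""
    conn.execute("INSERT INTO users (email) VALUES (?)", (email,))
    conn.commit()


def stored_emails(conn):
    return [row[0] for row in conn.execute("SELECT email FROM users ORDER BY id")]


def demo():
    """Store each sample both ways; return (unsafe_ok, safe_ok) per address,
    where ok means the address was stored and reads back byte-for-byte."""
    results = {}
    for email in SAMPLE_ADDRESSES:
        conn = open_db()
        try:
            store_email_unsafe(conn, email)
            unsafe_ok = stored_emails(conn) == [email]
        except sqlite3.Error:
            unsafe_ok = False
        conn = open_db()
        store_email(conn, email)
        results[email] = (unsafe_ok, stored_emails(conn) == [email])
    return results
```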
