6
$str = '"mynam@blabl"@domanin.com';

filter_var($str, FILTER_VALIDATE_EMAIL);//return valid email.

the above email returns true... Fair enough that RFC 2822 says it's a legal email address.

my question is if you validate an email using the above could an email carry sql injections that can harm the db even though you have filtered it with filter_var?

Pekka
  • 442,112
  • 142
  • 972
  • 1,088
Val
  • 17,336
  • 23
  • 95
  • 144

5 Answers5

5

my question is if you validate an email using the above could an email carry sql injections that can harm the db even though you have filtered it with filter_var?

filter_var is not a replacement for database specific sanitation like mysql_real_escape_string()! One needs to always apply that, too.

Pekka
  • 442,112
  • 142
  • 972
  • 1,088
  • Are there examples of XSS or SQL Injection that would validate as a valid email address under that filter? (Asking out of academic curiousity; there's obviously no reason not to use `mysql_real_escape_string()` or a similar escaping function.). – Yahel Nov 11 '10 at 13:29
  • "1=1"@domain.com could be one. But not too sure. – Val Nov 11 '10 at 13:34
  • 1
    @yc Good question! I can't think of one off the top of my head, but the danger is great that it's possible using some clever combination. – Pekka Nov 11 '10 at 14:00
2

Yes - do not rely on anything besides the database specific escaping mechanism for safety from SQL injection.

Always use mysql_real_escape_string() on it before using it in SQL.

alex
  • 479,566
  • 201
  • 878
  • 984
1

I tend to use FILTER_VALIDATE_EMAIL to check if the email is valid and then further down the line if the email needs to be saved into a database I would then strip out the dangerous characters. The mysql and mysqli libraries are pretty much dead in the water too so I would suggest using PDO which is a much safer option.

http://wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers

Also, the link below advises what characters are legal in an email address, backticks and single quotes are allowed in email address, hence probably why FILTER_VALIDATE_EMAIL does not pick them up...remember we're looking for invalid email addresses not dangerous email addresses.

Like anything when it comes to any programming language you should always keep security at the top of the list!

http://email.about.com/cs/standards/a/email_addresses.htm

getupkid84
  • 11
  • 1
1

Also, it's not safe anyway. _VALIDATE_EMAIL allows single quotes ' and the backtick ` in it. (But cleansing functions should never be relied on, always context escape or use parameterized SQL.)

mario
  • 144,265
  • 20
  • 237
  • 291
1

Never use VALIDATE, maybe you can use SANITILIZE but I don't recommend it anyway.

Consider this code:

$email = filter_var($_GET['email'], FILTER_VALIDATE_EMAIL);
$query = mysqli_query($sql, 'SELECT * FROM table WHERE email = "'.$email.'"');

The basic SQL Injection is " or 1 = 1, you have already heard about it. But we can't use espaces and we need to end this string with something like @something.com.

So, we start with " and add or'1'='1' this will work (because or1=1 will fail). Now we need the @email.com, let's add it as a MySQL comment (--@something.com). So, this is the result:

"or'1'='1'--"@email.com

Test it.

This is valid email for filter_var and unsafe for mysqli_query.

Inkeliz
  • 892
  • 1
  • 13
  • 25