15

Since there are so many valid characters for email addresses, are there any valid email addresses that can in themselves be XSS attacks or SQL injections? I couldn't find any information on this on the web.

The local-part of the e-mail address may use any of these ASCII characters:

  • Uppercase and lowercase English letters (a–z, A–Z)
  • Digits 0 to 9
  • Characters ! # $ % & ' * + - / = ? ^ _ ` { | } ~
  • Character . (dot, period, full stop) provided that it is not the last character, and provided also that it does not appear two or more times consecutively (e.g. John..Doe@example.com).

http://en.wikipedia.org/wiki/E-mail_address#RFC_specification

I'm not asking how to prevent these attacks (I'm already using parametrized queries and escaping/HTML purifier); this is more of a proof-of-concept.

The first thing that came to mind was 'OR 1=1--@gmail.com, except that spaces are not allowed. Do all SQL injections require spaces?

Joel Coehoorn
  • 399,467
  • 113
  • 570
  • 794
Lotus Notes
  • 6,302
  • 7
  • 32
  • 47

2 Answers

17

Spaces are allowed if they are enclosed in quotes, however, so "'OR 1=1--"@gmail.com is a valid e-mail address. Also, it's probably less of a concern, but technically speaking, these are both valid e-mail addresses:

' BAD SQL STUFF -- <fake@ryanbrunner.com>
fake@ryanbrunner.com (' BAD SQL STUFF --)

Even if this weren't possible, there's still no reason that you shouldn't be using parameterized queries and encoding all user-inputted data displayed to users.

Ryan Brunner
  • 14,723
  • 1
  • 36
  • 52
  • Can use http://isemail.info/ to check for any email address you like, or otherwise just test with a filter on injectable email addresses via some php function like filter validate email. Based on isemail.info, the first address is invalid, and the second address is "Address is valid within the message but cannot be used unmodified for the envelope" – Kzqai Apr 26 '12 at 23:11
  • Not only are there no reasons not to use parameterized queries, there are *additional reasons* beyond just security to use them. Although uncommon in emails, I've found that there are a ton of legit user-submitted data that contains quotes or other encapsulating characters typically used in injection attacks, that will generate an error or failed query with a non-parameterized query. The only time I ever use a non-parameterized query is if the data itself is restricted to the appropriate types, like integers, or rarely a strictly alphanumeric string. – cazort Nov 22 '21 at 19:59
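To see the answer's point in working code: the following is an added example, not code from the question or either answerer. It implements the character rules the question quotes (dot-atom local part, plus the quoted-string form the answer relies on), then stores and looks up the quoted "'OR 1=1--"@gmail.com address through bound parameters and escapes it for HTML output. The regex is deliberately narrow (assumption: hostname-style domains only, no [1.2.3.4] address literals, no comments/CFWS, no internationalized addresses), and all sample addresses are constructed for the demo; the display-name and comment forms from the answer are rejected because they are not bare addr-specs, which matches the isemail.info result quoted in the comments.

```python
import html
import re
import sqlite3

# Unquoted ("dot-atom") local part: the characters the question lists from the
# RFC, with dots allowed only between runs of them, so no leading, trailing or
# consecutive dots. The hyphen is placed last so it is not read as a range.
ATEXT = r"A-Za-z0-9!#$%&'*+/=?^_`{|}~-"
DOT_ATOM = rf"[{ATEXT}]+(?:\.[{ATEXT}]+)*"
# Quoted-string local part: printable text, spaces included, between double
# quotes; a backslash escapes the next character.
QUOTED_STRING = r'"(?:[^"\\\r\n]|\\.)*"'
# Hostname-style domain only (assumption: no address literals, no CFWS,
# no internationalized addresses).
DOMAIN = r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}"
ADDR_SPEC = re.compile(rf"(?P<local>{DOT_ATOM}|{QUOTED_STRING})@(?P<domain>{DOMAIN})")


def parse_addr_spec(addr):
    """Return (local_part, domain) for a syntactically valid addr-spec, else None.

    Length limits follow the usual 64-octet local part / 254-octet address rules.
    """
    if len(addr) > 254:
        return None
    m = ADDR_SPEC.fullmatch(addr)
    if m is None or len(m.group("local")) > 64:
        return None
    return m.group("local"), m.group("domain")


# Constructed sample input: the addresses discussed on the page.
PAYLOAD = '"\'OR 1=1--"@gmail.com'  # quoted local part: syntactically valid
SAMPLES = [
    "john.doe@example.com",
    PAYLOAD,
    "'OR 1=1--@gmail.com",  # unquoted space: invalid, as the question noticed
    "John..Doe@example.com",  # consecutive dots: invalid
    "' BAD SQL STUFF -- <fake@ryanbrunner.com>",  # display-name form, not an addr-spec
    "fake@ryanbrunner.com (' BAD SQL STUFF --)",  # CFWS comment, not accepted here
]


def store_addresses(con, addresses):
    """Insert each syntactically valid address with a bound parameter; return the count."""
    inserted = 0
    for addr in addresses:
        if parse_addr_spec(addr) is None:
            continue  # format check: reject before storage, but it is not the SQL defense
        # The driver sends the value separately from the SQL text, so the quote
        # and "--" inside the local part are stored as inert characters.
        con.execute("INSERT INTO users (email) VALUES (?)", (addr,))
        inserted += 1
    return inserted


def find_by_email(con, email):
    """Exact-match lookup with a bound parameter; returns the matching ids."""
    return [row[0] for row in con.execute("SELECT id FROM users WHERE email = ?", (email,))]


def render_cell(email):
    """Escape before interpolating into HTML so <, >, & and quotes cannot form markup."""
    return f"<td>{html.escape(email, quote=True)}</td>"


def demo():
    """Run the whole flow in an in-memory SQLite database and return what happened."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL)")
    inserted = store_addresses(con, SAMPLES)
    # The payload address matches exactly one row; "OR 1=1" never reached the parser.
    hits = find_by_email(con, PAYLOAD)
    stored = [row[0] for row in con.execute("SELECT email FROM users ORDER BY id")]
    con.close()
    return {"inserted": inserted, "hits": hits, "stored": stored}


if __name__ == "__main__":
    result = demo()
    print(result)
    for addr in result["stored"]:
        print(render_cell(addr))
```

The format check only decides whether the string is shaped like an address; the injection defense is the placeholder binding in store_addresses and find_by_email, and the XSS defense is html.escape at output time. A valid address with SQL metacharacters in a quoted local part is therefore stored, matched and displayed literally, which is exactly the outcome the answer argues for.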
-7
/^[a-z0-9._+-]+@[a-z0-9.-]+$/i

I think that matches like 99.9999% of all email addresses ;)

Toby
  • 2,720
  • 5
  • 29
  • 46
  • btw, that's only to verify that the text is not packed with xss/sql injections etc. - it's not a way to validate an email address. – Toby May 27 '10 at 18:29
  • @RaviMattar usually it happens when you don't explain enough and it looks too easy; then people will downvote :) – Toby Apr 18 '22 at 19:35