Valid Email Addresses - XSS and SQL Injection
Posted
by PAAMAYIM_NEKUDOTAYIM
on Stack Overflow
See other posts from Stack Overflow
or by PAAMAYIM_NEKUDOTAYIM
Published on 2010-05-27T18:01:52Z
Indexed on
2010/05/27
18:31 UTC
Read the original article
Hit count: 253
Since there are so many valid characters for email addresses, are there any valid email addresses that can in themselves be XSS attacks or SQL injections? I couldn't find any information on this on the web.
The local-part of the e-mail address may use any of these ASCII characters:
- Uppercase and lowercase English letters (a–z, A–Z)
- Digits 0 to 9
- Characters ! # $ % & ' * + - / = ? ^ _ ` { | } ~
- Character . (dot, period, full stop) provided that it is not the last character, and provided also that it does not appear two or more times consecutively (e.g. [email protected]).
http://en.wikipedia.org/wiki/E-mail_address#RFC_specification
I'm not asking how to prevent these attacks (I'm already using parametrized queries and HTML purifier), this is more a proof-of-concept.
The first thing that came to mind was 'OR [email protected]
, except that spaces are not allowed. Do all SQL injections require spaces?
© Stack Overflow or respective owner