Does FILTER_VALIDATE_EMAIL make a string safe for insertion in database?
<?php
$str = '"mynam@blabl"@domanin.com';

// returns the string itself (not false), i.e. the filter treats it as a valid email
var_dump(filter_var($str, FILTER_VALIDATE_EMAIL));

The above email returns true... Fair enough, RFC 2822 says it's a legal email address.

My question is: if you validate an email using the above, could an email carry SQL injections that can harm the DB even though you have filtered it with filter_var?

Cockneyism answered 11/11, 2010 at 13:6 Comment(2)
I changed the title slightly to make it better findable for future generations. – Demonstrator
Thanks, I was 99% sure that it's not safe for SQL as it is. But still 1% is a big risk. – Cockneyism
My question is: if you validate an email using the above, could an email carry SQL injections that can harm the DB even though you have filtered it with filter_var?

filter_var is not a replacement for database-specific sanitation like mysql_real_escape_string()! One needs to always apply that, too.

Demonstrator answered 11/11, 2010 at 13:10 Comment(3)
Are there examples of XSS or SQL injection that would validate as a valid email address under that filter? (Asking out of academic curiosity; there's obviously no reason not to use mysql_real_escape_string() or a similar escaping function.) – Rasmussen
"1=1"@domain.com could be one. But not too sure. – Cockneyism
@yc Good question! I can't think of one off the top of my head, but the danger is great that it's possible using some clever combination. – Demonstrator
Yes - do not rely on anything besides the database specific escaping mechanism for safety from SQL injection.

Always use mysql_real_escape_string() on it before using it in SQL.

Endeavor answered 11/11, 2010 at 13:11 Comment(0)
Also, it's not safe anyway. _VALIDATE_EMAIL allows single quotes ' and the backtick ` in it. (But cleansing functions should never be relied on, always context escape or use parameterized SQL.)

Glycogenesis answered 11/11, 2010 at 13:35 Comment(0)
I tend to use FILTER_VALIDATE_EMAIL to check if the email is valid and then further down the line if the email needs to be saved into a database I would then strip out the dangerous characters. The mysql and mysqli libraries are pretty much dead in the water too so I would suggest using PDO which is a much safer option.

http://wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers

Also, the link below advises what characters are legal in an email address: backticks and single quotes are allowed in email addresses, which is probably why FILTER_VALIDATE_EMAIL does not pick them up... remember we're looking for invalid email addresses, not dangerous email addresses.

Like anything when it comes to any programming language you should always keep security at the top of the list!

http://email.about.com/cs/standards/a/email_addresses.htm

Dric answered 16/1, 2013 at 0:50 Comment(0)
Never use VALIDATE; maybe you can use SANITIZE, but I don't recommend it anyway.

Consider this code:

<?php
// $sql is an open mysqli connection. The validated address is concatenated
// straight into the SQL text, so the query is built from user input (deliberately unsafe).
$email = filter_var($_GET['email'], FILTER_VALIDATE_EMAIL);
$query = mysqli_query($sql, 'SELECT * FROM table WHERE email = "'.$email.'"');

The basic SQL injection is " or 1 = 1; you have already heard about it. But we can't use spaces, and we need to end this string with something like @something.com.

So, we start with " and add or'1'='1' this will work (because or1=1 will fail). Now we need the @email.com, let's add it as a MySQL comment ([email protected]). So, this is the result:

"or'1'='1'--"@email.com

Test it.

This is a valid email for filter_var and unsafe for mysqli_query.

Tharpe answered 6/8, 2017 at 19:49 Comment(0)
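The two points made by Glycogenesis (the filter lets single quotes and backticks through) and by Tharpe and Dric (keep the value out of the SQL text, use prepared statements) combined into one script. This is an added example, not code posted by any of the answerers; the `users` table, the `findUserByEmail` function and the PDO DSN/credentials are assumptions, and the sample addresses are constructed.

```php
<?php
// Added example: FILTER_VALIDATE_EMAIL checks syntax only, so an address
// that carries SQL metacharacters can still pass. The reliable defence is to
// keep the value out of the SQL text with a prepared statement.
declare(strict_types=1);

// Constructed sample input. RFC atext permits ' and `, so the filter does
// not reject them; the quoted local part is the one from the question.
$samples = [
    'alice@example.com',
    "o'brien@example.com",       // single quote in the local part
    '`root`@example.com',        // backticks in the local part
    '"mynam@blabl"@domanin.com', // quoted local part from the question
    'not an email',
];

foreach ($samples as $s) {
    $ok = filter_var($s, FILTER_VALIDATE_EMAIL) !== false;
    printf("%-30s %s\n", $s, $ok ? 'syntactically valid' : 'rejected');
}

/**
 * Look up a user by email without ever concatenating the address into SQL.
 * Assumed schema: users(id, email). Returns null when not found or malformed.
 */
function findUserByEmail(PDO $pdo, string $email): ?array
{
    // Validation is still useful: it rejects malformed input early and keeps
    // garbage out of the table. It is not a security boundary.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }

    // The address is sent as a bound parameter, separate from the statement
    // text, so quotes, backticks or "--" inside it are plain data.
    $stmt = $pdo->prepare('SELECT id, email FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    return $row === false ? null : $row;
}

// Placeholder connection details (assumed; replace with your own).
$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4',
    'app_user',
    'app_password',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]
);

var_dump(findUserByEmail($pdo, "o'brien@example.com"));
```

The same separation of code and data is available with mysqli through `mysqli_prepare()` and `bind_param()`; what matters is that the address arrives at the server as a parameter, so the validation step decides only whether the input is well-formed, not whether it is safe to interpolate.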

© 2022 - 2024 — McMap. All rights reserved.