[Mimedefang] Re: sql integration of quarantine and others

Matt matt at beyondzero.net
Wed Apr 4 10:35:41 EDT 2007


On Wed, Apr 04, 2007 at 09:32:22AM -0400, David F. Skoll wrote:
> Jeff Rife wrote:

> > If you truly worry about SQL injection from the contents of a full e-mail
> > message (which is highly unlikely),
> 
> Really?  I expect that ' and ; are quite commonly seen in e-mail, so you
> might not suffer an attack, but your SQL is quite likely to fail.

I've gotten a few failures in my code for implementing a SQL greylist
when an email address contains the ' character.

Most of them looked like spam so I never cared, but if there is even
the *remote* possibility of being able to inject SQL into an email
address (that would be impressive!) and compromise my machine, I ought
to sanitize the email addresses in MIMEDefang before calling my
greylisting routines.

Has anyone ever seen a legitimate email address with a ' character?


Matt

-- 
PGP RSA Key ID:    0x1F6A4471                      aim: beyondzero123
PGP DH/DSS Key ID: 0xAFF35DF2                yahoo msg: beyondzero123
http://blogdayafternoon.com 

Life is pain, Highness.  Anyone who says differently is
selling something.
     -Westley
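The failure Matt describes (a greylist lookup breaking on an address containing ') is what you get when the address is pasted into the SQL text; the fix is a bound parameter, not stripping the apostrophe, since RFC 5322 allows ' in the local part of an address. Added example, not code from the thread or from MIMEDefang, using Python's sqlite3 in place of the Perl DBI filter; the table layout, sender addresses and timestamp are constructed.

```python
import sqlite3

# Constructed sample senders; the second has an apostrophe in the local
# part, which is a legal address and not a sign of an attack by itself.
SENDERS = ["alice@example.com", "o'brien@example.net"]

def make_db():
    # Constructed minimal greylist table: one row per sender address.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE greylist (sender TEXT PRIMARY KEY, first_seen INTEGER)")
    return conn

def lookup_concat(conn, sender):
    """Fragile form: the address is interpolated into the statement text.
    A ' in the address closes the string literal early, so the statement
    is either a syntax error or, in the worst case, attacker-shaped SQL."""
    sql = "SELECT first_seen FROM greylist WHERE sender = '" + sender + "'"
    return conn.execute(sql).fetchone()

def lookup_param(conn, sender):
    """Parameterized form: the driver passes the value out of band, so any
    quote or semicolon in the address is data, never SQL syntax."""
    return conn.execute(
        "SELECT first_seen FROM greylist WHERE sender = ?", (sender,)
    ).fetchone()

def record_sender(conn, sender, now):
    # Same rule on the write path: never build the INSERT from the address.
    conn.execute(
        "INSERT OR IGNORE INTO greylist (sender, first_seen) VALUES (?, ?)",
        (sender, now),
    )
    conn.commit()

def demo():
    """Run both lookup styles over the sample senders and report what happened."""
    conn = make_db()
    for s in SENDERS:
        record_sender(conn, s, 1175697341)  # constructed epoch timestamp
    results = {}
    for s in SENDERS:
        try:
            lookup_concat(conn, s)
            results[(s, "concat")] = "ok"
        except sqlite3.OperationalError:
            results[(s, "concat")] = "error"
        results[(s, "param")] = "ok" if lookup_param(conn, s) else "miss"
    return results

if __name__ == "__main__":
    for key, outcome in demo().items():
        print(key, outcome)
```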



