[Mimedefang] Re: sql integration of quarantine and others
Matt
matt at beyondzero.net
Wed Apr 4 10:35:41 EDT 2007
On Wed, Apr 04, 2007 at 09:32:22AM -0400, David F. Skoll wrote:
> Jeff Rife wrote:
> > If you truly worry about SQL injection from the contents of a full e-mail
> > message (which is highly unlikely),
>
> Really? I expect that ' and ; are quite commonly seen in e-mail, so you
> might not suffer an attack, but your SQL is quite likely to fail.
I've gotten a few failures in my code for implementing a SQL greylist
when an email address contains the ' character.
Most of them looked like spam so I never cared, but if there is even
the *remote* possibility of being able to inject SQL into an email
address (that would be impressive!) and compromise my machine, I ought
to sanitize the email addresses in MIMEDefang before calling my
greylisting routines.
Has anyone ever seen a legitimate email address with a ' character?
Matt
--
PGP RSA Key ID: 0x1F6A4471 aim: beyondzero123
PGP DH/DSS Key ID: 0xAFF35DF2 yahoo msg: beyondzero123
http://blogdayafternoon.com
Life is pain, Highness. Anyone who says differently is
selling something.
-Westley
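The failure Matt describes (a legitimate apostrophe in an address breaking a string-built greylist query) and the fix (keep the address out of the SQL text) side by side, as an added example that is not from the thread or from MIMEDefang. It uses an in-memory sqlite3 table as a stand-in; the table layout, the relay column and the function names are assumptions. MIMEDefang filters are Perl, where DBI `?` placeholders give the same protection.

```python
"""Greylist lookup: string-built SQL versus parameterised SQL.

Constructed example. The greylist schema (sender, relay, first_seen) and
the seeded row are assumptions, not MIMEDefang's own data or code.
"""
import sqlite3

# RFC 5322 permits the apostrophe in the local part, so this is a valid
# address even though it breaks a query that pastes it into the SQL text.
APOSTROPHE_SENDER = "o'brien@example.com"   # constructed sample value


def make_greylist_db():
    """In-memory greylist with one seeded entry (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE greylist (sender TEXT, relay TEXT, first_seen INTEGER)")
    conn.execute("INSERT INTO greylist VALUES (?, ?, ?)",
                 (APOSTROPHE_SENDER, "192.0.2.10", 1175700000))
    conn.commit()
    return conn


def lookup_interpolated(conn, sender, relay):
    """Fragile pattern: the address is interpolated into the SQL string.
    A legitimate ' ends the string literal early and the statement fails.
    Returns ("error", message), ("hit", first_seen) or ("miss", None)."""
    sql = (f"SELECT first_seen FROM greylist "
           f"WHERE sender = '{sender}' AND relay = '{relay}'")
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))
    return ("hit", row[0]) if row else ("miss", None)


def lookup_parameterised(conn, sender, relay):
    """Safe pattern: the address travels as a bound parameter, so every
    character in it is data, never SQL syntax. Same return shape as above."""
    row = conn.execute(
        "SELECT first_seen FROM greylist WHERE sender = ? AND relay = ?",
        (sender, relay),
    ).fetchone()
    return ("hit", row[0]) if row else ("miss", None)


if __name__ == "__main__":
    db = make_greylist_db()
    print("interpolated:", lookup_interpolated(db, APOSTROPHE_SENDER, "192.0.2.10"))
    print("parameterised:", lookup_parameterised(db, APOSTROPHE_SENDER, "192.0.2.10"))
```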