[Mimedefang] Re: sql integration of quarentine and others

Jan-Pieter Cornet johnpc at xs4all.nl
Wed Apr 4 17:54:45 EDT 2007


On Wed, Apr 04, 2007 at 10:35:41AM -0400, Matt wrote:
> I've gotten a few failures in my code for implementing a SQL greylist
> when an email address contains the ' character.
> 
> Most of them looked like spam so I never cared, but if there is even
> the *remote* possibility of being able to inject SQL into an email
> address (that would be impressive!) and compromise my machine, I ought
> to sanitize the email addresses in MIMEDefang before calling my
> greylisting routines.

Really people. And I thought only PHP "programmers" were dumb enough
to ever include unchecked user input into SQL statements.

Just *always* use placeholders. If that's too much typing for you,
use a convenience library like DBIx::Simple.

> Has anyone ever seen a legitimate email address with a ' character?

This is a valid email address:

<"x'; DROP TABLE whitelist; '"@pc.xs4all.nl>. Which I have just
created for the occasion.

Happy now? :)

(and yes, I've seen otherwise legitimate email addresses containing
a single quote character. Those did not contain valid SQL syntax,
because the quote was part of a real name. The above specially crafted
address may not result in any damage to your database either, but it's
at least conceivable it could.)

-- 
Jan-Pieter Cornet <johnpc at xs4all.nl>
!! Disclamer: The addressee of this email is not the intended recipient. !!
!! This is only a test of the echelon and data retention systems. Please !!
!! archive this message indefinitely to allow verification of the logs.  !!
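The point of the reply above, placeholders instead of interpolated SQL, shown as an added example that is not code from either poster. It uses Python's standard sqlite3 module with a made-up one-column greylist table rather than the Perl DBI/DBIx::Simple setup the thread implies, but the driver-side binding is the same idea: the address is handed to the driver as data, so neither a legitimate apostrophe nor the crafted address above can change the statement.

```python
import sqlite3

# Constructed sample addresses: an ordinary one, a legitimate one with an
# apostrophe in the local part, and the crafted address quoted in the thread.
SAMPLE_ADDRESSES = [
    "alice@example.org",
    "o'brien@example.org",
    "\"x'; DROP TABLE whitelist; '\"@pc.xs4all.nl",
]


def make_db():
    """Fresh in-memory database with a minimal greylist table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE greylist (sender TEXT PRIMARY KEY, first_seen INTEGER)")
    return conn


def insert_interpolated(conn, sender, now):
    """The mistake: build SQL by string interpolation. Any apostrophe in the
    address terminates the literal, so the statement no longer parses as
    intended (here the driver raises; a laxer driver might run something else)."""
    sql = "INSERT INTO greylist (sender, first_seen) VALUES ('%s', %d)" % (sender, now)
    conn.execute(sql)


def insert_with_placeholder(conn, sender, now):
    """The fix: a placeholder per value; the driver binds the address as data."""
    conn.execute(
        "INSERT INTO greylist (sender, first_seen) VALUES (?, ?)", (sender, now)
    )


def lookup(conn, sender):
    """Return the stored first_seen for an address, or None if absent."""
    row = conn.execute(
        "SELECT first_seen FROM greylist WHERE sender = ?", (sender,)
    ).fetchone()
    return row[0] if row else None


def compare(addresses, now=1000):
    """Insert each address both ways in a fresh database.

    Returns {address: (interpolation_succeeded, placeholder_stored_verbatim)}.
    `now` is a constructed timestamp, not a real value.
    """
    results = {}
    for addr in addresses:
        interp_ok = True
        try:
            insert_interpolated(make_db(), addr, now)
        except sqlite3.Error:
            interp_ok = False
        conn = make_db()
        insert_with_placeholder(conn, addr, now)
        results[addr] = (interp_ok, lookup(conn, addr) == now)
    return results


if __name__ == "__main__":
    for addr, (interp_ok, bound_ok) in compare(SAMPLE_ADDRESSES).items():
        print(f"{addr!r}: interpolated={'ok' if interp_ok else 'FAILED'} "
              f"placeholder={'ok' if bound_ok else 'FAILED'}")
```

Running it shows the interpolated insert failing on both addresses that contain a quote, including the perfectly legitimate o'brien one, while the placeholder version stores every address exactly as given and finds it again on lookup. That is the practical argument for placeholders even before security enters the picture: they are the only version that handles real addresses correctly.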