[Mimedefang] Re: sql integration of quarantine and others
Jan-Pieter Cornet
johnpc at xs4all.nl
Wed Apr 4 17:54:45 EDT 2007
On Wed, Apr 04, 2007 at 10:35:41AM -0400, Matt wrote:
> I've gotten a few failures in my code for implementing a SQL greylist
> when an email address contains the ' character.
>
> Most of them looked like spam so I never cared, but if there is even
> the *remote* possibility of being able to inject SQL into an email
> address (that would be impressive!) and compromise my machine, I ought
> to sanitize the email addresses in MIMEDefang before calling my
> greylisting routines.
Really people. And I thought only PHP "programmers" were dumb enough
to ever include unchecked user input into SQL statements.
Just *always* use placeholders. If that's too much typing for you,
use a convenience library like DBIx::Simple.
> Has anyone ever seen a legitimate email address with a ' character?
This is a valid email address:
<"x'; DROP TABLE whitelist; '"@pc.xs4all.nl>. Which I have just
created for the occasion.
Happy now? :)
(and yes, I've seen otherwise legitimate email addresses containing
a single quote character. Those did not contain valid SQL syntax,
because the quote was part of a real name. The above specially crafted
address may not result in any damage to your database either, but it's
at least conceivable it could.)
--
Jan-Pieter Cornet <johnpc at xs4all.nl>
!! Disclaimer: The addressee of this email is not the intended recipient. !!
!! This is only a test of the echelon and data retention systems. Please !!
!! archive this message indefinitely to allow verification of the logs. !!
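An added example, not from this thread, that shows the reply's point using Python's sqlite3 module in place of MIMEDefang's Perl DBI (the placeholder idea is the same): the interpolated query breaks on both the crafted address and an ordinary name with an apostrophe, while the placeholder version stores and looks the address up verbatim. The greylist schema, the delay, and the second address are assumptions.

```python
import sqlite3

# Constructed sample addresses: the one from the post above, and an ordinary
# address whose quote is part of a real name (assumed, not from the thread).
CRAFTED = "\"x'; DROP TABLE whitelist; '\"@pc.xs4all.nl"
ORDINARY = "o'neil@example.com"
GREYLIST_DELAY = 300  # seconds a first-time sender/recipient pair must wait

def make_db():
    """In-memory stand-in for the greylist database (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE greylist (sender TEXT, recipient TEXT, first_seen INTEGER);
        CREATE TABLE whitelist (sender TEXT);
        INSERT INTO whitelist VALUES ('friend@example.org');
    """)
    return conn

def unsafe_lookup(conn, sender, recipient):
    """Interpolates the address into the SQL text: any ' breaks the statement."""
    sql = ("SELECT first_seen FROM greylist WHERE sender = '%s' "
           "AND recipient = '%s'" % (sender, recipient))
    try:
        conn.execute(sql).fetchone()
        return "ok"
    except (sqlite3.Error, sqlite3.Warning):  # syntax error or extra statement
        return "error"

def greylist_decision(conn, sender, recipient, now):
    """Placeholder version: the address is passed as data, never parsed as SQL."""
    row = conn.execute(
        "SELECT first_seen FROM greylist WHERE sender = ? AND recipient = ?",
        (sender, recipient)).fetchone()
    if row is None:
        conn.execute("INSERT INTO greylist VALUES (?, ?, ?)",
                     (sender, recipient, now))
        conn.commit()
        return "TEMPFAIL"
    return "ACCEPT" if now - row[0] >= GREYLIST_DELAY else "TEMPFAIL"

def stored_senders(conn):
    """Senders as actually stored, to confirm the quotes survived intact."""
    return [r[0] for r in conn.execute("SELECT sender FROM greylist ORDER BY rowid")]

def whitelist_intact(conn):
    """True if the whitelist table still exists with its single row."""
    try:
        return conn.execute("SELECT COUNT(*) FROM whitelist").fetchone()[0] == 1
    except sqlite3.Error:
        return False

if __name__ == "__main__":
    db = make_db()
    for addr in (CRAFTED, ORDINARY):
        print(addr, "unsafe:", unsafe_lookup(db, addr, "me@example.net"),
              "safe:", greylist_decision(db, addr, "me@example.net", 0))
    print("whitelist intact:", whitelist_intact(db))
```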