Reputation: 17522
Does FILTER_VALIDATE_EMAIL make a string safe for insertion in database?
$str = '"mynam@blabl"@domanin.com';
filter_var($str, FILTER_VALIDATE_EMAIL);//return valid email.
the above email returns true... Fair enough that RFC 2822 says it's a legal email address.
my question is if you validate an email using the above could an email carry sql injections that can harm the db even though you have filtered it with filter_var?
Upvotes: 6
Views: 3278
Answers (5)
Reputation: 1091
Never use VALIDATE, maybe you can use SANITILIZE but I don't recommend it anyway.
Consider this code:
$email = filter_var($_GET['email'], FILTER_VALIDATE_EMAIL);
$query = mysqli_query($sql, 'SELECT * FROM table WHERE email = "'.$email.'"');
The basic SQL Injection is " or 1 = 1, you have already heard about it. But we can't use espaces and we need to end this string with something like @something.com.
So, we start with " and add or'1'='1' this will work (because or1=1 will fail). Now we need the @email.com, let's add it as a MySQL comment ([email protected]). So, this is the result:
"or'1'='1'--"@email.com
This is valid email for filter_var and unsafe for mysqli_query.
Upvotes: 1
Reputation: 11
I tend to use FILTER_VALIDATE_EMAIL to check if the email is valid and then further down the line if the email needs to be saved into a database I would then strip out the dangerous characters. The mysql and mysqli libraries are pretty much dead in the water too so I would suggest using PDO which is a much safer option.
http://wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers
Also, the link below advises what characters are legal in an email address, backticks and single quotes are allowed in email address, hence probably why FILTER_VALIDATE_EMAIL does not pick them up...remember we're looking for invalid email addresses not dangerous email addresses.
Like anything when it comes to any programming language you should always keep security at the top of the list!
http://email.about.com/cs/standards/a/email_addresses.htm
Upvotes: 1
Reputation: 490183
Yes - do not rely on anything besides the database specific escaping mechanism for safety from SQL injection.
Always use mysql_real_escape_string() on it before using it in SQL.
Upvotes: 2
Reputation: 145482
Also, it's not safe anyway. _VALIDATE_EMAIL allows single quotes ' and the backtick ` in it. (But cleansing functions should never be relied on, always context escape or use parameterized SQL.)
Upvotes: 1
Reputation: 449395
my question is if you validate an email using the above could an email carry sql injections that can harm the db even though you have filtered it with filter_var?
filter_var is not a replacement for database specific sanitation like mysql_real_escape_string()! One needs to always apply that, too.
Upvotes: 5
Related Questions
- Should I use filter_var to validate email?
- PHP FILTER_VALIDATE_EMAIL does not work correctly
- Does PHP's FILTER_VALIDATE_EMAIL provide adequate security?
- Why does PHP filter_var say that this is a valid email address?
- how efficently may i use filter_var($email, FILTER_VALIDATE_EMAIL).?
- Does PHP's filter_var FILTER_VALIDATE_EMAIL actually work?
- How to validate emails in PHP using filter_var() function.
- Alternative to filter_var($email, FILTER_VALIDATE_EMAIL)
- filter_var or custom function for email validation in php
- Mail validation with PHP filter_var() or with regular expression