$str = '"mynam@blabl"@domanin.com';
filter_var($str, FILTER_VALIDATE_EMAIL); // returns the string, i.e. the address is treated as valid
The address above is accepted as valid... Fair enough.
Never use VALIDATE; maybe you can use SANITIZE, but I don't recommend it anyway.
Consider this code:
$email = filter_var($_GET['email'], FILTER_VALIDATE_EMAIL);
$query = mysqli_query($sql, 'SELECT * FROM table WHERE email = "'.$email.'"');
The basic SQL injection is " or 1 = 1; you have already heard about it. But we can't use spaces, and we need to end the string with something like @something.com.
So, we start with " and add or'1'='1'; this will work (because or1=1 would fail). Now we need the @email.com part, so let's add it as a MySQL comment (--@something.com). This is the result:
"or'1'='1'--"@email.com
Test it.
This is a valid email for filter_var and unsafe for mysqli_query.
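As an added example (not part of the original note), the validator's behaviour shown next to a lookup whose safety does not depend on it; the open connection $mysqli, the users table and its email column are assumptions:

```php
<?php
// Added example, not from the original note. FILTER_VALIDATE_EMAIL accepts
// RFC 5321 quoted local parts, so quote characters legitimately reach the
// application; the database lookup must therefore send the address as a
// bound parameter instead of concatenating it into the SQL text.
// Assumptions: $mysqli is an open mysqli connection; table `users` has an
// `email` column; mysqlnd is available for get_result().

function isSyntacticallyValidEmail(string $candidate): bool
{
    // filter_var() returns the input string on success and false otherwise.
    return filter_var($candidate, FILTER_VALIDATE_EMAIL) !== false;
}

function findUserByEmail(mysqli $mysqli, string $email): ?array
{
    // Validation is only a syntax check, not an injection defence. With a
    // prepared statement the value travels separately from the query, so
    // quotes, comment markers and operators inside it are data, never SQL.
    $stmt = $mysqli->prepare('SELECT id, email FROM users WHERE email = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $mysqli->error);
    }
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Constructed samples: a quoted local part containing '@' is legal per
// RFC 5321, which is exactly why the validator lets the quotes through.
foreach (['plain@example.com', '"mynam@blabl"@domanin.com', 'not an address'] as $candidate) {
    printf("%-30s valid=%s\n", $candidate, isSyntacticallyValidEmail($candidate) ? 'yes' : 'no');
}

// Any candidate that passes validation is still looked up only via bind_param:
// $user = isSyntacticallyValidEmail($candidate) ? findUserByEmail($mysqli, $candidate) : null;
```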