$str = '"mynam@blabl"@domanin.com';
filter_var($str, FILTER_VALIDATE_EMAIL);//return valid email.
the above email returns true... Fair enough that RFC 2822 says it's a legal email address.
my question is if you validate an email using the above could an email carry sql injections that can harm the db even though you have filtered it with filter_var?
my question is if you validate an email using the above could an email carry sql injections that can harm the db even though you have filtered it with filter_var?
filter_var is not a replacement for database specific sanitation like mysql_real_escape_string()! One needs to always apply that, too.
Yes - do not rely on anything besides the database specific escaping mechanism for safety from SQL injection.
Always use mysql_real_escape_string() on it before using it in SQL.
Also, it's not safe anyway. _VALIDATE_EMAIL allows single quotes ' and the backtick ` in it. (But cleansing functions should never be relied on, always context escape or use parameterized SQL.)
I tend to use FILTER_VALIDATE_EMAIL to check if the email is valid and then further down the line if the email needs to be saved into a database I would then strip out the dangerous characters. The mysql and mysqli libraries are pretty much dead in the water too so I would suggest using PDO which is a much safer option.
http://wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers
Also, the link below advises what characters are legal in an email address, backticks and single quotes are allowed in email address, hence probably why FILTER_VALIDATE_EMAIL does not pick them up...remember we're looking for invalid email addresses not dangerous email addresses.
Like anything when it comes to any programming language you should always keep security at the top of the list!
Never use VALIDATE, maybe you can use SANITILIZE but I don't recommend it anyway.
Consider this code:
$email = filter_var($_GET['email'], FILTER_VALIDATE_EMAIL);
$query = mysqli_query($sql, 'SELECT * FROM table WHERE email = "'.$email.'"');
The basic SQL Injection is " or 1 = 1, you have already heard about it. But we can't use espaces and we need to end this string with something like @something.com.
So, we start with " and add or'1'='1' this will work (because or1=1 will fail). Now we need the @email.com, let's add it as a MySQL comment (--@something.com). So, this is the result:
"or'1'='1'--"@email.com
This is valid email for filter_var and unsafe for mysqli_query.
来源:https://stackoverflow.com/questions/4154685/does-filter-validate-email-make-a-string-safe-for-insertion-in-database