有效的电子邮件地址-XSS和SQL注入 [英] Valid Email Addresses - XSS and SQL Injection
问题描述
由于电子邮件地址中的有效字符太多,因此是否有任何有效电子邮件地址本身可能是XSS攻击或SQL注入?我在网络上找不到任何信息。
Since there are so many valid characters for email addresses, are there any valid email addresses that can in themselves be XSS attacks or SQL injections? I couldn't find any information on this on the web.
电子邮件地址
的本地部分可能使用以下任何ASCII字符:
The local-part of the e-mail address may use any of these ASCII characters:
- 大写和小写英文字母(az,AZ)
- 数字0到9
- 字符! #$%& ’* +-/ =? ^ _`{| }〜
- 字符。 (点,句号,句号),前提是它不是最后一个
字符,并且还不能连续出现两次或
次(例如John..Doe @ example.com)。
- Uppercase and lowercase English letters (a–z, A–Z)
- Digits 0 to 9
- Characters ! # $ % & ' * + - / = ? ^ _ ` { | } ~
- Character . (dot, period, full stop) provided that it is not the last character, and provided also that it does not appear two or more times consecutively (e.g. John..Doe@example.com).
http://en.wikipedia.org/wiki/电子邮件地址#RFC_specification
I '不是问如何防止这些攻击(我已经在使用参数化查询和转义/ HTML净化器了),这更是一种概念验证。
I'm not asking how to prevent these attacks (I'm already using parametrized queries and escaping/HTML purifier), this is more a proof-of-concept.
首先想到的是'OR 1 = 1-@ gmail.com ,只是不允许使用空格。所有SQL注入都需要空格吗?
The first thing that came to mind was 'OR 1=1--@gmail.com, except that spaces are not allowed. Do all SQL injections require spaces?
推荐答案
如果空格用引号引起来,则允许使用空格,因此'OR 1 = 1- @ gmail.com 是有效的电子邮件地址。另外,可能不太在意,但是从技术上来讲,它们都是有效的电子邮件地址:
Spaces are allowed if they are enclosed in quotes, however, so "'OR 1=1--"@gmail.com is a valid e-mail address. Also, it's probably less of a concern, but technically speaking, these are both valid e-mail addresses:
' BAD SQL STUFF -- <fake@ryanbrunner.com>
fake@ryanbrunner.com (' BAD SQL STUFF --)
即使不是
是不可能的,您仍然没有理由不应该使用参数化查询并对所有显示给用户的用户输入数据进行编码。
Even if this wasn't possible, there's still no reason that you shouldn't be using paramaterized queries and encoding all user-inputted data displayed to users.
这篇关于有效的电子邮件地址-XSS和SQL注入的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
